Security
Auditability by design. Not by apology.
ChatCPQ treats security and compliance as part of the architecture, not a retrofit.
✓ CURRENT POSTURE
- ISO 27001 · CERTIFIED
- SOC 2 Type II · ANNUAL AUDIT
- GDPR · COMPLIANT
- EU data residency · AVAILABLE
- Penetration test · 2026 Q1
01 Certifications & frameworks
Where we stand, and how to verify it.
ISMS
ISO 27001
Information security management, certified annually by an accredited auditor.
CONTROLS
SOC 2 Type II
Independent attestation of security, availability, confidentiality, and processing integrity.
PRIVACY
GDPR
EU data-protection regulation. DPA available on request; EU SCCs for cross-border transfers.
RESIDENCY
EU & Nordic
Dedicated data residency for EU customers. Nordic-DR region available for regulated sectors.
02 Controls matrix
What protects your data, and your quotes.
A IDENTITY & ACCESS
Least privilege, by default.
- SSO via SAML / OIDC · enforced MFA
- Role-based access: viewer, author, approver, owner
- Just-in-time access to production · peer-reviewed
- Session recording on administrative surfaces
B DATA PROTECTION
Encrypted, isolated, versioned.
- AES-256 at rest · TLS 1.3 in transit
- Per-workspace isolation · optional customer-managed keys
- Immutable audit log · WORM storage
- Backups tested quarterly · point-in-time restore
C SOFTWARE DELIVERY
Secure by default, secure by review.
- Signed commits · branch protection · mandatory review
- SBOM generation on every build
- Dependency scanning · auto-patch window 48h
- Canary releases · one-click rollback
D INCIDENT RESPONSE
Rehearsed, not improvised.
- 24/7 on-call · < 15-min acknowledgement
- Quarterly tabletop exercises
- Customer notification within 24h of confirmed impact
- Post-incident report within 10 business days
03 Your data stays your data
We don't train on customer data. Not ever.
At no point do we use your workspace data to train or fine‑tune AI models. ChatCPQ's AIs are grounded in your data for your instance only — and the engine, not the model, decides prices and totals.
A NO TRAINING
Your prompts and docs are not training data.
- No prompts, documents, quotes, or artifacts are used to train or fine-tune models
- No cross-customer learning. No "global memory" from your workspaces
B ISOLATION
Scoped to your workspace.
- Workspace isolation is enforced by the backend (auth + context)
- Data stays inside your workspace boundaries unless you explicitly share
C NUMBERS COME FROM THE ENGINE
AI assists. The engine decides.
- The Avatar and Guide help with intent and workflow
- Pricing and totals are computed deterministically by the engine
D PROCUREMENT READY
Clear answers, fast.
- DPA available · subprocessors disclosed · change-logged
- Security pack on request (SOC 2, ISO 27001, pen-test summary)
04 Subprocessors
Fully disclosed. Change-logged.
| Subprocessor | Purpose | Region | Status |
|---|---|---|---|
| AWS Ireland | Primary compute & storage | EU · eu-west-1 | ACTIVE |
| AWS Stockholm | Nordic-DR region | EU · eu-north-1 | ACTIVE |
| Cloudflare | Edge & DDoS | Global | ACTIVE |
| Datadog | Observability | EU | ACTIVE |
| Postmark | Transactional email | EU | ACTIVE |
Security review
Bring your questionnaire. We'll answer it in days, not weeks.
Available on request
SOC 2 report · ISO 27001 certificate · Pen-test summary · DPA · SIG-Lite · CAIQ.
security@vloxq.com