QEHS

Trust Center

Security questionnaire responses

Your procurement team rarely writes the questionnaire — they paste from a template. Ours is pre-filled. Search below for specific controls, or filter by framework (SIG Lite, CAIQ, HECVAT, VSA). Download the full packet from the compliance library under NDA.

Risk management

Do you have a formal information security program?

SIG Lite

Yes. QEHS maintains a documented ISMS aligned with ISO 27001 Annex A. The security program is owned by the Head of Security, reviewed quarterly by the executive team, and audited annually by an accredited third party.

Evidence available: ISO 27001 certificate · Information Security Policy · Annual review minutes

How often is the program reviewed and approved?

SIG Lite

At minimum quarterly by the security steering committee, with full annual review and executive sign-off. All policy revisions are versioned in our document management system with tracked approvals.

Access control

Do you enforce multi-factor authentication for privileged access?

SIG Lite

Yes. All privileged access (infrastructure, production database, tenant data) requires SSO + step-up MFA via WebAuthn (hardware keys) or TOTP. Customer-facing app supports SSO + SCIM + per-tenant MFA policy.

Evidence available: Access control policy · IdP configuration screenshots

How is access reviewed and revoked?

SIG Lite

Quarterly access reviews via our IdP. Immediate revocation on termination via SCIM deprovisioning. Service-account credentials rotated every 90 days.

Data protection

How is customer data encrypted?

SIG Lite

At rest: AES-256 (AWS KMS-managed keys; BYOK available on Enterprise). In transit: TLS 1.2+ enforced end-to-end, HSTS on all customer-facing endpoints. Field-level encryption available for sensitive fields on Enterprise plans.

Evidence available: Encryption standards document · TLS Labs scan result (A+)

Do you maintain tenant isolation?

SIG Lite

Yes. Logical isolation via tenantId on every row; all queries wrapped in withTenant() context. Optional dedicated database instance on Enterprise. No shared secrets or credentials across tenants.

Incident response

Do you have a documented incident response plan?

SIG Lite

Yes. 24x7 on-call rotation with 15-minute acknowledgement SLA for P1 incidents. Full IRP with runbooks covers detection, containment, eradication, recovery, and lessons-learned phases. Tested quarterly via tabletop exercises and annually via live game-day drills.

Evidence available: Incident Response Plan · Latest tabletop exercise report

What is your customer notification SLA for a confirmed breach?

SIG Lite

72 hours for confirmed incidents affecting customer data, per GDPR Article 33. Higher tiers (Enterprise) receive priority notification via CSM within 24 hours of confirmation.

Business continuity

What is your RTO / RPO?

SIG Lite

RTO 4 hours, RPO 1 hour for Enterprise tier. Point-in-time recovery covers 35 days. DR drill runs semi-annually; results published to customers on request.

Application security

Do you perform static and dynamic application security testing?

CAIQ v4

Yes. SAST (Semgrep + language-native tooling) runs on every PR. DAST via ZAP runs nightly against staging. Annual third-party penetration test; remediation within 30 days for Critical / 90 days for High.

Evidence available: Latest pen test summary (NDA) · SAST/DAST tooling overview

Change control

How are production changes controlled?

CAIQ v4

All production changes flow through PR review → automated test suite → staging deploy → approval → canary → full rollout. No direct production edits. Full audit trail in Git; every deploy attributable.

Data security

Is customer data ever used for model training?

CAIQ v4

No. Tenant data is never used to train QEHS AI features or any third-party model. AI provider agreements explicitly prohibit training on our traffic; BYO-key option gives tenants full control.

Governance

Do you have a documented data retention and deletion policy?

CAIQ v4

Yes. Tenant-configurable retention per module. On tenant offboarding: 30-day grace period → export → full deletion within 60 days (verifiable via deletion attestation). Audit log retention default 1 year, configurable up to 7 years on Enterprise.

Identity & access

Do you support SSO and SCIM?

CAIQ v4

Yes. SSO via SAML 2.0 and OIDC with Okta, Entra ID, Google Workspace, Auth0, JumpCloud, Ping, OneLogin, Duo. SCIM 2.0 for provisioning + deprovisioning + group-to-role mapping.

Institutional data

Do you process FERPA-covered student records?

HECVAT Full

QEHS is primarily a platform for QEHS data and does not directly receive FERPA student records. Where a customer configuration could receive such data, we sign a FERPA addendum and treat the data as Confidential.

Accessibility

Is the product WCAG AA conformant?

HECVAT Full

Yes. QEHS targets WCAG 2.1 AA. Automated accessibility checks run in CI (axe-core). Manual screen-reader testing (NVDA, VoiceOver) on major surfaces each release. Current VPAT available on request.

Evidence available: Voluntary Product Accessibility Template (VPAT)

Sub-processors

Are sub-processors disclosed and approved?

VSA Full

Yes. Full sub-processor list at qehsethos.com/trust/subprocessors, updated with 30-day advance notice (RSS feed available). Customer objection right honored per DPA.

Evidence available: Subprocessor list · DPA Schedule 3

Privacy

Where is customer data stored?

VSA Full

Six primary regions: US (us-east-1, us-west-2), EU (eu-central-1 Frankfurt), UK (eu-west-2 London), AU (ap-southeast-2 Sydney), CA (ca-central-1), UAE (me-central-1). Customer selects primary + DR region at tenant provisioning; data does not leave without documented approval.

Need the signed version?

Our full SIG Lite, CAIQ v4, HECVAT, and VSA submissions are available as downloadable PDFs under NDA. They include evidence attachments, signed executive attestation, and version history.