
Trust Center

RFP / RFI answer library

Copy-paste-ready answers to the questions your procurement team sends us every week. Filter by industry to see answers tailored to your vertical. If your RFP needs something we haven't pre-answered, reach out — we turn custom answers around in 2 business days.

Company

Provide a brief company overview including year founded, headcount, and funding.

QEHS (operated by Hefty Innovations) builds a composable, multi-tenant QEHS platform used by organisations across manufacturing, construction, and energy. Headquarters: global-remote. Privately held, self-funded; no external venture capital dependencies. Revenue profile available under NDA.

Tags: company, background

Product

Describe how your solution handles incident management.

QEHS ships a no-code Composer that lets customers configure incident management end-to-end: reporting (web, mobile, and email-to-record), triage, investigation, RCA, CAPA, lessons learned, and regulator reporting (OSHA 300/301, RIDDOR, EU-OSHA). Configurability covers fields, workflows, guards, effects, SLAs, approvals, and escalation matrices without code. 40+ pre-built templates accelerate rollout; customers typically have incident management live in production within 2–4 weeks.

Tags: incidents, composer, workflow

How is audit and inspection data captured and reported?

Inspections and audits use Composer-configured checklists with mobile-first UX: GPS + photo + annotation, offline capture, conditional logic (skip irrelevant sections), weighted scoring, auto-calculated index. Results feed dashboards, trend reports, and regulator-ready exports. Schedulers trigger recurring inspections; overdue alerts route to actions.

Tags: audits, inspections, mobile

Describe your permit-to-work capabilities.

QEHS supports hot-work, confined-space, LOTO, working-at-height, excavation, and custom permits. Each permit type is a Composer module with its own workflow, guards (JHA completed, gas-test valid, isolation confirmed), approvals (matrix or role), and attachments. Concurrent-permit conflict detection prevents clashing work. Mobile signature capture on permit issue + close-out.

Tags: permits, ptw, safety

How does the platform support regulatory reporting?

Regulatory reports are generated from live data via saved report views: OSHA 300/301A (US), RIDDOR (UK), EU-OSHA, TRIR/LTIR/SIF calculators, ISO 45001 audit evidence, ISO 14001 environmental metrics, GRI/CSRD sustainability extracts. Exports to Excel + CSV + PDF with tenant branding.

Tags: compliance, reporting

Security

What authentication and authorization methods are supported?

SSO via SAML 2.0 and OIDC with all major IdPs. SCIM 2.0 for provisioning. API auth via API keys or OAuth 2.0 + PKCE. Authorization uses module-scoped RBAC + location-scoped RBAC + record-level guards; roles are configurable per tenant. MFA (TOTP + WebAuthn) enforced per policy.

Tags: security, sso, scim

Describe your penetration-testing cadence.

Annual third-party pen test by an accredited firm (CREST-accredited, OSCP-led team). Scope: web application, API, mobile, infrastructure. Critical findings remediated within 30 days; High within 90 days. Executive summary available under NDA; full report on request for Enterprise customers.

Tags: security, pen-test

Privacy & compliance

What certifications and attestations do you hold?

SOC 2 Type 2 (annual), ISO 27001 (certified), ISO 9001 QMS, GDPR / UK GDPR compliance. HIPAA readiness documented. Regional coverage for PIPEDA, Australian Privacy Principles, UAE PDPL. Roadmap: ISO 27701 (privacy), SOC 2 + HITRUST for healthcare prospects.

Tags: compliance, certifications

How is data residency handled?

Tenant picks primary and DR region at provisioning. Six regions available (US, EU, UK, AU, CA, UAE). Data does not leave its region without documented approval. Per-field encryption with customer-managed keys (KMS or Vault BYOK) for sensitive attributes on Enterprise.

Tags: data-residency, gdpr

Implementation

What is a typical implementation timeline?

Starter: 2–4 weeks for 1–3 modules using templates. Standard: 6–8 weeks for 5–10 modules including migration from legacy. Enterprise: 10–14 weeks for org-wide rollout with complex integrations. Implementation follows a 5-phase playbook (discovery → design → build → pilot → rollout) with weekly checkpoints.

Tags: implementation, timeline

How is data migrated from legacy systems?

CSV import for under 10k records; REST API bulk-load for larger volumes. Migration tooling supports field mapping, transformation rules, and dry-run validation before commit. Historical workflow states are preserved. Dedicated migration engineer on Enterprise SoWs.

Tags: implementation, migration

Support

What are the support tiers and SLAs?

Community (Free tier): forum + self-serve. Email (Team / Business): 1-business-day first response. Priority (Business): 8-hour first response, 24/7 on-call for P1. Priority 1h (Enterprise): 1-hour first response 24/7, dedicated CSM, quarterly business reviews.

Tags: support, sla

Integrations

What integrations are supported out of the box?

SSO/SCIM: Okta, Entra ID, Google, Auth0, JumpCloud, Ping, OneLogin, Duo. BI: Power BI, Tableau, Looker, Sigma. Communication: Teams, Slack. ITSM: ServiceNow, Jira. Webhooks + REST API for anything else. Zapier / Workato connectors available. Custom integrations via SDK (TypeScript, Python, Go).

Tags: integrations

Pricing

What is the pricing model?

Per-seat + usage-metered (AI tokens, storage, API calls). Plans: Free (1 user / 1 module), Team ($X/seat/mo, up to 10 users), Business ($Y/seat/mo, up to 50 users), Enterprise (custom). Annual prepay = 20% discount. Multi-year commitments and volume tiers available on Enterprise.

Tags: pricing

Need the full RFP response?

Send us your RFP template. We return the completed document (Word + PDF) within 3 business days, signed by an officer, with evidence attachments.