
Security & compliance

At-rest encryption

| Data class | Encryption |
| --- | --- |
| Customer PII (NIK, email, phone) | AES-256-GCM, per-org KEK (envelope), KMS-managed |
| Biometric capture bundles (frames) | AES-256-GCM, sealed-at-rest; never re-served via API |
| Face embeddings (ArcFace vectors) | Plaintext — required for cosine match (vector → vector). Hashed reference stored alongside. |
| Webhook secrets | AES-256-GCM, per-org KEK |
| API keys | Stored as SHA-256 hash; never recoverable |
| Source documents (PDFs, images) | AES-256-GCM; sealed; retention period configurable |
| Audit logs | Postgres-trigger-enforced immutability + AES-256-GCM at rest |
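
To show what "AES-256-GCM, per-org KEK (envelope)" means in practice, here is an added Node.js example; it is not Quantum Elixir's code. The in-memory `keks` map stands in for the KMS, and the function names, record layout and use of the org ID as GCM associated data are assumptions made for the illustration.

```javascript
// Added example, not Quantum Elixir's code. Names and record layout are assumptions.
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

// AES-256-GCM seal. Output layout: nonce (12 B) || auth tag (16 B) || ciphertext.
function seal(key, plaintext, aad) {
  const nonce = randomBytes(12); // fresh per call; never reuse a nonce under one key
  const c = createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(aad);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

// Reverse of seal. final() throws if the key, AAD, tag or ciphertext does not match.
function open(key, blob, aad) {
  if (blob.length < 28) throw new Error('sealed blob too short');
  const d = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Stand-in for the KMS (assumption): one 32-byte KEK per org, held in memory.
const keks = new Map();
function kekFor(orgId) {
  if (!keks.has(orgId)) keks.set(orgId, randomBytes(32));
  return keks.get(orgId);
}

// Envelope encryption: a fresh DEK encrypts the field; the org KEK only wraps the DEK.
function encryptField(orgId, plaintext) {
  const dek = randomBytes(32);
  const aad = Buffer.from(orgId, 'utf8'); // binds both blobs to this org
  const record = {
    wrappedDek: seal(kekFor(orgId), dek, aad),
    ciphertext: seal(dek, Buffer.from(plaintext, 'utf8'), aad),
  };
  dek.fill(0); // do not keep the plaintext DEK once the record is built
  return record;
}

// Unwrap the DEK with the caller's org KEK, then decrypt the field with it.
function decryptField(orgId, record) {
  const aad = Buffer.from(orgId, 'utf8');
  const dek = open(kekFor(orgId), record.wrappedDek, aad);
  return open(dek, record.ciphertext, aad).toString('utf8');
}
```

With this layout, rotating an org's KEK means re-wrapping the stored DEKs rather than re-encrypting every record.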

In-transit encryption

  • TLS 1.3 mandatory on all production endpoints.
  • TLS 1.2 supported for compatibility but flagged in headers (deprecated).
  • HSTS enabled; preload list submitted.
  • Certificate-transparency-compliant.

Network architecture

  • All Quantum Elixir products run in id-jkt-1 (Jakarta) by default.
  • Single-region production — sg-sin-1 replica coming 2026 Q3.
  • Inter-service traffic uses mTLS within our VPC.
  • No public exposure of internal services — only the documented HTTPS endpoints.

Identity & access

  • Production access for our staff requires hardware security keys (FIDO2 / WebAuthn).
  • Privileged actions are four-eyes — two engineers approve any infra change touching customer data.
  • All staff access is audit-logged; reviewed weekly.
  • No production database access from laptops — only through audited bastion hosts.

Compliance certifications

| Certification | Status |
| --- | --- |
| ISO 27001 | Certified (2025-Q4) |
| ISO 27017 (cloud) | Certified (2025-Q4) |
| ISO 27018 (PII in cloud) | Certified (2025-Q4) |
| SOC 2 Type II | Initial audit window 2026-01 to 2026-12; report due 2027-Q1 |
| OJK 38 / SE OJK 21 | Compliant (designated DPO + DPA available) |
| UU PDP (Indonesia) | Compliant; DPO designated; data subject rights workflows live |
| GDPR (for cross-border) | DPA template available |

Audit reports + certifications available under NDA — request via compliance@quantumelixir.tech.

Indonesian-specific compliance

UU PDP (Personal Data Protection Law)

  • Lawful basis — Contract + Legitimate Interest, documented per data category.
  • Data subject rights — Access, Rectification, Erasure, Portability all supported via the dashboard's Data Subject Rights tool. SLA: 30 days for response.
  • Cross-border transfer — Adequacy decision pending; in the interim we use standard contractual clauses. Customers can opt out of cross-border by enforcing dataResidency: ID-only on org settings (default is ID-only).
  • Breach notification — 72-hour notification to data controller (your org); customer is responsible for downstream notification to data subjects + Kominfo.

Bank Indonesia + OJK

  • Hosted in OJK-recognized data center (PT Cyber Network Indonesia · Jakarta · Tier IV).
  • Annual penetration test by an OJK-licensed assessor.
  • DRP tested annually; RTO 4h, RPO 15 min.

Vulnerability disclosure

We run a private bug-bounty — see Support & contact.

Public disclosure embargoed for 90 days from report unless mutually agreed.

PGP key:

pub   ed25519/4D2EB7F09A451234 2025-09-01 [SC] [expires: 2027-09-01]
      Key fingerprint = 4D2E B7F0 9A45 1234 5678  90AB CDEF 1234 5678 9ABC
uid                      Quantum Elixir Security <security@quantumelixir.tech>

Full key + security.txt at https://quantumelixir.tech/.well-known/security.txt.

Data retention

| Data class | Default retention |
| --- | --- |
| Customer records | Until org deletes or org account closed + 1 year |
| Bank statement PDFs | 90 days |
| Document Intelligence source files | 90 days |
| Identity capture bundles (frames) | 90 days |
| Face embeddings | Until enrollment retired |
| API request logs | 90 days |
| Audit logs | 7 years (regulatory) |
| Webhook delivery history | 30 days |

Custom retention available per-org (longer or shorter). Contact compliance@quantumelixir.tech.

What we don't do

  • We don't sell, share, or license customer data to third parties. Full stop.
  • We don't use customer production data to train models without explicit per-org opt-in.
  • We don't run customer data through any third-party LLM API by default. All AI processing happens inside our VPC.
  • We don't fingerprint cross-org — customers in Org A are never matched against customers in Org B unless both orgs explicitly opt into a shared-watchlist arrangement.

Pen-test reports + DPA on request

Email compliance@quantumelixir.tech with your org name + signed NDA template. We turn around DPA + most-recent pen-test summary within 2 business days.