Governance & Compliance
Q: Are you certified or audited?
A: Yes, Qevlar AI is independently audited and holds a SOC 2 Type II attestation, with the auditor concluding controls were suitably designed and operated effectively for Security criteria.
Additionally, Qevlar undergoes annual third-party penetration testing. Contractually, customers have audit rights under Qevlar’s DPA, allowing one audit per year with defined conditions and scope.
Q: Do you have a CISO/DPO?
A: Yes. Security and compliance are led by the CEO and delegated to a DPO function responsible for GDPR oversight and risk management.
DPO contact can be provided on request; inquiries should be sent to privacy@qevlar.com.
Q: Does the Qevlar solution comply with the EU AI Act?
A: Yes, Qevlar is designed to align with the EU AI Act and is currently classified as not prohibited, not Annex III high-risk, and not a GPAI provider, with mandatory human oversight built into every AI-assisted step.
- Qevlar implements transparency, traceability, risk management, security and data governance, and vendor oversight controls consistent with the Act’s requirements.
- The platform enforces human-in-the-loop approval, full override/rollback, visible evidence and confidence indicators, and end-to-end logging.
- Hosting and processing are EU/EEA-resident by default (GCP Belgium; Azure Sweden for inference, no training on customer data).
- Data governance includes read-only integrations, RBAC/SSO, tenant isolation, encryption, vulnerability management SLAs, and secure SDLC.
- Investigation transparency and explainability are inherent to the product design.
Hosting & Infrastructure Security
Q: Where is the customer data hosted?
A: Qevlar hosts and processes customer data in the EU/EEA by default: primary hosting on Google Cloud Platform in Belgium, with LLM inference on Azure Sweden under EU/EEA processing and no training on customer data.
Q: Are backups performed and encrypted?
A: Backups are fully automated, encrypted (AES-256), and stored in EU regions with retention and integrity checks.
Q: How long are alerts stored?
A: Alerts and related customer data are retained in the EU, with default deletion 60 days after contract termination unless otherwise agreed in writing.
Audit and security logs, including alert processing logs, are retained for up to 12 months or per the customer’s controller instructions to meet compliance needs.
During the subscription term, alerts, investigation reports, and associated telemetry are stored only as long as needed to operate the service under the customer’s control.
Q: Can Qevlar connect to on-premise security solutions?
A: The platform is designed for non-disruptive integration and utilizes standardized APIs for seamless data exchange.
Security events can either be pushed to Qevlar or pulled by Qevlar, depending on the customer’s configuration and technology stack.
Qevlar’s public-facing IP address is shared with the customer to allow secure traffic flow. In environments with strict network policies, a reverse proxy can be set up to further secure and control the connection. Other connectivity mechanisms can be discussed.
Q: Does Qevlar support other deployment types?
A: Yes, Qevlar supports Bring Your Own Cloud (BYOC) deployments on GCP and Azure.
Q: Can Qevlar host data in a different location?
A: Yes, as part of the BYOC deployment, customers can choose their preferred geographic location for data residency.
Q: How does Qevlar segregate tenant data?
A: Qevlar segregates customers’ data through logical multi-tenancy: all services are tenant-aware, and every database query is scoped by a unique tenant identifier to prevent cross-tenant access.
Data Protection & GDPR
Q: Are you a processor or controller?
A: Qevlar acts as a Data Processor for customer data contained within alerts processed to produce investigation reports while acting as a controller for its own account, admin, billing, telemetry, and service operations data.
Customers remain controllers of their incident data.
Q: Do you process data outside the EU?
A: Primary processing and storage are in the EU/EEA (GCP Belgium), and AI inference is performed in Azure OpenAI Sweden with EEA processing and no model training on customer data.
Q: How are DSRs (data subject requests) handled?
A: Requests (access, deletion, rectification) can be submitted to privacy@qevlar.com and are handled within statutory deadlines.
There are no routine transfers to third countries; any exceptional support access is covered by SCCs/TIAs with audit logging.
Q: Does Qevlar train on customer data?
A: No. Qevlar does not train its AI models on customer data. AI inference is explicitly configured to prevent model training on customer inputs.
Customers can add context as “memory” to guide investigations with their own inputs, but this does not involve training AI models on their data.
Third-Party Risk & Sub-processors
Q: List your sub-processors.
A: See the following table.
| Sub-processors | Nature of processing activities | Localization of processing |
|---|---|---|
| Google LLC | Infrastructure service | Belgium |
| Microsoft Corporation | Infrastructure service | Sweden / France |
| Sentry | Monitoring | Germany |
| Sendinblue | Notification email | Belgium / France / Germany |
Q: How are sub-processors vetted?
A: Sub-processors undergo documented vendor due diligence covering security and privacy requirements, contract reviews with confidentiality/privacy commitments, and annual reviews of critical third-party vendors.
Incident Response & Breach Management
Q: Do you have an IR plan?
A: Yes. A documented Incident Response Plan defines roles, reporting timelines, severity levels, investigation, containment, recovery, communications, evidence preservation, and post-mortems, and it is tested at least annually.
Q: What’s your breach notification SLA?
A: Customers are notified without undue delay and within 72 hours after confirmation of a personal data breach.
Access Control & Identity Management
Q: Do you enforce MFA and RBAC?
A: Yes, MFA is mandatory for all internal accounts and production access. RBAC is enforced through GCP IAM with least-privilege principles.
Q: How are secrets managed?
A: Secrets are managed using GCP Secret Manager with restricted access and automatic rotation.
Q: Which access rights does Qevlar need?
A: Qevlar AI typically needs read-only permissions to query the customer’s security events, through an API key, a service account, or an application, depending on the security solution.
Q: How are credentials secured?
A: Credentials are secured in an enterprise-grade security architecture that covers:
- Access Control: Qevlar implements role-based permissions with enforced segregation of duties.
- End-to-end Encryption: Data in transit is secured with TLS, and data at rest is protected with AES-256 encryption.
- Audit Trails: Comprehensive logging of all system activities is maintained for security and compliance.
- Security Controls: Qevlar maintains SOC 2 Type II compliance, follows Secure SDLC practices, undergoes regular penetration tests, and aligns with OWASP guidelines.
Monitoring, Logging & Auditing
Q: Are logs protected and retained?
A: Yes. Immutable logs are retained for 12 months, with access restricted.
Application Security & SDLC
Q: Do you perform code review and testing?
A: All code changes are peer-reviewed via GitHub and subject to CI/CD security scans.
Q: Do you conduct pentests?
A: Yes. Annual third-party penetration tests are performed on the SaaS environment, with remediation tracked internally.
Vulnerability & Patch Management
Q: How are vulnerabilities handled?
A: CVEs are tracked continuously; critical issues are patched within 7 days.
Change & Configuration Management
Q: How do you manage configuration changes?
A: Configuration changes follow a formal SDLC with ticketing, documentation, QA/UAT testing, peer/manager review, and management approval before production; only authorized personnel can deploy to production, with strict separation of environments.
Emergency changes are documented and reviewed post‑implementation; rollback is supported via version control with full history tracking.
Network/infrastructure changes require prior approval and ticket tracking; firewall and network rules are periodically reviewed.
These controls were independently validated in the SOC 2 Type II audit.
Employee Security & Awareness
Q: Are Qevlar employees trained?
A: Yes, employees must complete security awareness and GDPR training within 30 days of hire and at least annually thereafter, and developers receive annual secure development training appropriate to their role.
Q: Are background checks performed?
A: Yes, for sensitive positions in engineering and operations.
Business Continuity & DR
Q: Do you have a tested DR plan?
A: Yes. Qevlar AI maintains a documented Disaster Recovery Plan with defined RTO/RPOs and step-by-step recovery procedures, and it is reviewed and tested at least annually.
RPO < 1h, RTO < 4h.
Encryption & Key Management
Q: How is data encrypted?
A: All data at rest is encrypted with AES-256, and data in transit with TLS 1.2+. Encryption keys are managed by GCP KMS.
Legal & Contractual
Q: Do you sign NDAs and DPAs?
A: Yes. Qevlar provides standard NDAs and Data Processing Agreements aligned with GDPR.
Customer Support & Data Handling
Q: How is support data handled?
A: Support data (emails, tickets, call recordings) is retained for up to 3 years and deleted upon customer request.