Compliance posture
The compliance position, stated plainly — what is implemented, what is in readiness, and what is deliberately not claimed.
GDPR
GDPR is the operating baseline, not an aspiration. Data-subject rights (export, deletion, rectification, consent withdrawal) are implemented in-product, consent recording is granular and documented, retention windows are defined, and data is hosted in the EU. Details: see GDPR and data rights, and trust and data residency.
A Data Processing Agreement (DPA) is available for customers.
SOC 2 and ISO 27001
The Quantum Club does not currently hold a SOC 2 attestation or ISO 27001 certification. What follows describes the implemented control posture, which is built to those frameworks' expectations.
Controls in production that map to SOC 2 trust criteria and ISO 27001 Annex A:
- Access control. Role-based access enforced by database Row-Level Security; MFA required for elevated roles; step-up authentication for sensitive administrative operations. See the security model.
- Identity lifecycle. SSO (SAML 2.0 / OIDC) and SCIM 2.0 provisioning give customers directory-driven joiner/leaver control with a retained audit trail — relevant evidence for user access management requirements.
- Logging and monitoring. Security-relevant events are recorded as audit events; authentication telemetry is scanned by automated anomaly detection every five minutes, with findings routed to the security team.
- Cryptography. TLS for data in transit; encryption at rest; credentials and provisioning tokens stored only as salted, iterated hashes.
- Least privilege. Client applications hold only anonymous-level keys; privileged keys are confined to server-side functions.
- Change management. Database changes ship as versioned migrations; deployments are gated and verifiable against the source repository.
Customers running their own audits can request the DPA and architecture details to support vendor assessments.
EU AI Act readiness
The Quantum Club uses AI under the brand Club AI, and its positioning is deliberate:
- Club AI assists humans; it does not decide. Matching, recommendations, and analytics are decision support surfaced to recruiters, partners, and members — a human remains the decision-maker on hiring outcomes.
- Assessments are screening support. Assessment features are explicitly scoped as screening support based on observed work-sample evidence. They are not marketed or operated as standalone selection instruments, and they do not produce personality or clinical diagnoses.
- Scoring runs server-side under the same access controls as the rest of the platform, keeping outputs auditable.
This framing — assistive AI with human oversight, conservative claims about assessment validity — is the readiness posture for the EU AI Act's treatment of employment-related AI systems.
If your procurement process requires a certificate identifier or audit report reference for SOC 2 or ISO 27001, request the current status through your account contact rather than assuming one exists. The posture above is honest as of the verification date.
Summary table
| Framework | Status |
|---|---|
| GDPR | Implemented in-product; EU hosting; DPA available |
| SOC 2 | Readiness posture; controls implemented, no attestation claimed |
| ISO 27001 | Readiness posture; controls map to Annex A, no certification claimed |
| EU AI Act | Readiness framing: assistive AI, human decision-makers, screening-support assessments |
You can answer a vendor questionnaire accurately: GDPR is implemented, SOC 2 and ISO 27001 are readiness postures with real controls behind them, and AI features are positioned as human-assistive.