Trust and data residency
Answer the three questions every security review asks first — where the data lives, how it is protected, and who else touches it.
Where data lives
Customer data is hosted in the European Union:
- The primary database, storage, and server-side functions run on Supabase infrastructure in the EU (AWS eu-west-1, Ireland).
- The web application is delivered through Cloudflare's network, with the application served from os.thequantumclub.com.
Data residency in the EU is the default and only configuration — there is no setup step where customer data is moved to another region.
Encryption
| Layer | Protection |
|---|---|
| In transit | TLS for all client, API, and inter-service traffic |
| At rest | Encrypted storage for the database, file storage, and backups |
| Credentials | Passwords and recovery codes stored as salted, iterated hashes; SCIM tokens stored as PBKDF2-SHA256 hashes — plaintext is never retained |
| Documents | Private files served through expiring signed URLs, never public buckets |
Beyond encryption, authorization is enforced inside the database itself via Row-Level Security — see the security model. Encrypted data that the policy denies you is data you cannot query at all.
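As an added illustration (not The Quantum Club's code), the Python below shows what two rows of the table mean in practice: a SCIM token stored as a salted PBKDF2-SHA256 hash and verified with a constant-time compare so the plaintext never needs to be retained, and a private file URL that carries an HMAC signature and an expiry, so a leaked link stops working and a tampered path is rejected. The iteration count, salt size, record layout, signing key and URL format are assumptions for the example; the page states only the algorithm.

```python
import base64
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed parameters: the page names PBKDF2-SHA256 but not the work factor or salt length.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

# Constructed demo key for the signed-URL part; a real deployment keeps this in a secret store.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def hash_token(token: str) -> str:
    """Return a storable record 'pbkdf2_sha256$<iterations>$<salt>$<hash>'.

    Only this record is persisted; the plaintext token is shown to the admin once and discarded.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", token.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_token(token: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_b64, hash_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", token.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def new_scim_token() -> Tuple[str, str]:
    """Generate a fresh SCIM bearer token and the hash record to persist alongside it."""
    token = secrets.token_urlsafe(32)
    return token, hash_token(token)


def sign_url(base_url: str, path: str, ttl_seconds: int,
             now: Optional[int] = None, key: bytes = SIGNING_KEY) -> str:
    """Produce an expiring signed URL: the HMAC covers both the path and the expiry timestamp."""
    expires = (int(time.time()) if now is None else now) + ttl_seconds
    msg = f"{path}?expires={expires}".encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{base_url}{path}?" + urlencode({"expires": expires, "sig": sig})


def verify_signed_url(url: str, now: Optional[int] = None, key: bytes = SIGNING_KEY) -> bool:
    """Reject URLs that are expired, unsigned, or whose path/expiry no longer match the signature."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        expires = int(qs["expires"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError):
        return False
    current = int(time.time()) if now is None else now
    if current >= expires:
        return False
    msg = f"{parts.path}?expires={expires}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


if __name__ == "__main__":
    token, record = new_scim_token()
    print("stored record:", record)
    print("verify correct token:", verify_token(token, record))
    url = sign_url("https://files.example.test", "/private/report.pdf", ttl_seconds=300)
    print("signed url:", url)
    print("verify fresh url:", verify_signed_url(url))
```

The verifier never sees a plaintext token again, which is the property the table describes; the signed URL check fails closed on any missing or malformed parameter rather than falling back to serving the file.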
Subprocessors
The Quantum Club keeps its subprocessor list short. At a high level:
| Subprocessor | Purpose | Region |
|---|---|---|
| Supabase (on AWS) | Database, authentication, storage, server-side functions | EU (eu-west-1) |
| Cloudflare | Content delivery, DDoS protection, application hosting | Global network; EU-served traffic |
| Stripe | Payment processing | Payment data handled by Stripe under its own PCI DSS compliance; The Quantum Club does not store card numbers |
Supporting services (for example transactional email delivery) operate under data processing terms consistent with the DPA. The current authoritative subprocessor list is provided with the DPA.
Data Processing Agreement
A DPA is available for customers and covers processing purposes, subprocessors, transfer mechanisms, and breach notification terms. Request it through your account contact during procurement or security review.
What a reviewer should verify
Residency
Confirm EU hosting meets your transfer requirements. Primary processing is in eu-west-1; edge delivery uses Cloudflare's network.
Access model
Note that client applications never hold privileged database credentials — the anonymous key plus Row-Level Security is the entire client trust model.
Contracts
Obtain the DPA and the current subprocessor list, and map them against your own Article 28 checklist.
For the broader control environment — MFA, step-up authentication, anomaly detection, rate limiting — see the security model and the compliance posture.
You can state where the data is (EU, eu-west-1), how it is encrypted in transit and at rest, the three principal subprocessors, and that a DPA is available on request.