Security · Last updated 2026-05-20
How we protect accounts, data, and infrastructure.
Principles
Security is a continuous practice, not a checkbox. We design the platform around least-privilege access, encrypted transport, encrypted storage, scoped credentials, and routine review. This page describes the controls in place today; it will be updated as the platform matures.
In transit
All traffic between your browser and Quantora is encrypted with TLS 1.2 or higher. HTTP Strict Transport Security is enforced. Insecure connections are refused.
At rest
Account data and operational data are stored on managed infrastructure with disk-level encryption. Passwords are stored as Argon2-hashed values; we never store or log raw passwords.
Account security
- Sessions expire after a period of inactivity and on password reset.
- We support multi-factor authentication via TOTP authenticator apps, and will require it for paid tiers.
- Suspicious login attempts trigger rate limits and an account notification.
- Account recovery requires verified email control, never a customer support backchannel.
Infrastructure
Production runs on managed cloud infrastructure with isolated environments for staging and production. Access to production systems is restricted to a small named set of engineers, audited, and requires multi-factor authentication.
We do not connect to your brokerage account, custody account, or execution venue. The platform is read-only research and has no access to your money.
Data handling
We collect the minimum personal data needed to run the service (see our Privacy Policy). Data is retained for the period required to provide the service plus a short tail for legal and operational reasons.
Vendor management
Sub-processors (hosting, email, analytics, payments) are contractually bound by data protection terms. We review their security posture before onboarding and on a periodic basis.
Responsible disclosure
If you believe you have found a vulnerability, please email security@quantoraresearch.com with reproduction steps and impact. We will acknowledge within two business days and work with you on remediation. Please do not publicly disclose the issue before we have had a reasonable opportunity to fix it.
We do not currently run a paid bug bounty programme, but we will credit researchers in our security acknowledgements if they wish.
Incident notification
In the event of a security incident affecting your data, we will notify affected users without undue delay and in line with the notification requirements of applicable law.
Roadmap
As the platform grows we plan to pursue formal attestations (SOC 2 Type II and ISO 27001 are on the roadmap). We will not claim attestations we do not hold.
Contact
For general security questions, email security@quantoraresearch.com.