Security & Data protection

Outlines encryption, GDPR alignment, ISO-informed BCDR, and sub-processors used by Qhub. 

For all policies and terms related to security and data protection, please refer to the LicenseQ Terms and Conditions.

6.1 How We Handle Your Data 

Overview 

Qhub handles customer and company data through a formal, ISO-aligned Information Security and Data Protection framework.
Our approach covers the entire data lifecycle — from collection and classification to protection, monitoring, retention, and secure deletion. 

All controls are documented, enforced, and reviewed as part of Qhub’s Information Security Management System (ISMS).

Data Governance & Accountability

Data protection at Qhub is centrally governed. 

  • Clear ownership for data, systems, and risks 
  • Defined roles for data owners, custodians, and users 
  • Oversight by the CIO / Security Officer 
  • Policies reviewed and updated on a fixed cycle 

This ensures accountability and consistent handling of data across all teams and systems.

Data Classification & Handling

All data processed by Qhub is classified into defined categories (e.g. Restricted, Confidential, Internal, Public). 

Each classification level determines: 

  • Who may access the data 
  • How it must be stored 
  • Whether encryption is required 
  • How long it may be retained 
  • How it must be deleted 

This prevents “one-size-fits-all” handling and ensures sensitive data always receives appropriate protection.

Access Control & Identity Security

Access to data and systems is strictly controlled. 

  • Role-based access control (RBAC) 
  • Least-privilege access by default 
  • Formal approval for all access changes 
  • Mandatory MFA where technically possible 
  • Quarterly access reviews 
  • Immediate access revocation on offboarding 

Service, system, and third-party access is time-bound, logged, and monitored.

Encryption & Secure Transmission

Qhub protects data using strong cryptographic controls. 

  • Encryption at rest and in transit 
  • Industry-standard algorithms only 
  • Secure key management and rotation 
  • Encrypted backups and replicas 

Encryption is applied consistently across production, backups, and recovery environments.

Secure Software Development

Qhub follows a secure Software Development Life Cycle (SDLC). 

  • Security requirements defined during design 
  • Separation of development, test, and production environments 
  • No production data used in development by default 
  • Code reviews and secure coding standards 
  • Automated vulnerability scanning in CI/CD 
  • No critical or high vulnerabilities released to production 

This ensures customer data remains protected throughout product development and change cycles.

Monitoring, Logging & Detection

All systems handling data are actively monitored. 

  • Authentication and authorization events logged 
  • Administrative and configuration changes logged 
  • Network and application activity monitored 
  • Logs protected against tampering 
  • Alerts generated for suspicious activity 

This enables rapid detection, investigation, and response to potential security incidents.

Incident Response & Responsible Disclosure

Qhub maintains a structured incident response capability. 

  • Defined incident severity levels 
  • Clear roles and escalation paths 
  • Evidence preservation and forensic readiness 
  • Customer and stakeholder communication procedures 
  • Annual testing of incident response plans 

We also operate a Responsible Disclosure program, allowing external parties to safely report vulnerabilities in good faith.

Backup, Disaster Recovery & Business Continuity

Data availability is protected through layered resilience controls. 

  • Daily encrypted backups 
  • Backups stored separately from production 
  • Documented RTO/RPO objectives 
  • Tested Disaster Recovery procedures 
  • Business Continuity plans for operational resilience 

This ensures customer data remains recoverable even in extreme scenarios.

Data Retention & Deletion

Data is retained only as long as necessary. 

  • Retention periods defined per data category 
  • Secure deletion after retention expiry 
  • Controlled handling of backups and logs 
  • Support for customer data deletion requests 
  • Data portability and contract-termination handling defined 

This aligns with GDPR data minimisation and storage limitation principles. 

Vendor & Third-Party Data Protection

All third parties are assessed before handling Qhub data. 

  • Vendor risk classification (low / medium / high) 
  • Security and privacy due diligence 
  • Contractual security and data protection clauses 
  • Ongoing vendor monitoring 
  • Defined data return or destruction on contract end 

Third-party access is limited to what is strictly required.

Vulnerability & Risk Management

Security risks are continuously identified and managed. 

  • Asset-based risk assessments 
  • Formal risk scoring and ownership 
  • Annual vulnerability scanning and penetration testing 
  • Defined remediation SLAs 
  • Tracking of findings to closure 

Risk management is an ongoing process, not a one-time exercise.

Personal Data & Privacy

Personal data is handled in line with privacy-by-design principles. 

  • Lawful and purpose-limited processing 
  • Minimal data collection 
  • Clear privacy notices 
  • Support for data subject rights 
  • Identity verification for requests 
  • Defined response timelines 

Privacy controls are embedded into both product and internal processes. 

Summary 

Qhub handles data through a comprehensive, auditable, and continuously managed security framework. 

In practice, this means: 

  • Data is classified and protected based on sensitivity 
  • Access is tightly controlled and reviewed 
  • Data is encrypted, monitored, and backed up 
  • Incidents are handled in a structured and transparent way 
  • Data is retained and deleted according to clear rules 
  • Third parties are governed with the same care as internal systems 

This approach supports enterprise, regulated, and public-sector customers using Qhub. 

6.2 Encryption & Storage 

Qhub protects customer data using strong encryption and secure cloud storage practices. All data is stored and transmitted in a way that ensures confidentiality, integrity, and availability throughout its lifecycle. 

Encryption 

Qhub applies encryption consistently across all environments: 

  • Data at rest is encrypted using industry-standard encryption algorithms 
  • Data in transit is protected using secure TLS/SSL connections 
  • Backups and replicas are encrypted to the same standard as production data 
  • Encryption keys are securely managed and access-restricted 

Encryption is enforced by default and cannot be disabled for customer data. 

Secure Storage 

Customer data is stored on secure, enterprise-grade cloud infrastructure: 

  • Data is hosted in protected cloud environments 
  • Customer data is logically segregated to prevent cross-tenant access 
  • Access to storage systems is restricted to authorized personnel only 
  • Administrative access is logged and monitored 

Storage configurations follow the principle of least privilege and are reviewed regularly. 

Backup & Resilience 

To ensure availability and recoverability: 

  • Encrypted backups are created on a regular basis 
  • Backups are stored separately from production systems 
  • Recovery procedures are documented and tested 
  • Data can be restored in line with defined recovery objectives 

Summary 

  • All customer data is encrypted at rest and in transit 
  • Storage environments are secure, segregated, and access-controlled 
  • Backups are encrypted and resilient 
  • Encryption and storage controls are continuously monitored 

These measures ensure that customer data in Qhub remains protected against unauthorized access, loss, or exposure. 

6.3 Sub-Processors 

A sub-processor is a third-party service provider that processes personal or customer data on behalf of Qhub as part of delivering the Qhub service.

In this context: 

  • Customer = Data Controller 
  • Qhub = Data Processor 
  • Sub-processor = Third party engaged by Qhub to support the service 

Sub-processors are commonly used for infrastructure, hosting, security, analytics, communications, or support tooling. 

Why Sub-Processors Are Used 

Modern SaaS platforms rely on specialized providers to ensure: 

  • Secure and scalable infrastructure 
  • Reliable data storage and backups 
  • Monitoring, logging, and alerting 
  • Secure communication and collaboration 
  • Operational efficiency and availability 

Qhub carefully selects sub-processors that meet strict security and privacy standards.

How Qhub Governs Sub-Processors

Due Diligence Before Engagement

Before engaging any sub-processor, Qhub performs a security and privacy review that may include: 

  • Review of security policies and controls 
  • Assessment of certifications (e.g. ISO 27001, SOC 2) 
  • Evaluation of data access scope and necessity 
  • Risk classification (low / medium / high) 

Only vendors that meet Qhub’s security requirements are approved.

Contractual Safeguards

All sub-processors are bound by contracts that include: 

  • Data protection and confidentiality obligations 
  • Restrictions on data usage and purpose 
  • Security control requirements 
  • Incident and breach notification obligations 
  • Data return or deletion upon termination 
  • Geographic data-location commitments

Least-Privilege Data Access

Sub-processors are granted: 

  • Only the minimum access required to deliver their service 
  • No unrestricted access to customer data 
  • No access without a documented business purpose 

Access is reviewed periodically and revoked when no longer required. 

Ongoing Monitoring

Qhub continuously monitors sub-processors by: 

  • Reviewing updated security certifications and reports 
  • Tracking changes in service scope or data handling 
  • Re-assessing risk when services or regulations change 

High-risk sub-processors receive enhanced scrutiny. 

Data Location & Transfers 

Qhub selects sub-processors that: 

  • Support regional data residency where applicable 
  • Apply strong encryption at rest and in transit 
  • Comply with applicable data-transfer mechanisms (e.g. GDPR requirements) 

If cross-border data transfers occur, they are governed by appropriate legal safeguards. 

Transparency 

Qhub maintains a sub-processor inventory that includes: 

  • Sub-processor name 
  • Purpose of processing 
  • Data categories involved 
  • Geographic location 

This list is available via the Trust Center and updated when changes occur. 

Customers are notified in advance of material changes where required. 

Summary 

  • Sub-processors are third parties that support Qhub in delivering the Hub 
  • They are carefully selected, contractually bound, and continuously monitored 
  • Access to customer data is limited, logged, and controlled 
  • Transparency and compliance are central to how Qhub manages sub-processors