PUBLIC IMS-SO v1.3 · Version 1.3 · Issued 10 Feb 2026

Quake Security & Compliance Overview

At Quake, we are committed to protecting the confidentiality, integrity, and availability of our clients' data. Our Information Security Management System (ISMS) is aligned with ISO 27001 standards. This document outlines the technical and organisational measures we implement to secure the Quake Platform.

1. Certifications & Compliance

Standard         | Status    | Details
ISO 27001        | Aligned   | We operate a comprehensive ISMS aligned with the ISO 27001 standard. External certification is scheduled for 2026. This alignment evidences our appropriate technical and organisational measures.
GDPR / UK GDPR   | Compliant | We act as a Data Processor. All data processing occurs within the UK.
Cyber Essentials | Compliant | Not yet certified

2. Infrastructure & Physical Security

Hosting Providers: The Quake Platform infrastructure is hosted on AWS (Amazon Web Services) and Vultr. Both providers are Tier-1 cloud operators maintaining ISO 27001, SOC 2 Type II, and PCI-DSS compliance standards.

Data Locality: All production data is stored in the London region. We do not transfer data outside this region without explicit agreement.

Physical Access: We rely on our cloud providers' robust physical security (biometrics, 24/7 onsite security, video surveillance) and do not maintain physical servers at our own offices.

3. Data Protection & Encryption

Encryption in Transit: All data transmitted between the Client and the Quake Platform is encrypted using strong protocols (TLS 1.2 or higher).

Encryption at Rest: Customer data is encrypted at rest within our AWS and Vultr storage volumes using industry-standard algorithms (AES-256).

Backups:

Frequency: Daily full backups and hourly incremental backups.

Redundancy: Backups are replicated to a separate geographic availability zone for disaster recovery.

Testing: Restoration procedures are tested annually.

4. Access Control & Authentication

Least Privilege: Internal access to production systems is restricted to a limited number of authorised engineering staff based on the principle of least privilege.

Multi-Factor Authentication (MFA): MFA is enforced for all Quake employees accessing internal systems, source code, and administrative dashboards.

Client Authentication: The Quake Platform supports secure authentication protocols including SSO (Single Sign-On) and Enforced Strong Passwords.

5. Vulnerability Management & Testing

Penetration Testing: We engage independent third-party security firms to conduct penetration testing on the Quake Platform at least annually. (Summary reports are available upon request.)

Vulnerability Scanning: Automated scans are performed on code dependencies and infrastructure regularly. Critical patches are applied within 14 days of release.

Secure Development: Our Software Development Life Cycle (SDLC) includes code reviews and static analysis (SAST) before deployment.

Third-Party Assurance: Upon request, Quake can provide high-level summaries of our critical suppliers' security posture (e.g., confirmation of AWS/Supabase SOC 2 status) as part of our rigorous Supplier Due Diligence process. This provides assurance of security controls in lieu of our own pending external ISO 27001 certification.

6. Incident Management

Monitoring: We utilise 24/7 automated monitoring across both AWS and Vultr environments to detect anomalous activity.

Notification: As per our Terms of Use, we commit to notifying clients of any confirmed Personal Data Breach without undue delay (and no later than 72 hours).

Response Plan: We maintain a documented Incident Response Plan (IRP) which is tested annually.

7. Personnel Security

Screening: All Quake employees undergo background checks (including criminal record checks where legally permitted) prior to employment.

Training: All staff receive mandatory Information Security and GDPR training upon hire and annually thereafter.

Confidentiality: All employees and contractors sign strict confidentiality agreements (NDAs).