Security and compliance posture
How we approach security on engagements that touch regulated data. Honest, with clear lines on what we can and cannot sign.
For healthcare engagements that touch protected health information, we work under a Business Associate Agreement on the customer's paper. We do not produce a generic BAA template; we sign the one your legal team uses and we do not negotiate it down.
If you ask whether we are HIPAA certified, the honest answer is that HIPAA does not certify vendors. We follow the safeguards required of business associates and we have shipped audited integrations that passed external HIPAA security review.
Concrete controls baked into how we ship, not a marketing checklist.
We avoid storing customer data in our own systems whenever the architecture allows. When we must hold data temporarily during development, we use synthetic or anonymized samples; we do not download production records to laptops.
For incident response, we work with your security and legal teams under your existing playbook. We expect notification and triage SLAs to be specified in the contract.
We will not sign attestations of compliance frameworks where we do not actually meet the controls.
If a buyer asks for SOC 2 Type II attestation today, we will tell you we are not yet audited and offer to work under contractual equivalents instead. Honesty here saves time later.
If you find a security issue in any system we have shipped, contact us at hello@quadevs.com. We acknowledge within one business day and coordinate disclosure with you and the affected customer.