Security

Effective May 14, 2026

Quala handles the engineering work-product of every candidate who runs an assessment. We treat that data the way we'd want our own treated.

01

Infrastructure

Quala runs on AWS in us-east-1 (and eu-central-1 for EU customers). All workloads run inside isolated VPCs with private subnets for application and database tiers. We do not run customer workloads on shared servers with other tenants.

02

Encryption

  • In transit: TLS 1.3 on every external endpoint and TLS 1.2+ between internal services.
  • At rest: AES-256 disk encryption on all databases, object storage, and backups. Keys are managed in AWS KMS with annual rotation.
  • Candidate session payloads (code edits, terminal output, AI conversations) are additionally encrypted with a per-organization data key.

03

Access control

Production access is restricted to a small on-call rotation. All access is authenticated with hardware-bound SSO and a phishing-resistant second factor. Privileged actions are logged to an immutable audit trail.

Customer admins can enforce SSO (SAML / OIDC), provision users via SCIM, and bind specific roles to specific assessments on Scale plans.

04

Application security

  • Dependencies are scanned daily for known vulnerabilities; high or critical CVEs are patched within 72 hours.
  • Every pull request runs SAST, secret scanning, and a sandboxed integration suite before it can merge.
  • We run an external bug-bounty program and publish a security.txt at quala.dev/.well-known/security.txt.

05

Candidate sandbox isolation

Each assessment runs in a single-tenant Firecracker microVM that is destroyed on submission. Candidates cannot reach Quala internal services or other candidates' environments from inside the sandbox, and outbound network access is restricted to an allow-list of package registries and approved AI providers.

06

Logging and monitoring

Application, infrastructure, and authentication events stream into our SIEM in real time with 365-day retention. We alert on anomalies, brute-force patterns, and configuration drift.

07

Incident response

We follow a documented response playbook with defined roles, escalation timelines, and customer-notification commitments. We will notify affected customers without undue delay — and within 72 hours where required by GDPR — after confirming a personal-data incident.

08

Business continuity

Databases are continuously replicated across availability zones with point-in-time recovery for the past 30 days. We run quarterly recovery drills against the production runbook.

09

Compliance

  • SOC 2 Type II — in progress, expected H2 2026.
  • GDPR — see our dedicated page.
  • EEOC-defensible scoring rubrics — built in by design.

10

Reporting a vulnerability

Report security issues to security@quala.dev. We aim to acknowledge within one business day. Please give us a reasonable window to remediate before public disclosure.