SECURITY & TRUST

ENTERPRISE DELIVERY IN YOUR MICROSOFT TENANT.

QuanteliX supports Dynamics 365, ERP/BI, AI-ready databases and Managed Services – with clear access controls, secure development and resilient operational processes.

IMPLEMENTATION EXCLUSIVELY IN CUSTOMER TENANT

QUANTELIX ACTS AS DATA PROCESSOR

MFA + CONDITIONAL ACCESS MANDATORY

LEAST PRIVILEGE / RBAC AS STANDARD

DEV / TEST / PROD SEPARATED WITH CUSTOMER APPROVALS

NO SUB-PROCESSORS FOR DELIVERY (TOOLING REMAINS WITH CUSTOMER)

SECURITY BY DESIGN. PRAGMATIC AND AUDITABLE.

We integrate security controls into your Microsoft Governance: minimizing access, controlling changes, reducing data exposure and making responsibilities traceable.

SCOPE

  • Dynamics 365 Customizing & Development
  • ERP / BI (Implementation, Extensions, Operations)
  • Data Basis for AI-Readiness
  • Managed Services / Support

DATA PROCESSING & DATA RESIDENCY

ROLE IN DATA PROCESSING

QuanteliX typically operates as a data processor based on an AVV/DPA.

WHERE DATA IS PROCESSED

Implementation occurs exclusively in customer-managed environments/tenants (e.g. Microsoft 365 / Dynamics 365 / Azure).

QuanteliX provides no systems of its own and hosts no customer systems.

ACCESS TO PRODUCTION DATA

Depending on the scope of services, QuanteliX may have access to production systems and data to provide services and support.

EU/GERMANY DATA RESIDENCY

We support EU/Germany residency requirements within the framework of the customer’s Microsoft configuration and tenant policies.

SUB-PROCESSORS

No sub-processors are used for delivery. Tools/platforms remain with the customer.

IDENTITY & ACCESS CONTROL

SECURITY BEGINS AT ACCESS

  • MFA mandatory for all access, supplemented by extensive Conditional Access Policies
  • RBAC and Least Privilege as standard
  • Joiner/Mover/Leaver: Access is immediately revoked as soon as required
  • Use of SSO and password manager standards

ENCRYPTION & KEY SOVEREIGNTY

  • Encryption in transit: TLS
  • Encryption at rest: depending on the customer’s Microsoft configuration
  • Key Management: entirely customer-side (key sovereignty and configuration with the customer)

SECURE DELIVERY & CHANGE CONTROL

SECURE DEVELOPMENT IN THE CUSTOMER LIFECYCLE.

  • Implementation via Azure DevOps with branching and review process
  • No secrets in code (no storage of access data in repositories)
  • Environment separation: DEV / TEST / PROD
  • Approvals: Production releases are made with customer approval according to agreed procedures

PATCH & VULNERABILITY MANAGEMENT

  • Regular patch management for end devices, tools, and relevant components
  • Incident/bug handling with defined SLAs according to criticality
  • Continuous improvement based on operational experience and customer requirements

For security reasons, we do not publish detailed internal assessments/tests on this public page.

INCIDENT RESPONSE & COMMUNICATION

CLEAR ESCALATION, FAST INFORMATION.

  • Defined incident response process with immediate stakeholder information
  • If a security incident becomes known, information is provided immediately by telephone
  • Security contact: legal@quantelix.io
  • Backup/Restore and Disaster Recovery remain with the customer within the respective tenant/environment architecture

ORGANISATION, GOVERNANCE & ENDPOINT SECURITY

  • Named role: Security Lead
  • Monthly security awareness training
  • Confidentiality/NDA and relevant background checks
  • Device management with MDM, disk encryption, and endpoint protection

COMPLIANCE & DOCUMENTATION

  • REQUEST AVV/DPA
  • REQUEST TOMS / SECURITY OVERVIEW
  • REQUEST SECURITY WORKSHOP
  • No ISO 27001 / SOC 2 certifications at this time
  • Controls aligned to Microsoft Security Baselines and customer governance
  • AVV/DPA available
  • TOMs (Technical and organizational measures) and security documentation on request

REFERENCES & NDA

For confidentiality reasons, we share information on existing customers, project details and specific implementations exclusively under NDA and after confirmation by the existing customers.

FAQ

1. Does QuanteliX host customer data on its own systems?

No. Processing takes place exclusively in the customer’s systems/tenants (e.g. Microsoft Azure/D365/M365). QuanteliX does not provide its own hosting systems for customer data.

2. Does QuanteliX access production data?

Depending on the project and mandate, access to production data may be necessary, e.g. for support, troubleshooting, operations or error analysis. Access is role-based and according to the need-to-know principle.

3. Does QuanteliX use sub-processors?

Yes. QuanteliX uses selected sub-processors. A current sub-processor list is available on request, and sub-processors are contractually bound in accordance with Art. 28 GDPR.

4. How quickly does QuanteliX inform about security incidents?

We inform the customer within 24–72 hours of discovery, in accordance with the AVV/project standard and without undue delay.

5. How do I receive the AVV and the sub-processor list?

By request to legal@quantelix.io. We provide the standard AVV and send the current sub-processor list on request.