SECURITY & TRUST

ENTERPRISE DELIVERY IN YOUR MICROSOFT TENANT.

QuanteliX supports customer projects in Dynamics 365, ERP/BI, data foundation and managed services – with clear access controls, secure development and resilient operational processes within the customer systems.

IMPLEMENTATION EXCLUSIVELY IN CUSTOMER TENANT

QUANTELIX ACTS AS DATA PROCESSOR

MFA + CONDITIONAL ACCESS MANDATORY

LEAST PRIVILEGE / RBAC AS STANDARD

DEV / TEST / PROD SEPARATED WITH CUSTOMER APPROVALS

NO OWN DELIVERY PLATFORMS; ANY SUB-PROCESSORS ARE CONTRACTUALLY GOVERNED AND DISCLOSED TRANSPARENTLY

SECURITY BY DESIGN. PRAGMATIC AND AUDITABLE.

We integrate security controls into your Microsoft Governance: minimizing access, controlling changes, reducing data exposure and making responsibilities traceable.

SCOPE

  • Dynamics 365 Customizing & Development
  • ERP / BI (Implementation, Extensions, Operations)
  • Data Foundation for AI Readiness
  • Managed Services / Support

DATA PROCESSING & DATA RESIDENCY

ROLE IN DATA PROCESSING

QuanteliX typically operates as a data processor based on an AVV/DPA.

WHERE DATA IS PROCESSED

Implementation occurs exclusively in customer-managed environments/tenants (e.g. Microsoft 365 / Dynamics 365 / Azure).

QuanteliX provides no systems of its own and hosts no customer systems.

ACCESS TO PRODUCTION DATA

Depending on the scope of services, QuanteliX may have access to production systems and data to provide services and support.

EU/GERMANY DATA RESIDENCY

We support EU/Germany residency requirements within the framework of the customer’s Microsoft configuration and tenant policies.

SUB-PROCESSORS

Delivery is generally executed within the customer’s systems and platforms. Where sub-processors are used for defined purposes, they are contractually integrated and disclosed upon request.

IDENTITY & ACCESS CONTROL

SECURITY BEGINS AT ACCESS

  • MFA mandatory for all access, supplemented by extensive Conditional Access Policies
  • RBAC and Least Privilege as standard
  • Joiner/Mover/Leaver: access is revoked immediately when required
  • Use of SSO and password manager standards

ENCRYPTION & KEY SOVEREIGNTY

  • Encryption in transit: TLS
  • Encryption at rest: depending on the customer’s Microsoft configuration
  • Key Management: entirely customer-side (key sovereignty and configuration with the customer)

SECURE DELIVERY & CHANGE CONTROL

SECURE DEVELOPMENT IN THE CUSTOMER LIFECYCLE.

  • Implementation via Azure DevOps with branching and review process
  • No secrets in code (no storage of access data in repositories)
  • Environment separation: DEV / TEST / PROD
  • Approvals: Production releases are made with customer approval according to agreed procedures

PATCH & VULNERABILITY MANAGEMENT

  • Regular patch management for end devices, tools, and relevant components
  • Incident/bug handling with defined SLAs according to criticality
  • Continuous improvement based on operational experience and customer requirements

For security reasons, we do not publish detailed internal assessments/tests on this public page.

INCIDENT RESPONSE & COMMUNICATION

CLEAR ESCALATION, FAST INFORMATION.

  • Defined incident response process with immediate stakeholder information
  • If a security incident becomes known, information is provided immediately by telephone
  • Security contact: legal@quantelix.io
  • Backup/Restore and Disaster Recovery remain with the customer within the respective tenant/environment architecture

ORGANISATION, GOVERNANCE & ENDPOINT SECURITY

  • Named role: Security Lead
  • Monthly security awareness training
  • Confidentiality/NDA and relevant background checks
  • Device management with MDM, disk encryption, and endpoint protection

COMPLIANCE & DOCUMENTATION

  • No ISO 27001 / SOC 2 certifications at this time
  • Controls aligned to Microsoft Security Baselines and customer governance
  • AVV/DPA available
  • TOMs (technical and organizational measures) and security documentation on request

REFERENCES & NDA

For confidentiality reasons, we share information on existing customers, project details and specific implementations exclusively under NDA and after confirmation by the existing customers.

FAQ

1. Does QuanteliX host customer data on its own systems?

No. Processing takes place exclusively in the customer’s systems/tenants (e.g. Microsoft Azure/D365/M365). QuanteliX does not provide its own hosting systems for customer data.

2. Does QuanteliX access production data?

Depending on the project and mandate, access to production data may be necessary, e.g. for support, troubleshooting, operations or error analysis. Access is role-based and according to the need-to-know principle.

3. Does QuanteliX use sub-processors?

Where required, QuanteliX uses selected sub-processors for clearly defined purposes. A current list is available on request, and the involvement is contractually governed in accordance with Art. 28 GDPR.

4. How quickly does QuanteliX inform about security incidents?

We inform the customer within 24–72 hours of discovery, in accordance with the AVV/project standard and without undue delay.

5. How do I receive the AVV and the sub-processor list?

By request to legal@quantelix.io. We provide the standard AVV and send the current sub-processor list on request.