Security & Compliance
Operational reference for enterprise-facing controls currently implemented in Quantlix.
Identity & access
- MFA (TOTP) per user with recovery codes and disable flow.
- Organization MFA requirement to enforce MFA for org-scoped API access.
- API key scopes, optional expiry, revoke timestamp, and last-used audit fields.
- Scoped OIDC SSO with optional password-login enforcement by organization.
Data protection posture
On supported runtime paths (see EU AI Act readiness), teams can correlate policy decisions, enforcement events, and traces — including what was blocked or redacted before a model call. In workflow use cases, PII controls should run before model nodes. For self-hosted deployments, raw source data can remain inside the customer-controlled network boundary.
Company and hosting note
Quantlix is owned by Navego AB, Lillängsvägen 21, 131 41 Nacka, Stockholm, Sweden.
Deployment options include managed operation and self-hosting. For strict data residency requirements, confirm the selected hosting region and provider configuration before production rollout.
Signed audit exports
Enforcement-event JSONL can be exported with hash chain and trailing HMAC signature metadata.
curl "https://api.quantlix.ai//enforcement-events/export?deployment_id=DEPLOYMENT_ID&format=jsonl&signed=true" \
  -H "X-API-Key: YOUR_API_KEY"
curl -X POST "https://api.quantlix.ai//audit/verify-signed-export" \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"lines":["{...signed jsonl line 1...}","{...line 2...}","{...signature block...}"]}'
Note: signed export requires `AUDIT_SIGNING_KEY` to be configured on the server; without it the export is unsigned and the verify endpoint has nothing to check.
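The verify endpoint above does the checking server-side. The added example below shows what an offline verifier of such an export has to do, so a reader can reason about what the evidence actually proves. It is not Quantlix code and the line layout it assumes (an event line carries `seq`, `prev_hash` and `hash`, the trailing block carries an HMAC-SHA256 over the last chain hash) is a plausible shape chosen for illustration, not the product's documented schema; the events and key are constructed.

```python
"""
Offline verification of a hash-chained JSONL audit export with a trailing HMAC block.

ASSUMED layout (illustrative, not Quantlix's documented format):
  event line:    {"seq": n, "prev_hash": "<hex of previous line's hash, "" on first line>",
                  "hash": "<sha256 hex over the canonical line without "hash">", ...event fields}
  trailing line: {"signature": {"alg": "HMAC-SHA256", "last_hash": "<hex>", "mac": "<hex>"}}
"""
import hashlib
import hmac
import json

DEMO_KEY = b"demo-audit-signing-key"  # stands in for AUDIT_SIGNING_KEY; constructed

SAMPLE_EVENTS = [  # constructed sample events, not real Quantlix data
    {"ts": "2024-05-01T10:00:00Z", "deployment_id": "dep_demo", "action": "block", "rule": "pii.ssn"},
    {"ts": "2024-05-01T10:00:05Z", "deployment_id": "dep_demo", "action": "redact", "rule": "pii.email"},
    {"ts": "2024-05-01T10:00:09Z", "deployment_id": "dep_demo", "action": "allow", "rule": None},
]


def canonical(obj) -> bytes:
    # Deterministic serialisation so the hash does not depend on key order or whitespace.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def event_hash(record: dict) -> str:
    # The hash covers every field except the hash itself, including seq and prev_hash,
    # so reordering or re-parenting a line changes its hash.
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(canonical(body)).hexdigest()


def sign_export(events, key: bytes) -> list:
    """Build signed JSONL lines. Used here only to construct sample input."""
    lines, prev = [], ""
    for i, ev in enumerate(events):
        rec = {"seq": i, "prev_hash": prev, **ev}
        rec["hash"] = event_hash(rec)
        prev = rec["hash"]
        lines.append(json.dumps(rec, sort_keys=True))
    mac = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    lines.append(json.dumps({"signature": {"alg": "HMAC-SHA256", "last_hash": prev, "mac": mac}}))
    return lines


def verify_export(lines, key: bytes) -> tuple:
    """Return (ok, reason). Checks per-line hash, chain continuity, and the trailing HMAC."""
    if not lines:
        return False, "empty export"
    try:
        records = [json.loads(line) for line in lines]
    except json.JSONDecodeError as exc:
        return False, f"malformed JSON: {exc}"
    sig = records[-1].get("signature")
    if not isinstance(sig, dict):
        return False, "missing trailing signature block"
    prev = ""
    for idx, rec in enumerate(records[:-1]):
        if rec.get("seq") != idx:
            return False, f"sequence gap at line {idx}"          # deleted or reordered line
        if rec.get("prev_hash") != prev:
            return False, f"chain break at line {idx}"           # a predecessor was rewritten
        if event_hash(rec) != rec.get("hash"):
            return False, f"content hash mismatch at line {idx}"  # field edited in place
        prev = rec["hash"]
    if sig.get("last_hash") != prev:
        return False, "signature does not cover final line"      # trailing lines dropped
    expected = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(sig.get("mac", ""))):
        return False, "HMAC mismatch (wrong key or tampered export)"
    return True, "ok"


def tamper(lines, idx: int, field: str, value) -> list:
    """Return a copy of the export with one field on one line edited (to show detection)."""
    rec = json.loads(lines[idx])
    rec[field] = value
    out = list(lines)
    out[idx] = json.dumps(rec, sort_keys=True)
    return out


if __name__ == "__main__":
    export = sign_export(SAMPLE_EVENTS, DEMO_KEY)
    print("intact:", verify_export(export, DEMO_KEY))
    print("edited field:", verify_export(tamper(export, 1, "action", "allow"), DEMO_KEY))
    print("dropped last event:", verify_export(export[:-2] + export[-1:], DEMO_KEY))
    print("wrong key:", verify_export(export, b"not-the-key"))
```

Two points the code makes explicit: the chain alone only proves internal consistency (anyone who can rewrite every line can rebuild it), so the HMAC over the final hash is what binds the export to the holder of the signing key; and the `seq` and `last_hash` checks are what catch silent deletion of leading or trailing lines, which a per-line hash check would not notice.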
GDPR data subject rights
Self-service export and erasure are available to the authenticated user via the `/auth/gdpr` endpoints.
curl "https://api.quantlix.ai//auth/gdpr/export" \
  -H "X-API-Key: YOUR_API_KEY"
curl -X POST "https://api.quantlix.ai//auth/gdpr/delete" \
  -H "X-API-Key: YOUR_API_KEY"
Erasure is blocked with `409` when the user is the sole owner of any organization.
Readiness, not legal compliance
Quantlix provides runtime policy enforcement and exportable evidence on supported production paths to help teams build EU AI Act readiness and broader AI governance workflows. It is not legal advice, a conformity assessment, CE marking, or a guarantee of regulatory compliance. Risk classification, DPIAs, and legal interpretation remain your responsibility.
Trust center
Hosting, subprocessors, SOC 2 / ISO posture, and audit evidence are summarized on the Trust center page (aligned with this document). The live subprocessor register is also available as machine-readable JSON.
Common questions
Does Quantlix store prompts?
Quantlix stores execution and audit data needed for traces, enforcement events, and visibility. For privacy-sensitive workflows, use redaction before model calls and review retention settings for your deployment model.
Can I export audit evidence?
Yes. Enforcement-event exports are always available; signed audit exports additionally require signing to be configured (`AUDIT_SIGNING_KEY`). Workflow analysis can also export compliance evidence as proof of redaction.
See also: traces and run history for investigations.
What about subprocessors?
Quantlix publishes a versioned subprocessor register for managed hosting and platform services. Customer-configured model providers (Anthropic, OpenAI, Azure OpenAI, Bedrock, Voyage AI, etc.) are listed when applicable but are part of your own data flow when you connect them.
Live register: Trust center · JSON API · /subprocessors.json