Built for the most sensitive portfolios

Pension funds, insurers, private banks and family offices entrust Quanthome with their real estate book. We treat that responsibility as a product requirement, not a compliance afterthought.

  • 100% · Swiss data residency
  • 0 · Client data used for AI training
  • 24/7 · Infrastructure monitoring

Six pillars protect your data at every layer

From the cantonal data we ingest to the AI answers we generate, every layer is designed to keep your information confidential, auditable, and under your control.

  • Swiss data sovereignty

    Client data, document uploads, and AI conversations are stored and processed on infrastructure located in Switzerland and the European Economic Area. Your data never leaves the jurisdictions you expect, and no cross-border replication happens without an explicit data processing agreement.

Mapped to the four pillars your risk team already audits

Four control families, the same ones Swiss and European institutional investors verify in every vendor questionnaire.

Data protection

Lawful basis for processing, full data subject rights, sub-processor transparency, and a 72-hour breach notification process under both the Swiss and EU regimes.

  • FADP · Compliant
  • GDPR · Compliant

Information security

Controls designed against the ISO/IEC 27001:2022 Annex A catalogue and the SOC 2 Trust Services Criteria. Independent certification is on the 2026 roadmap.

  • ISO 27001 · Aligned
  • SOC 2 Type II · In progress

AI transparency

AI-assisted outputs are clearly labelled and require human verification before use in regulated decisions, per Article 50 of the EU AI Act. No client data is used to train any model.

  • EU AI Act Art. 50 · Compliant
  • Zero training on client data

Financial sector ready

Quanthome is a technology provider, not a financial intermediary. Our controls fit cleanly into the outsourcing, BCM and operational-risk frameworks of FINMA-supervised entities.

  • FINMA outsourcing · Vendor-ready
  • CISA / AMAS context

Security is a product feature, not a checklist

The teams that use Quanthome (pension funds, insurers, asset managers, banks) already operate under some of the strictest oversight in Europe. Our job is to make working with us the easiest line item in their vendor file, not the hardest.

That means short, plain-language contracts with a real Data Processing Addendum, a single security contact who answers in business hours, and a willingness to share the evidence behind every claim on this page. If your risk team needs something we haven't documented yet, ask; that's how this page keeps getting longer.

The Quanthome engineering team

What risk teams ask us most

How does Quanthome define customer data?

Customer data is everything you bring into Quanthome: uploaded documents, custom datasets, portfolio holdings, and the prompts or queries you send to our AI. Customer content is the answers and exports our platform returns. Both are treated as confidential and segregated per workspace, and both remain your property under our Master Services Agreement.

Where is my data hosted and processed?

Production runs on Google Cloud in European regions, with Swiss residency for clients who require it. Sub-processors are limited to a short, published list, and any cross-border transfer is governed by Standard Contractual Clauses (or the Swiss-equivalent FADP transfer mechanism). We do not replicate client data outside the EU/EEA/Switzerland without a written instruction.

Do you train AI models on my data?

No. Customer content is never used to train, fine-tune, or improve any AI model, neither our own nor those of our model providers. We contractually require zero-data-retention with the foundation model providers we integrate. If a client wants a bespoke model trained on its own data, that happens only on explicit request, in a dedicated environment, and only for that client.

Who at Quanthome can access my data?

By default, nobody. Production access is least-privilege, time-bound, MFA-protected, and logged. A small on-call group can request break-glass access for incident response; every such request is recorded and reviewed. Engineers cannot browse customer data as part of normal development.

How is data encrypted?

All traffic to quanthome.com and our APIs is TLS 1.2+ with HSTS. Data at rest in our databases, object storage, and backups is encrypted with AES-256 using cloud-provider managed keys. Secrets and credentials live in Secret Manager, never in source control, never in container images.

Do you run security testing and audits?

Yes. Every code change goes through peer review and automated checks: dependency vulnerability scanning, secret detection, and an AI security-reviewer gate. We commission third-party penetration tests before major product releases, and continuously monitor production for anomalous behaviour.

What happens if there is a security incident?

We follow a documented incident response runbook. Confirmed incidents that affect customer data trigger notification to the affected customer's primary contact within 72 hours, in line with GDPR and FADP timelines, with regular updates until resolution.

Can I sign a Data Processing Addendum (DPA) with you?

Yes. We sign DPAs as part of every enterprise contract, including Standard Contractual Clauses and FADP transfer language where relevant. A copy of our standard DPA is available on request from contact@quanthome.com.

Security contact

Have a security question, want our standard DPA, need to request a sub-processor list, or have a vulnerability to report? Write to us directly; we triage every message within one business day.

Security and trust: contact@quanthome.com

Postal address:
Quanthome SA
Avenue Mon-Repos 24
1005 Lausanne, Switzerland

Responsible disclosure

We do not currently operate a bug bounty programme, but we welcome good-faith research. Please give us reasonable time to investigate and fix before public disclosure, and never access or modify data that is not your own.

Talk to our team about your due diligence

We are happy to walk a risk officer or CISO through our controls, share evidence, and answer the questions on your standard vendor questionnaire.