How we keep your account, your queries, and the platform itself safe — with explicit disclosure of what we have, what we're building, and what we don't yet claim.
Every request between you and Quintarthai is encrypted, nonced, and same-site-bound. The platform refuses to serve over HTTP, even on first visit.
Submitted to the Chrome HSTS preload list. Every browser that ships with the preload (Chrome, Firefox, Safari, Edge) refuses HTTP on quintarthai.com.
TLS 1.3 only. Modern cipher suites. Certificate via Let's Encrypt with 90-day auto-renewal.
'strict-dynamic' with per-request nonces. Blocks inline scripts that do not carry the request's nonce; scripts loaded by a nonced script inherit its trust. Violation reports go to /api/v1/csp-report.
Session cookies are HttpOnly · Secure · SameSite=Strict. JWT for API auth carried in Authorization: Bearer header. State-changing endpoints reject cross-origin requests.
All compute is Canadian-controlled. APIs require authentication. Secrets never leave the server. Monitoring catches anomalies before they become incidents.
Canadian-controlled VPS (Hostinger KVM, Boston-fronted edge). Quintessentia Network Inc. (Niagara Falls, ON) is the data controller under PIPEDA.
Every proprietary endpoint requires JWT auth. Rate-limited per user, per tier. Admin bypass requires explicit role flag.
Environment-variable-only. No secrets in source. Rotation documented. SSH keys not shared.
Observability hooks on every API path. Status page tracks 6 components. CSP reports + 4xx/5xx alerts flow to the on-call channel.
User queries are retained for 90 days for debugging, then aggregated. Broker data stays in your browser. No third-party tracking. No participation in LLM training programs.
Dual-language privacy notices (English + French). All processing under Canadian privacy law. Right to access, correct, and delete granted by default.
Any holdings imported via brokerage CSV remain in your browser's localStorage. Never uploaded. Never persisted on our servers.
We do not contribute user queries to model training programs. Our LLM providers (Cerebras, Groq) are configured to opt out of training on our traffic.
No Google Analytics. No Facebook Pixel. No ad-network PII sharing. First-party observability only.
Mercury hides their gaps in FAQ footnotes. We promote ours to the front. Most fintechs at our stage don't have SOC 2 either — we'd rather tell you up front than have you find out after.
Audit not yet completed. We meet most controls in practice (logging, access review, change management) but haven't been independently audited. This is standard timing for a fintech at our stage; we're aiming for completion by Q3.
We don't hold ISO 27001 certification, which some enterprise procurement processes require. We will start the path once SOC 2 lands. Roadmap target: 2027.
The database is encrypted at rest by the host filesystem (LUKS), but we don't manage the keys ourselves. Roadmap: customer-managed keys via Vault by end of 2026.
Why we publish this: Quintarthai's audience is sophisticated. You're going to ask us about SOC 2 anyway. We'd rather lead with the gaps than have to recover trust after you've found them. Mercury's security page hides the Evolve Bank deposit cap in their FAQ footnotes — we won't operate that way.
Email security@quintarthai.com. We acknowledge within 48 hours and aim to fix within 14 days for high-severity issues. No bug bounty yet — that's on the roadmap once we exit beta.
PGP key, expected response timelines, and our coordinated disclosure policy are at /legal/disclosures.html.
PIPEDA · GDPR · Quebec Law 25 compliant. Data stored in Canada. No third-party trackers. No LLM training on your data.
Service-as-information disclaimer · informational research only · not investment advice · institutional-grade source attribution.
Affiliate relationships · regulatory disclaimers · backtest assumptions · methodology transparency.
Quinn is powered by Claude (Anthropic) + Cerebras Llama. Citations always show source · no fabricated quotes · model and version visible on every response · zero LLM training on user data.