Trust Center
Security & compliance at Qontiv
Qontiv is built for manufacturers in regulated industries. One page for procurement, legal, and security teams.
Questions or vendor security questionnaires: security@qontiv.com
Certifications
- SOC 2 Type II: On roadmap
- ISO/IEC 27001:2022: On roadmap
- ISO/IEC 42001:2023 (AI): On roadmap
Qontiv does not currently hold these certifications. Our compliance program — policies, Statement of Applicability drafts, and evidence collection — is in active development. We can walk procurement and security teams through the current state under NDA: security@qontiv.com.
Designed for compatibility with
- IATF 16949: Designed for
- AS9100 Rev D: Designed for
- ISO 13485 / FDA QMSR: Designed for
- 21 CFR Part 11: Designed for
- EU GMP Annex 11: Designed for
- EU AI Act (Reg. 2024/1689): Designed for
- EU Cyber Resilience Act: Designed for
Sub-processors
10 sub-processors across infrastructure, AI/ML, analytics, and payments. 30 days' advance notice of any addition or material change.
View full list →
Data Processing Agreement
Standard DPA covering GDPR Article 28, NIS2 Article 23 breach-notification SLAs, and EU AI Act Article 26 deployer/provider obligations.
Uptime & status
Current service status, historical uptime, and incident reports.
status.qontiv.com →
Vulnerability disclosure
Responsible disclosure policy per EU CRA Article 13 §5. Critical vulnerabilities acknowledged within 48 hours, patched within 7 days. PGP key available on request.
security@qontiv.com →
Compliance framework coverage
Qontiv is designed for compatibility with the frameworks below — Qontiv does not hold these certifications on your behalf. Your organization retains its own certification obligations.
125 controls mapped across 10 frameworks. Full catalog with per-control evidence and ownership boundaries available under NDA — request the full control catalog →
| Framework | Controls | Coverage | Applies to |
|---|---|---|---|
| SOC 2 (CC series) | 21 | Compatible | All customers |
| ISO/IEC 27001:2022 Annex A | 21 | Compatible | All customers |
| 21 CFR Part 11 | 14 | Partial | FDA-regulated manufacturers |
| EU GMP Annex 11 | 13 | Partial | EU pharmaceutical manufacturers |
| ISO/IEC 42001:2023 Annex B | 13 | Compatible | Customers using AI Copilot |
| ISO 13485:2016 | 12 | Compatible | Medical device manufacturers |
| EU AI Act (Reg. 2024/1689) | 10 | Compatible | EU customers using AI features |
| IATF 16949 | 8 | Compatible | Automotive manufacturers |
| EU Cyber Resilience Act | 8 | Compatible | EU market placement |
| AS9100 Rev D | 5 | Compatible | Aerospace manufacturers |
"Compatible" — Qontiv provides the technical controls, records, or evidence your organization needs to satisfy the framework requirement as part of your overall compliance program. "Partial" — shared responsibility: Qontiv provides tooling, your organization provides the process. Neither label asserts that Qontiv holds certification under the framework — your organization holds its own certification.
Security practices
Encryption
All data encrypted in transit (TLS 1.3) and at rest (AES-256). Row-level security enforced at the PostgreSQL layer — no shared row access between tenants.
Access control
Role-based access with 12 predefined roles covering ISA-95 operations pillars. MFA enforced for all privileged accounts. OAuth2/OIDC — no shared credentials.
Immutable audit trail
All regulated records are append-only at the database level. Electronic signatures immutably bound to record, user identity, timestamp, and declared meaning per 21 CFR Part 11 §11.50.
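The two database-level controls described above (tenant isolation through PostgreSQL row-level security, and append-only regulated records), shown as an added illustrative example; this is not Qontiv's schema, and the table, role and setting names are assumptions:

```sql
-- Added example, not Qontiv's code. Table, role and setting names are assumptions.
CREATE TABLE batch_record (
    id          bigserial   PRIMARY KEY,
    tenant_id   uuid        NOT NULL,
    recorded_by text        NOT NULL,
    recorded_at timestamptz NOT NULL DEFAULT now(),
    payload     jsonb       NOT NULL
);

-- The application connects only as this role; it can read and append, never modify.
CREATE ROLE app_service NOLOGIN;
GRANT SELECT, INSERT ON batch_record TO app_service;
GRANT USAGE, SELECT ON SEQUENCE batch_record_id_seq TO app_service;

-- Row-level security: every query is filtered by the tenant set for the transaction.
-- FORCE makes the policy apply to the table owner as well (superusers still bypass RLS).
-- If app.tenant_id is unset, current_setting() raises an error, so the check fails closed.
ALTER TABLE batch_record ENABLE ROW LEVEL SECURITY;
ALTER TABLE batch_record FORCE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON batch_record
    USING      (tenant_id = current_setting('app.tenant_id')::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id')::uuid);

-- Append-only, enforced independently of grants: any UPDATE/DELETE/TRUNCATE is rejected,
-- even from a role that was accidentally granted those privileges.
CREATE OR REPLACE FUNCTION reject_mutation() RETURNS trigger AS $$
BEGIN
    RAISE EXCEPTION 'batch_record is append-only: % not permitted', TG_OP;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER batch_record_append_only
    BEFORE UPDATE OR DELETE OR TRUNCATE ON batch_record
    FOR EACH STATEMENT EXECUTE FUNCTION reject_mutation();

-- Per-request usage. SET LOCAL is scoped to the transaction, so a pooled connection
-- cannot leak one tenant's context into the next request.
BEGIN;
SET LOCAL app.tenant_id = '00000000-0000-0000-0000-000000000001';  -- constructed value
INSERT INTO batch_record (tenant_id, recorded_by, payload)
    VALUES (current_setting('app.tenant_id')::uuid, 'operator@example.com',
            '{"step": "fill", "qty": 120}');
SELECT id, recorded_at FROM batch_record;  -- returns only this tenant's rows
COMMIT;

BEGIN;
SET LOCAL app.tenant_id = '00000000-0000-0000-0000-000000000001';
UPDATE batch_record SET payload = '{}';    -- ERROR: batch_record is append-only: UPDATE not permitted
ROLLBACK;
```

The trigger is statement-level, so it fires even when no rows match, and the failed UPDATE aborts its transaction; the application never needs a code path that rewrites history.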
Vulnerability management
Dependabot, CodeQL, and Trivy scan every PR and nightly. Patch SLAs: Critical ≤7 days, High ≤30 days, Medium ≤90 days. SBOM published per release per EU CRA Article 13.
Incident response
NIS2-aligned IRP with Article 23 cadence: 24-hour early warning, 72-hour notification, 1-month final report for affected EU customers.
AI governance
Every AI interaction producing a regulated record is logged immutably (prompt, model ID, template version, response, user). Human-override actions logged per EU AI Act Article 14.
Ready to see Qontiv in your environment?
A 30-minute walkthrough with your equipment and your data.