Qapitol QA

For the CISO

Every question you have about Qapitol — answered plainly.

You've been asked to evaluate or approve a Qapitol engagement. Before your InfoSec team spends three weeks on a vendor questionnaire, here are the answers to the questions that actually matter.

Key figures at a glance:

  • 12 — CISO questions answered plainly
  • 1,400+ — Regulatory obligations covered
  • 4 hours — P1 incident notification SLA
  • 30 days — Data deletion guarantee
  • 2 weeks — Sandbox PoC duration

Data & Privacy

Answers to data and privacy questions.

  • Does Qapitol have access to our production data? — Only the data you explicitly provide for evaluation or compliance testing. Strict data minimization. Production data processed under signed DPA, encrypted in transit/at rest, deleted within 30 days. VPC deployment option allows data to remain in customer's cloud account entirely.
  • Where does our data sit? — Default: AWS ap-south-1 (Mumbai). No cross-region transfer unless explicitly configured. VPC deployment available in customer cloud accounts. On-premise deployment available for air-gapped environments (Defence, Government, regulated BFSI).
  • Do you train your models on our data? — No. Qapitol does not use client data to train, fine-tune, or improve any model, whether Qapitol's own or a third party's. This is not a policy statement that might change — it is contractually guaranteed in our MSA.

Vendor Security Posture

Answers to vendor security posture questions.

  • Are you ISO 27001 or SOC 2 certified? — ISO 27001:2022 certified for all platform services and managed delivery. SOC 2 Type II audit in progress (target Q3 2026). Current SOC 2 bridge letter available. Annual third-party VAPT conducted; executive summary available under NDA.
  • What happens if you have a security incident? — We notify affected clients within 4 hours of confirming a P1 incident — not after we've fully resolved it. Resolution targets: 24 hours (critical), 72 hours (high). Written root cause analysis provided within 5 business days.
  • Can we do a penetration test on your platform? — Yes. Enterprise clients may conduct their own VAPT against Qapitol's hosted environments under a coordinated disclosure agreement. Test environment, IP ranges, and designated security contact provided. Turnaround: 5 business days to arrange.

AI-Specific Risk

Answers to AI-specific risk questions.

  • Who is liable if your compliance check misses a regulatory violation? — MSA includes indemnification clause for direct losses from platform errors within documented scope. Human review layer maintained for final regulatory decisions. Covers 1,400+ regulatory obligations; anything outside documented scope is flagged.
  • How do we audit your AI's decisions? — Every check produces immutable audit logs with full reasoning. Policy Reasoning Traces show regulatory clause applied, model used, confidence threshold, and classification rationale. Exportable as JSON, CSV, PDF for submission and GRC tool integration (ServiceNow, Splunk, SIEM).
  • What are the failure modes if your AI gets it wrong? — Outputs below a configurable confidence threshold are flagged for human review — they are never silently passed as compliant. Threshold customer-configurable per risk appetite. QAVE includes adversarial and edge-case testing. Known limitations published in product documentation.

Integration & Access

Answers to integration and access questions.

  • How does your access control work? Can we use our existing IdP? — SSO via SAML 2.0 and OIDC (compatible with Okta, Azure AD, Ping Identity, Google Workspace). Granular RBAC configurable per platform. MFA enforced. Staff access is JIT, individually logged, quarterly reviewed. No standing privileged access.
  • Can we run a PoC in a sandbox before touching production? — Yes — and we recommend it. Standard enterprise onboarding starts with a 2-week sandbox PoC using synthetic or anonymised data. Dedicated sandbox environment, test data templates, named technical contact provided. Fully isolated from production infrastructure.
  • What is your vendor exit / data deletion process? — On contract termination, all client data is purged within 30 days. We provide a written confirmation of deletion, listing what was deleted and from which systems. Exports of configuration, audit logs, compliance evidence, and Policy Reasoning Traces provided pre-deletion in standard formats. No data lock-in.

What You Hand Over

Trust summary — what the client provides.

  • Anonymised or synthetic test data (recommended default)
  • Production data only if required, under signed DPA
  • System integration credentials (scoped access)
  • Regulatory scope and policy documents
  • Access to sandbox/staging environment for PoC

What Qapitol Guarantees

Trust summary — Qapitol's guarantees.

  • No model training on client data, contractually bound
  • Data deleted within 30 days with written confirmation
  • 4-hour P1 security incident notification SLA
  • JIT-only staff access, logged and quarterly reviewed
  • Immutable, exportable audit logs in standard formats
  • VPC deployment option with zero data egress
  • ISO 27001:2022 certification across platform services
  • Full data/config export pre-contract end, no lock-in

Three Paths Forward

Engagement options for security evaluation.

  • Path 1: Vendor Due Diligence — Request VSQ Pack. Includes pre-completed VSQ, CAIQ, enterprise InfoSec questionnaires, one-page security summary, SOC 2 bridge letter, VAPT executive summary. Signed NDA required. Turnaround: 2 business days.
  • Path 2: Platform Validation — Request Sandbox PoC. 2-week sandbox PoC. InfoSec and technical teams work in parallel. No production data required. Synthetic data templates and dedicated technical contact provided.
  • Path 3: Direct Security Discussion — [email protected] / Book a Security Call. Direct engagement with named security engineer or CISO/Head of Security.

Next step

Request Sandbox PoC →

Talk to the team — response within one business day.