Qapitol QA

Security & Trust

Your data stays yours. Our security posture, fully documented.

Qapitol is purpose-built for regulated enterprises. Before you ask your InfoSec team to send us a 200-question VSQ, here's what we can tell you upfront.

  • 2 hours: Detection & internal triage SLA
  • 4 hours: P1 client notification SLA
  • 24h / 72h: Critical / High resolution SLA
  • 30 days: Data deletion window

Certifications & Compliance Status

Current certification and compliance posture.

  • ISO/IEC 27001:2022 — Certified — All Qapitol AI platform services and managed delivery operations
  • SOC 2 Type II — In Progress — Target completion Q3 2026
  • VAPT — Completed — Last conducted Q1 2026
  • GDPR & DPDP — Live — Data processing alignment for EU and India data subjects

Deployment Options

Three deployment models across SaaS, VPC, and on-premise.

  • SaaS — Qapitol Cloud: AWS ap-south-1 (Mumbai); AES-256 at rest, TLS 1.3 in transit; no data retained beyond session scope; SOC 2 controls applied
  • VPC Deployment: AWS, Azure, GCP supported; zero data egress guarantee; your security team controls access
  • On-Premise / Air-Gap: complete network isolation; Defence, Government, BFSI ready

Data Handling

AES-256 at rest, TLS 1.3 in transit, Mumbai AWS region, no cross-client data sharing, data deleted in 30 days, no model training on client data. Contractual guarantee: no-train policy is explicitly stated in our Master Services Agreement.

Incident Response SLAs

Documented SLAs across the incident lifecycle.

  • 2-hour SLA — Detection & Internal Triage
  • 4-hour SLA (P1) — Client Notification
  • 24h (Critical) / 72h (High) — Resolution
  • 5 business days — Post-Incident Review & RCA

Access Controls

Enterprise identity and access management controls.

  • SSO via SAML 2.0 / OIDC (Okta, Azure AD, Google Workspace, Ping Identity)
  • Role-Based Access Control (RBAC)
  • MFA Enforced
  • Just-in-Time Privileged Access
  • Annual Access Review
  • Immutable Audit Logs

Sub-Processors

Third-party sub-processors with signed DPAs.

  • AWS — Cloud infrastructure — ap-south-1 — DPA signed
  • Formspree — Web form capture — USA — DPA signed
  • Google Analytics — Analytics (opt-in) — USA — DPA signed
  • Anthropic — LLM evaluation (opt-in) — USA — DPA signed

Next step

Request VSQ Pack →

Talk to the team — response within one business day.