Trust center
ATC Quest is the only enterprise LMS where data residency is a property of the architecture, not a contract clause. Below: the controls, the certifications, and the incident process.
Security pillars
Deployment isolation
On-premise, private-cloud, hybrid, or air-gapped — your call. Workforce data never crosses a vendor boundary unless you explicitly want a hybrid configuration.
TLS 1.2+ in transit (HSTS preload eligible). AES-256 at rest. Argon2id password hashing (bcrypt fallback). End-to-end signed audit reports.
SAML 2.0 / OIDC SSO with major IdPs (Azure AD, Okta, Google Workspace, Auth0). MFA enforceable per-tenant. SCIM 2.0 user lifecycle.
Each completion, assessment and audit entry is cryptographically signed with the deployment certificate. Entries are linked in a hash chain, so auditors can independently verify that records were not altered after the fact.
Quarterly third-party penetration testing. Annual code audit. Continuous SAST / DAST in CI. Public vulnerability disclosure program.
On-premise deployment means data never leaves your network. We do not train external AI models on customer content. Analytics are cohort-level by default; individual-level data is exposed only under an explicit access policy.
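The tamper-evident records pillar above describes entries that are individually signed and linked in a hash chain. The following is an added example, not ATC Quest's code, showing how such a chain is built and verified, and why a signed report that commits to the chain head is also needed (a chain alone does not reveal that trailing entries were deleted). It uses HMAC-SHA256 with a constructed key as a stand-in for the deployment certificate's asymmetric signature, and the entries, learner ids and timestamps are constructed sample data.

```python
"""Hash-chained, signed audit log: append, verify, and detect tampering.

Added illustration; not ATC Quest code. HMAC-SHA256 stands in for the
deployment-certificate signature so the example runs on the standard
library alone. A real deployment would sign with the certificate's
private key so auditors can verify with the public certificate only.
"""
import hashlib
import hmac
import json

# Constructed stand-in for the deployment certificate's signing key.
DEPLOYMENT_KEY = b"constructed-deployment-key-not-real"
GENESIS = "0" * 64  # prev-hash value of the first entry
META_KEYS = ("prev", "hash", "sig")


def _canonical(body, prev_hash):
    # Deterministic encoding: every verifier must hash exactly the same bytes.
    doc = {"prev": prev_hash, **body}
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def _sign(message, key):
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def append_entry(chain, body, key=DEPLOYMENT_KEY):
    """Append one record, linking it to the previous entry's hash and signing it."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry_hash = hashlib.sha256(_canonical(body, prev_hash)).hexdigest()
    entry = {**body, "prev": prev_hash, "hash": entry_hash,
             "sig": _sign(entry_hash.encode(), key)}
    chain.append(entry)
    return entry


def verify_chain(chain, key=DEPLOYMENT_KEY):
    """Return (ok, index_of_first_bad_entry); index is None when the chain is clean."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k not in META_KEYS}
        if entry["prev"] != prev_hash:
            return False, i  # link to the previous record is broken
        expected_hash = hashlib.sha256(_canonical(body, prev_hash)).hexdigest()
        if not hmac.compare_digest(expected_hash, entry["hash"]):
            return False, i  # record content changed after it was written
        if not hmac.compare_digest(_sign(expected_hash.encode(), key), entry["sig"]):
            return False, i  # hash was recomputed but not signed by the deployment key
        prev_hash = entry["hash"]
    return True, None


def sign_report(chain, key=DEPLOYMENT_KEY):
    """Signed commitment to the chain head and length, as an exported audit report would carry."""
    head = chain[-1]["hash"] if chain else GENESIS
    return {"count": len(chain), "head": head,
            "sig": _sign(f"{len(chain)}:{head}".encode(), key)}


def verify_report(chain, report, key=DEPLOYMENT_KEY):
    """Chain must verify AND match the signed head/count, which catches truncation."""
    ok, _ = verify_chain(chain, key)
    head = chain[-1]["hash"] if chain else GENESIS
    expected_sig = _sign(f"{report['count']}:{report['head']}".encode(), key)
    return (ok and len(chain) == report["count"] and head == report["head"]
            and hmac.compare_digest(expected_sig, report["sig"]))


def build_sample_chain():
    """Constructed sample records (not real learner data)."""
    chain = []
    append_entry(chain, {"type": "completion", "learner": "u-1001",
                         "course": "fire-safety", "ts": "2025-01-10T09:00:00Z"})
    append_entry(chain, {"type": "assessment", "learner": "u-1001",
                         "course": "fire-safety", "score": 78, "ts": "2025-01-10T09:40:00Z"})
    append_entry(chain, {"type": "audit", "actor": "admin-7",
                         "action": "export", "ts": "2025-01-11T12:00:00Z"})
    return chain


def tampered_chain():
    """Same records, but an assessment score edited after the fact."""
    chain = build_sample_chain()
    chain[1]["score"] = 95
    return chain


if __name__ == "__main__":
    print("clean chain:", verify_chain(build_sample_chain()))
    print("edited score:", verify_chain(tampered_chain()))
    full = build_sample_chain()
    report = sign_report(full)
    full.pop()  # drop the last record: chain still verifies, report does not
    print("truncated, chain only:", verify_chain(full)[0], "with report:", verify_report(full, report))
```

The verifier recomputes each entry's hash from its content and the previous hash, so editing any field or reordering entries breaks the chain at the first affected index. Deleting records from the end leaves a valid shorter chain, which is why the signed report also commits to the head hash and entry count; checking that a verifier holds the correct public certificate (rather than trusting a key shipped alongside the log) is the remaining trust anchor.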
Compliance
| Framework | Status |
|---|---|
| DPDPA 2023 | Compliant by design. Grievance officer designation supported. |
| HIPAA | On-prem deployment ensures PHI never leaves your network. BAA available. |
| GDPR | SCCs for EU/UK transfers when applicable. Data subject rights handled in-platform. |
| ISO 27001 | Aligned. Certification track in progress (target 2027). |
| SOC 2 Type II | In progress (target 2026 H2). Type I available for review. |
| NABH | Learning record format aligned for healthcare deployments. |
| RBI cyber framework | Workforce data localisation by default for India BFS deployments. |
| IATF 16949 / ISO 9001 / 14001 / 45001 | Audit-ready training evidence for manufacturing customers. |
Detailed evidence packs (SOC 2 Type I report, pen test summary, encryption documentation, sub-processor list) available under NDA on request.
Incident response
Detection
Continuous monitoring (24/7) on production deployments. Customer-side incident reporting via [email protected].
Triage
Within 1 hour of report acknowledgement. Severity classification per industry standard (P0–P4).
Containment
Immediate isolation of affected component; rollback to last-known-good state if applicable.
Notification
Customer notification within 72 hours of confirmed personal-data breach (DPDPA / GDPR aligned).
Post-mortem
Root-cause analysis + remediation plan delivered within 14 days; corrective actions tracked to closure.
Vulnerability disclosure
We honour responsible disclosure. Email [email protected] with details. We acknowledge within 24 hours, triage within 72 hours, and credit researchers in our security advisories (with permission). For sensitive disclosures, our PGP key fingerprint is published at /.well-known/security.txt.
Available under NDA: a 30-minute security review with our team to walk through the architecture and controls.