Data Protection Policy
Last updated: February 11, 2026
Our Commitment to Data Protection
At QuantQuest, we understand that financial data is highly sensitive. We are committed to protecting your data with the highest standards of security and privacy, exceeding industry requirements and regulatory standards in Singapore.
Enterprise Security
Bank-level encryption and security protocols
PDPA Compliant
Full compliance with Singapore data protection laws
Privacy by Design
Data protection built into every feature
1. Data Protection Principles
We adhere to the following core principles in handling your data:
- Consent: We only collect data with explicit consent
- Purpose Limitation: Data is used only for stated purposes
- Notification: Clear communication about data collection and use
- Access and Correction: You can access and update your data anytime
- Accuracy: We ensure data is accurate and up-to-date
- Protection: Robust security measures protect all data
- Retention Limitation: Data is kept only as long as necessary
- Transfer Limitation: Strict controls on data transfers
2. Technical Security Measures
Infrastructure Security
- AWS cloud infrastructure with multiple availability zones
- Regular security patches and updates
- Network isolation and firewall protection
- DDoS protection and intrusion detection systems
- Regular penetration testing by certified professionals
Data Encryption
- 256-bit AES encryption for data at rest
- TLS 1.3 encryption for data in transit
- Encrypted database connections
- Secure key management with HSM (Hardware Security Modules)
- End-to-end encryption for sensitive financial data
Access Controls
- Multi-factor authentication (MFA) required
- Role-based access control (RBAC)
- Session management and automatic timeouts
- IP whitelisting options for enterprise accounts
- Comprehensive audit logs of all data access
3. Organizational Measures
- Dedicated Data Protection Officer (DPO)
- Regular employee training on data protection
- Strict confidentiality agreements for all staff
- Background checks for employees handling sensitive data
- Clean desk policy and secure disposal procedures
- Incident response team available 24/7
4. Data Processing Activities
Financial Planning Data
Data Types:
- Income and expense records
- Asset and liability information
- Investment portfolios
- CPF account details
Protection Measures:
- Encrypted storage
- Access logging
- Regular backups
- Anonymization for analytics
Client Communication Data
Data Types:
- Email communications
- Meeting notes
- Document uploads
- Collaboration history
Protection Measures:
- Secure messaging
- Version control
- Retention policies
- Secure file sharing
Public Hub Profile Data
Data Types:
- Adviser name, title, bio, photo
- Professional credentials and certifications
- MAS registration details
- Testimonial content and submitter names
- Social media links and theme preferences
Protection Measures:
- Public display controlled by adviser toggles
- Adviser-approved content only
- Deletion within 90 days of profile deactivation
- Testimonial removal upon consent withdrawal
Lead Generation Data
Data Types:
- Name and contact information
- WhatsApp number
- Quiz responses and personality results
- Submission timestamps
Protection Measures:
- OTP verification for submissions
- Encrypted storage
- 24-month retention limit
- Consent withdrawal mechanism
- Access restricted to assigned adviser only
5. Data Subject Rights
Under Singapore's PDPA and our commitment to data protection, you have the following rights:
Right to Access
Request a copy of all personal data we hold about you
Right to Rectification
Correct any inaccurate or incomplete personal data
Right to Erasure
Request deletion of your data (subject to legal requirements)
Right to Data Portability
Receive your data in a structured, machine-readable format
Right to Object
Object to specific processing of your personal data
6. Data Breach Response
In the unlikely event of a data breach, we have comprehensive procedures in place:
- Immediate containment: Isolate affected systems within 1 hour
- Assessment: Determine scope and impact within 24 hours
- Notification: Notify affected individuals and the PDPC within 3 calendar days of confirming a notifiable breach, in accordance with PDPA Part 6A
- Remediation: Implement fixes and prevent recurrence
- Review: Conduct post-incident analysis and improvements
7. Third-Party Data Processors
We carefully select third-party processors who meet our security standards. Current processors:
- Cloud infrastructure provider — Application hosting and database services (Singapore region, SOC 2 Type II and ISO 27001 certified)
- Stripe — Payment processing (PCI-DSS compliant)
- Transactional email provider — Account notifications and service communications
- Twilio — OTP verification and WhatsApp messaging
- AI service providers — AI-assisted content generation (bound by no-training clauses and data minimisation requirements)
All third parties are bound by data processing agreements and may process personal data only to provide their services; they are prohibited from using customer data for their own purposes.
8. Compliance and Certifications
Hosting & Certifications
- Hosted in Singapore on SOC 2 Type II and ISO 27001-certified infrastructure. Certifications belong to our hosting providers.
- QuantQuest itself is not yet independently SOC 2 or ISO certified.
Security Controls
- Bank-grade encryption with TLS 1.2/1.3 in transit and AES-256 at rest for managed databases.
- DDoS protection at the edge via our hosting providers.
- Privacy by design with authenticated access, PDPA consent and audit trails, plus MFA via authenticator apps.
9. Contact Our Data Protection Team
For any questions about data protection or to exercise your rights:
Data Protection Officer
Sybil Pte Ltd
Operating as: QuantQuest
Email: dpo@quantquest.sg
Response time: Within 48 hours