QuantQuest

Data Protection Policy

Last updated: August 5, 2025

Our Commitment to Data Protection

At QuantQuest, we understand that financial data is highly sensitive. We are committed to protecting your data with the highest standards of security and privacy, exceeding industry requirements and regulatory standards in Singapore.

Enterprise Security

Bank-level encryption and security protocols

PDPA Compliant

Full compliance with Singapore data protection laws

Privacy by Design

Data protection built into every feature

1. Data Protection Principles

We adhere to the following core principles in handling your data:

  • Consent: We only collect data with explicit consent
  • Purpose Limitation: Data is used only for stated purposes
  • Notification: Clear communication about data collection and use
  • Access and Correction: You can access and update your data anytime
  • Accuracy: We ensure data is accurate and up-to-date
  • Protection: Robust security measures protect all data
  • Retention Limitation: Data is kept only as long as necessary
  • Transfer Limitation: Strict controls on data transfers

2. Technical Security Measures

Infrastructure Security

  • AWS cloud infrastructure with multiple availability zones
  • Regular security patches and updates
  • Network isolation and firewall protection
  • DDoS protection and intrusion detection systems
  • Regular penetration testing by certified professionals

Data Encryption

  • 256-bit AES encryption for data at rest
  • TLS 1.3 encryption for data in transit
  • Encrypted database connections
  • Secure key management with HSM (Hardware Security Modules)
  • End-to-end encryption for sensitive financial data

Access Controls

  • Multi-factor authentication (MFA) required
  • Role-based access control (RBAC)
  • Session management and automatic timeouts
  • IP whitelisting options for enterprise accounts
  • Comprehensive audit logs of all data access

3. Organizational Measures

  • Dedicated Data Protection Officer (DPO)
  • Regular employee training on data protection
  • Strict confidentiality agreements for all staff
  • Background checks for employees handling sensitive data
  • Clean desk policy and secure disposal procedures
  • Incident response team available 24/7

4. Data Processing Activities

Financial Planning Data

Data Types:

  • Income and expense records
  • Asset and liability information
  • Investment portfolios
  • CPF account details

Protection Measures:

  • Encrypted storage
  • Access logging
  • Regular backups
  • Anonymization for analytics

Client Communication Data

Data Types:

  • Email communications
  • Meeting notes
  • Document uploads
  • Collaboration history

Protection Measures:

  • Secure messaging
  • Version control
  • Retention policies
  • Secure file sharing

5. Data Subject Rights

Under Singapore's PDPA and our commitment to data protection, you have the following rights:

Right to Access

Request a copy of all personal data we hold about you

Right to Rectification

Correct any inaccurate or incomplete personal data

Right to Erasure

Request deletion of your data (subject to legal requirements)

Right to Data Portability

Receive your data in a structured, machine-readable format

Right to Object

Object to specific processing of your personal data

6. Data Breach Response

In the unlikely event of a data breach, we have comprehensive procedures in place:

  1. Immediate containment: Isolate affected systems within 1 hour
  2. Assessment: Determine scope and impact within 24 hours
  3. Notification: Inform affected users within 72 hours
  4. PDPC reporting: Notify authorities as required by law
  5. Remediation: Implement fixes and prevent recurrence
  6. Review: Conduct post-incident analysis and improvements

7. Third-Party Data Processors

We carefully select third-party processors who meet our security standards. Current processors:

  • Render.com - Application hosting and platform-native logs/metrics (uses underlying cloud providers such as AWS; Sybil's contract/DPA is with Render; AWS is Render's sub-processor)
  • Stripe - Payment processing (PCI-DSS compliant)
  • SendGrid - Transactional email

All third parties are bound by data processing agreements/vendor terms and may process personal data only to provide their services; they are prohibited from using customer data for their own purposes.

8. Compliance and Certifications

Hosting & Certifications

  • Hosted in Singapore on SOC 2 Type II and ISO 27001-certified infrastructure (Vercel and Render). Certifications belong to our hosting providers.
  • Certifications apply to Vercel, Render, and AWS; QuantQuest itself is not yet SOC 2 or ISO certified.

Security Controls

  • Bank-grade encryption with TLS 1.2/1.3 in transit and AES-256 at rest for managed databases.
  • DDoS protection at the edge via Cloudflare (through Render) and Vercel edge defenses for the frontend.
  • Privacy by design with authenticated access, PDPA consent and audit trails, plus MFA via authenticator apps.

9. Contact Our Data Protection Team

For any questions about data protection or to exercise your rights:

Data Protection Officer

Sybil Pte Ltd

Operating as: QuantQuest

Email: dpo@quantquest.sg

Response time: Within 48 hours