QuantQuest

Data Protection Policy

Last updated: April 20, 2026

Our Commitment to Data Protection

At QuantQuest, we understand that financial data is highly sensitive. We are committed to protecting your data with the highest standards of security and privacy, exceeding industry requirements and regulatory standards in Singapore.

Enterprise Security

Bank-level encryption and security protocols

PDPA Compliant

Full compliance with Singapore data protection laws

Privacy by Design

Data protection built into every feature

1. Data Protection Principles

We adhere to the following core principles in handling your data:

  • Consent: We only collect data with explicit consent
  • Purpose Limitation: Data is used only for stated purposes
  • Notification: Clear communication about data collection and use
  • Access and Correction: You can access and update your data anytime
  • Accuracy: We ensure data is accurate and up-to-date
  • Protection: Robust security measures protect all data
  • Retention Limitation: Data is kept only as long as necessary
  • Transfer Limitation: Strict controls on data transfers

2. Technical Security Measures

Infrastructure Security

  • AWS cloud infrastructure with multiple availability zones
  • Regular security patches and updates
  • Network isolation and firewall protection
  • DDoS protection and intrusion detection systems
  • Regular penetration testing by certified professionals

Data Encryption

  • AES-256 encryption for data at rest in managed databases
  • TLS 1.2 / 1.3 encryption for all data in transit
  • Encrypted database connections
  • Field-level encryption for selected sensitive identifiers at rest
  • Provider-managed key management with hardware-backed key storage

Access Controls

  • Multi-factor authentication (MFA) required
  • Role-based access control (RBAC)
  • Session management and automatic timeouts
  • IP whitelisting options for enterprise accounts
  • Comprehensive audit logs of all data access

3. Organizational Measures

  • Dedicated Data Protection Officer (DPO)
  • Regular employee training on data protection
  • Strict confidentiality agreements for all staff
  • Background checks for employees handling sensitive data
  • Clean desk policy and secure disposal procedures
  • Incident response team available 24/7

4. Data Processing Activities

Financial Planning Data

Data Types:

  • Income and expense records
  • Asset and liability information
  • Investment portfolios
  • CPF account details

Protection Measures:

  • Encrypted storage
  • Access logging
  • Regular backups
  • Anonymization for analytics

Client Communication Data

Data Types:

  • Email communications
  • Meeting notes
  • Document uploads
  • Collaboration history

Protection Measures:

  • Secure messaging
  • Version control
  • Retention policies
  • Secure file sharing

Public Hub Profile Data

Data Types:

  • Adviser name, title, bio, photo
  • Professional credentials and certifications
  • MAS registration details
  • Testimonial content and submitter names
  • Social media links and theme preferences

Protection Measures:

  • Public display controlled by adviser toggles
  • Adviser-approved content only
  • Deletion within 90 days of profile deactivation
  • Testimonial removal upon consent withdrawal

Lead Generation Data

Data Types:

  • Name and contact information
  • WhatsApp number
  • Quiz responses and personality results
  • Submission timestamps

Protection Measures:

  • OTP verification for submissions
  • Encrypted storage
  • 24-month retention limit
  • Consent withdrawal mechanism
  • Access restricted to assigned adviser only

AI Copilot Data

Data Types:

  • Conversation messages and AI-generated responses
  • Client financial context used for AI analysis (insurance policies, net worth, cashflow, CPF data)
  • Uploaded insurance documents processed via OCR
  • Session metadata and feedback ratings

Protection Measures:

  • Automated identifier-masking before AI processing (NRIC/FIN with checksum validation, Singapore mobile numbers, email addresses, bank account numbers, and 6-digit postal codes). Masking is privacy-protective but does not constitute anonymisation; some personal data may remain in transmitted content. Coverage is continuously expanded based on evaluation results.
  • Encrypted transmission (TLS 1.3)
  • No data used for AI model training
  • Per-adviser data isolation (tenancy enforcement)
  • Conversation deletion available to advisers at any time
  • Persistent AI-generated content disclaimers on all outputs
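The identifier-masking step described in the first bullet above, as an added example that is not QuantQuest's own code: a small Python masker covering NRIC/FIN with the standard check-letter validation, Singapore mobile numbers, email addresses and six-digit postal codes. The check-letter tables, the placeholder tokens and the sample message are assumptions; bank account numbers are left out.

```python
import re

# Check-letter tables and weights for Singapore NRIC/FIN numbers (the
# publicly documented algorithm; assumed here, not QuantQuest's own code).
_WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
_CHECK = {"S": "JZIHGFEDCBA", "T": "JZIHGFEDCBA",
          "F": "XWUTRQPNMLK", "G": "XWUTRQPNMLK"}
_OFFSET = {"S": 0, "T": 4, "F": 0, "G": 4}


def nric_checksum_ok(value):
    """True only if the 9-character NRIC/FIN carries a valid check letter."""
    value = value.upper()
    if not re.fullmatch(r"[STFG]\d{7}[A-Z]", value):
        return False
    prefix, digits, check = value[0], value[1:8], value[8]
    total = _OFFSET[prefix] + sum(w * int(d) for w, d in zip(_WEIGHTS, digits))
    return _CHECK[prefix][total % 11] == check


# Patterns are applied in this order; placeholders contain no digits, so the
# narrower postal-code rule cannot re-match an already masked mobile number.
_PATTERNS = [
    ("NRIC", re.compile(r"\b[STFGstfg]\d{7}[A-Za-z]\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("MOBILE", re.compile(r"(?<!\d)(?:\+65[ -]?)?[689]\d{3}[ -]?\d{4}(?!\d)")),
    ("POSTAL", re.compile(r"(?<!\d)\d{6}(?!\d)")),
]


def mask_identifiers(text):
    """Replace matched identifiers with placeholders; return (text, counts)."""
    counts = {name: 0 for name, _ in _PATTERNS}

    def substitute(name):
        def _sub(match):
            token = match.group(0)
            # NRIC-shaped strings with a bad check letter are left untouched:
            # the checksum step cuts false positives such as product codes.
            if name == "NRIC" and not nric_checksum_ok(token):
                return token
            counts[name] += 1
            return f"[{name}]"
        return _sub

    for name, pattern in _PATTERNS:
        text = pattern.sub(substitute(name), text)
    return text, counts


# Constructed sample message; every identifier in it is made up.
SAMPLE = ("Client S1234567D (mobile 9123 4567, jane.tan@example.com) "
          "at postal 238823; code S1234567A is not a valid NRIC.")
```

The trailing clause of the sample shows the checksum rule leaving an NRIC-shaped string alone; the masker is pattern-based, so anything outside its patterns passes through, which is why the policy treats masking as privacy-protective rather than as anonymisation.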

Knowledge Pack Data

Data Types:

  • Adviser-uploaded product reference documents (insurer brochures, product summaries, adviser notes)
  • OCR-extracted text and structured data from those documents
  • Per-adviser scoped product shelf metadata

Protection Measures:

  • Strict per-adviser isolation (database-level ownership filter on every read)
  • Personalisation classifier rejects documents flagged as containing client-specific data at upload
  • PII scrubbing applied to uploaded text as an additional layer
  • SHA-256 audit hash per Knowledge Pack entry stored with each AI response that referenced it
  • Adviser may delete entries at any time; deletion removes the entry from future AI access

5. Data Subject Rights

Under Singapore's PDPA and our commitment to data protection, you have the following rights:

Right to Access

Request a copy of all personal data we hold about you

Right to Rectification

Correct any inaccurate or incomplete personal data

Right to Erasure

Request deletion of your data (subject to legal requirements)

Right to Data Portability

Receive your data in a structured, machine-readable format

Right to Object

Object to specific processing of your personal data

6. Data Breach Response

In the unlikely event of a data breach, we have comprehensive procedures in place:

  1. Immediate containment: Isolate affected systems within 1 hour
  2. Assessment: Determine scope and impact within 24 hours
  3. Notification: Notify the PDPC as soon as practicable and in any case within 3 calendar days of completing assessment of notifiability under PDPA Part 6A. Where the breach is likely to cause significant harm to affected individuals, notify those individuals as soon as practicable.
  4. Remediation: Implement fixes and prevent recurrence
  5. Review: Conduct post-incident analysis and improvements

7. Third-Party Data Processors

We carefully select third-party processors who meet our security standards. Current processors:

  • Cloud infrastructure provider — Application hosting and database services (Singapore region, SOC 2 Type II and ISO 27001 certified)
  • Stripe — Payment processing (PCI-DSS compliant)
  • Transactional email provider — Account notifications and service communications
  • Twilio — OTP verification and WhatsApp messaging
  • AI/LLM service provider — Powers the AI Copilot for client data analysis, insurance document extraction, and engagement management. Data is transmitted after automated PII scrubbing. Bound by our data minimisation procedures and the provider's API terms of service, including data minimisation requirements and prompt deletion after processing. For full details, refer to the AI Copilot Terms of Use.

All third parties are bound by data processing agreements and may process personal data only to provide their services; they are prohibited from using customer data for their own purposes.

Details of current sub-processors, including specific provider names, jurisdictions of processing, and applicable certifications, are available to financial-adviser firms under NDA on request. We will notify you of material changes to our sub-processors that handle Client Data.

8. Compliance and Certifications

Hosting & Certifications

  • Hosted in Singapore on SOC 2 Type II and ISO 27001-certified infrastructure. Certifications belong to our hosting providers.
  • QuantQuest itself is not yet independently SOC 2 or ISO certified.

Security Controls

  • Bank-grade encryption with TLS 1.2/1.3 in transit and AES-256 at rest for managed databases.
  • DDoS protection at the edge via our hosting providers.
  • Privacy by design with authenticated access, PDPA consent and audit trails, plus MFA via authenticator apps.

9. Contact Our Data Protection Team

For any questions about data protection or to exercise your rights:

Data Protection Officer

Sybil Pte Ltd

Operating as: QuantQuest

Email: dpo@quantquest.sg

Response time: Within 48 hours