Scope
This policy applies to systems and platforms operated by Quantum Wave Solutions (QWS), including our public website (quantumwave.com.au), support portal, and customer-deployed Sovereign and Enterprise platforms. Customer-managed deployments of QWS-built software remain subject to the customer's own controls, supplemented by the practices described here.
Hosting & Infrastructure
Production workloads for QWS-operated platforms are hosted on Micron21 mCloud, which is Australian-owned, Tier IV, IRAP-assessed data centre infrastructure with facilities in Australia. We do not host customer production data in shared multinational cloud tenancies without explicit, documented authorisation from the customer.
Backups are encrypted, stored in Amazon Web Services Australian regions (ap-southeast-2), and retained according to each engagement's retention requirements.
Encryption
- Data in transit is protected by TLS 1.2 or higher with modern cipher suites.
- Data at rest is encrypted using AES-256-GCM where the underlying platform supports it — including database storage, object storage and backups.
- Secrets and credentials are stored in encrypted secret stores or environment-scoped key vaults — never in source control.
People & Clearances
QWS is Australian-owned and operated. All engineering, support and operations work is performed by Australian-based personnel. Where engagements require it, our team holds Australian Government Security Vetting Agency clearances at the level appropriate to the work (NV2 / PV available where required).
Secure Development
- All software is custom-built and held under QWS source control. Customers receive full source where contractually required.
- We do not embed third-party telemetry, analytics beacons or "phone-home" services in delivered platforms unless explicitly disclosed and authorised by the customer.
- Dependencies are pinned and tracked for known vulnerabilities. Security-relevant patches are applied through a documented change-management process.
- Code changes are version-controlled, tested, and audited prior to deployment to production.
Access Control
- Access to production systems follows least-privilege principles.
- Administrative access requires multi-factor authentication.
- Authentication and access events are logged.
- Personnel access is revoked promptly on role change or departure.
Data Residency
All production data and backups for QWS-operated systems are held within Australian data centres. We do not transfer customer data offshore without explicit, written authorisation.
Incident Response
We maintain an incident response process covering detection, containment, remediation and notification. In the event of a security incident affecting customer data, QWS will:
- Take immediate action to contain and remediate.
- Notify affected customers without undue delay.
- Comply with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth) where applicable, including notification to the Office of the Australian Information Commissioner within statutory timelines.
Sub-processors
QWS uses a deliberately small set of sub-processors. The current list is:
- Micron21 Pty Ltd — Australian-based production hosting (Tier IV, IRAP-assessed).
- Amazon Web Services — encrypted backup storage, restricted to Australian regions.
- Microsoft 365 — corporate email and document infrastructure.
Additional sub-processors required for specific engagements are disclosed and agreed with the customer prior to use.
Reporting a Security Concern
If you have identified a security vulnerability in any QWS-operated system, please refer to our Vulnerability Disclosure Policy for how to report it safely.
For all other security questions, contact us at connect@quantumwave.com.au.
This policy is reviewed at least annually and may be updated to reflect changes in our infrastructure, processes, or applicable law. The most current version is always available at quantumwave.com.au/security-policy.