McCoy’s Quantum is built for enterprise, higher education, and institutional partners that require strong security controls, clear privacy guarantees, and a data-minimization approach. Our security program is designed to help organizations deploy Quantum with confidence—without creating unnecessary data risk.

Security

Security Principles

We design Quantum around five principles:

  1. Data minimization by default

    We collect and retain only what is needed to operate the platform and deliver agreed functionality.

  2. Customer control and tenant isolation

    Organizations maintain control over access, identity, and configuration, with strong separation between customers.

  3. Defense in depth

    Multiple layers of security controls across infrastructure, application, and operations reduce risk and single points of failure.

  4. Transparency and auditability

    Administrative actions and system activity are logged so customers can validate access and behavior.

  5. Continuous improvement

    Security is an ongoing process—monitored, reviewed, and improved as the product scales.

Cloud & Infrastructure Security (Google Cloud Platform)

Quantum runs on Google Cloud Platform (GCP), leveraging a modern cloud security foundation and managed services designed for high availability and secure operation.

Our infrastructure security approach includes:

  • Network protections: segmentation and firewalling, controlled ingress/egress paths, and DDoS-aware design patterns

  • Identity and access management: strict permissions and least-privilege access for services and administrators

  • Secure service configuration: hardened defaults, restricted administrative access, and controlled deployment pipelines

  • Monitoring and alerting: operational telemetry to detect availability issues, anomalous behavior, and abuse patterns

  • Backups & resilience: versioned backups and tested recovery procedures to support business continuity

Data Minimization & “No Unnecessary Personal Data” Approach

Many enterprise partners prefer an approach where the platform does not store personal or sensitive user data unless it is explicitly required.

Quantum supports this by enabling deployments that use:

  • Organization-managed identifiers (e.g., employee/student IDs or pseudonymous identifiers)

  • Minimal profile fields, configurable per organization

  • Optional learning analytics that can be aggregated and de-identified where appropriate

What we do not do

  • We do not sell or share personal data

  • We do not use customer data for behavioral advertising

  • We do not train models on customer-provided data without explicit agreement

  • We do not collect personal data simply because it might be “useful later”

If an organization requires a strict “no personal data stored” posture, we can align implementation and configuration to support that requirement.

Data Encryption & Protection

We protect data through encryption and access controls across its lifecycle.

  • Encryption in transit: TLS for network communication

  • Encryption at rest: encrypted storage for persistent data

  • Key management: secure handling of encryption keys consistent with cloud best practices

  • Secure secrets management: credentials and tokens are stored and rotated using controlled systems, not embedded in code

Tenant Isolation & Access Controls

Quantum is designed to support multi-tenant enterprise use with strong logical separation between organizations.

  • Tenant isolation: organization data is separated by design and access policy

  • Role-based access control (RBAC): admin, instructor, and learner roles with scoped permissions

  • Least privilege: access is granted only to what is needed for a given role and task

  • Administrative auditability: admin actions are logged to support review and accountability

Authentication, SSO, and Identity Options

For enterprise deployments, Quantum can support identity and access patterns that reduce risk and simplify administration:

  • SSO support (where applicable) to centralize authentication under the customer’s identity provider

  • Optional provisioning workflows (e.g., controlled onboarding, managed accounts)

  • Session security controls (timeouts, secure authentication flows)

If your organization has specific requirements (SSO, access reviews, onboarding constraints), we can align deployment to your standard operating model.

Logging, Monitoring, and Audit Trails

Security depends on visibility.

Quantum maintains logs to support:

  • Operational monitoring (availability, performance, error tracking)

  • Security monitoring (anomalous traffic, abuse signals, suspicious access patterns)

  • Audit trails (administrative actions, configuration changes, access events)

Log retention is managed to balance security needs with data minimization.

Secure Development & Change Management

We treat security as part of the product lifecycle, not a one-time checklist:

  • Secure code practices and peer review for changes

  • Dependency and vulnerability management for third-party libraries

  • Environment separation (development vs. production controls)

  • Controlled deployments with traceability of changes

Incident Response & Vulnerability Handling

We maintain internal procedures for:

  • Detecting and responding to security incidents

  • Containing and remediating issues quickly

  • Communicating with impacted customers when required

  • Performing post-incident reviews to prevent recurrence

Data Retention, Export, and Deletion

Quantum supports enterprise expectations around data lifecycle management:

  • Retention: data retained only as needed for platform operation and as agreed with the customer

  • Export: customers can request export of relevant organizational data in supported formats

  • Deletion: upon termination or request (subject to contractual and legal obligations), data can be deleted according to defined procedures

We prioritize predictable, documented handling of data at every stage.

API & Integration Security (When Enabled)

When using the Quantum API:

  • Authentication is required for all requests

  • Keys/credentials are scoped and revocable

  • Rate limits help prevent abuse and protect availability

  • Usage logging supports debugging, monitoring, and audit needs

API access is designed to be controlled, measurable, and enterprise-friendly.

Compliance & SOC 2 Readiness

Many organizations use SOC 2 as a benchmark for vendor security maturity. McCoy is building toward a SOC 2–aligned control environment, including policies and operational practices across:

  • Access controls

  • Change management

  • Incident response

  • Logging and monitoring

  • Risk management and vendor management

  • Business continuity and recovery

If your procurement process requires security documentation (questionnaires, policies, architecture summaries, subprocessors list), we can provide what’s needed to support review.

Note: We will never represent ourselves as “SOC 2 certified” unless and until a formal independent audit is completed and the report is available under appropriate sharing terms.

Subprocessors & Third-Party Services

Enterprise partners often require transparency into critical vendors. We maintain an internal inventory of key service providers involved in operating the platform and can share relevant details as part of enterprise security review.

Your Organization’s Requirements

Security and privacy requirements vary widely across corporations, universities, and foundations. We’re happy to align Quantum to your needs, including:

  • Minimal data collection configurations

  • Tenant-specific access controls

  • SSO and identity requirements

  • Data retention preferences

  • Security and procurement documentation

Contact us for further security support

If your organization requires heightened security protocols, custom controls, or restricted deployment environments (e.g., defense or government use cases), please contact us to coordinate a tailored security review.