Trust Center
How Quantum League AI protects your data — and exactly where we stand on each security and privacy framework. We publish this honestly: a framework is only marked Certified when an independent audit confirms it. Everything else is our own alignment work in progress.
GDPR
EU General Data Protection Regulation
Controls implemented: data access/export, timestamped consent records with withdrawal, right-to-erasure (30-day grace then anonymization), cookie consent, data-retention schedule, records of processing (Art. 30), a DPIA for the video-AI + minors, and a breach-notification runbook. No third-party certification is claimed.
EU/EEA
CCPA/CPRA
California Consumer Privacy Act
Consumer rights met via the same controls as GDPR: access/export, deletion (with grace + anonymization), and correction. We do not sell or share personal information. See the CCPA compliance doc. No third-party certification is claimed.
US-CA
PCI DSS
Payment Card Industry Data Security Standard
Card data is handled entirely by Stripe (a PCI DSS Level 1 provider). QuantumLeagueAI never stores or processes raw card numbers.
Global
ISO 42001
ISO/IEC 42001 AI Management System
AI governance practices implemented for the video-AI and Luna: governance statement, a DPIA for AI processing of minors, human oversight (coach approval before publishing), transparency, and data-minimization. No third-party certification is claimed.
Global
NIST 800-53
NIST SP 800-53 Security & Privacy Controls
Our controls are mapped to the relevant NIST 800-53 families (Access Control, Audit, Identification & Auth, System & Comms Protection, Contingency Planning, Incident Response, and more). This is a self-assessment against the catalog — not a federal assessment or ATO.
US
NIST CSF
NIST Cybersecurity Framework
We organize our security program around Identify/Protect/Detect/Respond/Recover.
US
DORA
EU Digital Operational Resilience Act
DORA legally binds EU financial entities — it does NOT apply to us. We voluntarily adopt its operational-resilience controls: ICT risk management, incident response, backup & disaster recovery, and third-party risk management. No regulatory compliance is claimed.
EU
NIS 2
EU Network and Information Security Directive 2
NIS 2 legally binds essential/important entities in regulated sectors — it does NOT apply to us. We voluntarily follow its security measures: risk management, incident handling, business continuity/backup, supply-chain security, vulnerability handling, encryption, and access control. No regulatory compliance is claimed.
EU
MVSP
Minimum Viable Secure Product
Core MVSP controls implemented: SSO/Firebase Auth, RBAC, immutable audit logging, TLS + security headers/CSP, default-deny data rules, dependency patching (Dependabot), webhook signature verification, backups (Firebase). Open items: MFA, pen-test, security training. See the MVSP doc.
Global
USDP
US Data Privacy (state privacy laws)
The common requirements across US state privacy laws (access, deletion, correction, opt-out of sale — we don't sell) are met by the same controls as GDPR/CCPA. No third-party certification is claimed.
US
GDPR-K / COPPA
Children's privacy (COPPA / GDPR Article 8)
Youth-player data is minimized and access-restricted; guardian-consent capture and further minor-data controls are being built.
US / EU
SOC 2
AICPA SOC 2 (Trust Services Criteria)
Targeting a SOC 2 Type II examination. Controls are being documented; no report exists yet.
US
ISO 27001
ISO/IEC 27001 Information Security Management
Aligning our ISMS practices toward certification; not yet certified.
Global
NIST 800-171
NIST SP 800-171 (Controlled Unclassified Information)
On roadmap for any future government/defense engagements.
US
HITRUST
HITRUST CSF
Not in scope today; listed for transparency.
US
NYDFS 500
NYDFS 23 NYCRR 500 Cybersecurity Regulation
Financial-services regulation; not currently in scope.
US-NY
EU-US DPF
EU-US Data Privacy Framework
We rely on appropriate transfer safeguards; DPF self-certification is under consideration.
EU/US
Cyber Essentials
UK NCSC Cyber Essentials
Baseline technical controls being aligned; not yet certified.
UK
Essential Eight
ACSC Essential Eight
Mitigation strategies used as a hardening reference.
AU
OFDSS
Open Finance Data Security Standard
Open-finance data standard; monitored, not in scope today.
Global
Custom
Custom / customer-specific framework
Reserved slot for a customer- or partner-specific control set. Contact us to map your requirements.
—
HIPAA
US Health Insurance Portability and Accountability Act
QuantumLeagueAI is not a covered entity or business associate. Any wellness/training metrics are not processed as protected health information.
US
TISAX
Trusted Information Security Assessment Exchange
Automotive-sector standard; outside our scope.
EU (Automotive)
CMMC
Cybersecurity Maturity Model Certification
US defense supply-chain standard; not in scope today.
US (DoD)
AWS FTR
AWS Foundational Technical Review
Our infrastructure runs on Google Cloud / Firebase and Vercel, not AWS.
Global
Your data rights
Export or delete your personal data (GDPR/CCPA).
Privacy Policy
What we collect, why, and how we protect it.
Terms & DPA
Terms of Service and Data Processing Addendum.
Security questions or to request a report: security@quantumleagueai.com