Back to home

Trust Center

How Quantum League AI protects your data — and exactly where we stand on each security and privacy framework. We publish this honestly: a framework is only marked Certified when an independent audit confirms it. Everything else is our own alignment work in progress.

Transparency note. Quantum League AI does not currently hold third-party certifications for the frameworks below. Statuses reflect our internal self-assessment and roadmap, not audited attestations. We will update this page — and provide reports — as formal audits are completed.
CertifiedAlignedIn progressPlannedNot applicable

GDPR

EU General Data Protection Regulation

Aligned

Controls implemented: data access/export, timestamped consent records with withdrawal, right-to-erasure (30-day grace then anonymization), cookie consent, data-retention schedule, records of processing (Art. 30), a DPIA for the video-AI + minors, and a breach-notification runbook. No third-party certification is claimed.

EU/EEA

CCPA/CPRA

California Consumer Privacy Act

Aligned

Consumer rights met via the same controls as GDPR: access/export, deletion (with grace + anonymization), and correction. We do not sell or share personal information. See the CCPA compliance doc. No third-party certification is claimed.

US-CA

PCI DSS

Payment Card Industry Data Security Standard

Aligned

Card data is handled entirely by Stripe (a PCI DSS Level 1 provider). QuantumLeagueAI never stores or processes raw card numbers.

Global

ISO 42001

ISO/IEC 42001 AI Management System

Aligned

AI governance practices implemented for the video-AI and Luna: governance statement, a DPIA for AI processing of minors, human oversight (coach approval before publishing), transparency, and data-minimization. No third-party certification is claimed.

Global

NIST 800-53

NIST SP 800-53 Security & Privacy Controls

Aligned

Our controls are mapped to the relevant NIST 800-53 families (Access Control, Audit, Identification & Auth, System & Comms Protection, Contingency Planning, Incident Response, and more). This is a self-assessment against the catalog — not a federal assessment or ATO.

US

NIST CSF

NIST Cybersecurity Framework

Aligned

We organize our security program around Identify/Protect/Detect/Respond/Recover.

US

DORA

EU Digital Operational Resilience Act

Aligned

DORA legally binds EU financial entities — it does NOT apply to us. We voluntarily adopt its operational-resilience controls: ICT risk management, incident response, backup & disaster recovery, and third-party risk management. No regulatory compliance is claimed.

EU

NIS 2

EU Network and Information Security Directive 2

Aligned

NIS 2 legally binds essential/important entities in regulated sectors — it does NOT apply to us. We voluntarily follow its security measures: risk management, incident handling, business continuity/backup, supply-chain security, vulnerability handling, encryption, and access control. No regulatory compliance is claimed.

EU

MVSP

Minimum Viable Secure Product

Aligned

Core MVSP controls implemented: SSO/Firebase Auth, RBAC, immutable audit logging, TLS + security headers/CSP, default-deny data rules, dependency patching (Dependabot), webhook signature verification, backups (Firebase). Open items: MFA, pen-test, security training. See the MVSP doc.

Global

USDP

US Data Privacy (state privacy laws)

Aligned

The common requirements across US state privacy laws (access, deletion, correction, opt-out of sale — we don't sell) are met by the same controls as GDPR/CCPA. No third-party certification is claimed.

US

GDPR-K / COPPA

Children's privacy (COPPA / GDPR Article 8)

In progress

Youth-player data is minimized and access-restricted; guardian-consent capture and further minor-data controls are being built.

US / EU

SOC 2

AICPA SOC 2 (Trust Services Criteria)

Planned

Targeting a SOC 2 Type II examination. Controls are being documented; no report exists yet.

US

ISO 27001

ISO/IEC 27001 Information Security Management

Planned

Aligning our ISMS practices toward certification; not yet certified.

Global

NIST 800-171

NIST SP 800-171 (Controlled Unclassified Information)

Planned

On roadmap for any future government/defense engagements.

US

HITRUST

HITRUST CSF

Planned

Not in scope today; listed for transparency.

US

NYDFS 500

NYDFS 23 NYCRR 500 Cybersecurity Regulation

Planned

Financial-services regulation; not currently in scope.

US-NY

EU-US DPF

EU-US Data Privacy Framework

Planned

We rely on appropriate transfer safeguards; DPF self-certification is under consideration.

EU/US

Cyber Essentials

UK NCSC Cyber Essentials

Planned

Baseline technical controls being aligned; not yet certified.

UK

Essential Eight

ACSC Essential Eight

Planned

Mitigation strategies used as a hardening reference.

AU

OFDSS

Open Finance Data Security Standard

Planned

Open-finance data standard; monitored, not in scope today.

Global

Custom

Custom / customer-specific framework

Planned

Reserved slot for a customer- or partner-specific control set. Contact us to map your requirements.

HIPAA

US Health Insurance Portability and Accountability Act

Not applicable

QuantumLeagueAI is not a covered entity or business associate. Any wellness/training metrics are not processed as protected health information.

US

TISAX

Trusted Information Security Assessment Exchange

Not applicable

Automotive-sector standard; outside our scope.

EU (Automotive)

CMMC

Cybersecurity Maturity Model Certification

Not applicable

US defense supply-chain standard; not in scope today.

US (DoD)

AWS FTR

AWS Foundational Technical Review

Not applicable

Our infrastructure runs on Google Cloud / Firebase and Vercel, not AWS.

Global

Security questions or to request a report: security@quantumleagueai.com