How we protect your code and your data.
We run penetration tests for a living. Our own security posture is held to the standards we expect from clients. Here is what that looks like in practice.
The Principle
We have read enough pentest reports written about other agencies to know the most common findings: secrets in repos, no 2FA, shared admin accounts, and archive copies of pentest evidence kept indefinitely. We refuse to be the firm those reports get written about.
The controls below are not aspirational. They are the baseline every engagement runs against. For the standards they align to, see certifications & credentials.
Active Controls
How client data is actually protected.
Source code in private repos
All client source code lives in private GitHub repositories under the client's organization, not ours. Branch protection is enforced on main. Two-factor authentication is enforced for every account with repository access — no exceptions for contractors.
Secrets via Vercel environment variables
API keys, database URLs, Stripe keys, and any other production credentials live in Vercel environment variables, scoped per environment (production, preview, development). Secrets are never committed to source. GitGuardian scans every commit on push to catch accidental leaks before they merge. Scanning catches a leak; it does not undo one. A credential that has reached a remote, even briefly, has to be rotated, not just removed from history.
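As an added illustration, and not QUANT LAB's own tooling or GitGuardian's detector logic: a small local pre-commit guard in Python that scans only the added lines of a staged diff for a few of the credential shapes the page names (Stripe keys, database URLs with embedded passwords, cloud and VCS tokens, private-key blocks). The regexes are assumed, coarse patterns; the file path, the sample diff and the placeholder credentials in it are constructed for the example.

```python
import re
import sys
from dataclasses import dataclass

# Illustrative credential shapes for a local pre-commit guard (assumed
# patterns for this example, not GitGuardian's detectors). Tune to your stack.
SECRET_RULES = {
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[0-9A-Za-z]{36,}\b"),
    "db_url_with_password": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^\s:/@]+:[^\s@]+@"
    ),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"
    ),
}

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int      # line number in the new version of the file
    rule: str
    excerpt: str   # redacted, so the finding itself cannot leak the secret


def redact(secret: str) -> str:
    """Keep the recognisable prefix, drop the rest."""
    return secret[:8] + "..." if len(secret) > 8 else "***"


def scan_diff(diff: str) -> list:
    """Scan only the added lines of a unified diff (e.g. `git diff --cached`).
    Removed lines are ignored: deleting a secret is not a new leak."""
    findings = []
    path, new_line = "?", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            continue
        header = HUNK_HEADER.match(raw)
        if header:
            new_line = int(header.group(1))
            continue
        if raw.startswith(("-", "\\")):
            continue  # old-file header, removed line, or "\ No newline" marker
        if raw.startswith("+"):
            for rule, pattern in SECRET_RULES.items():
                for hit in pattern.finditer(raw[1:]):
                    findings.append(Finding(path, new_line, rule, redact(hit.group(0))))
        new_line += 1  # context and added lines both advance the new-file counter
    return findings


# Constructed sample: a staged change that hard-codes two credentials.
# The key and password are placeholders, not real values.
SAMPLE_DIFF = """\
diff --git a/lib/billing.ts b/lib/billing.ts
--- a/lib/billing.ts
+++ b/lib/billing.ts
@@ -1,3 +1,5 @@
 import Stripe from "stripe";
-const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);
+// TODO remove before merge
+const stripe = new Stripe("sk_live_EXAMPLEEXAMPLEEXAMPLE0000");
+const db = "postgres://app:hunter2@db.internal:5432/prod";
 export default stripe;
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    hits = scan_diff(text)
    for f in hits:
        print(f"{f.path}:{f.line}: {f.rule} ({f.excerpt})")
    sys.exit(1 if hits else 0)
```

Wired as `git diff --cached | python scan_secrets.py` in a pre-commit hook, a non-zero exit blocks the commit and the output names the file and line without echoing the secret. A local hook is a convenience for the developer, not a control: `git commit --no-verify` skips it, which is why the server-side scan on push still has to exist.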
TLS 1.3 across all environments
Production, staging, and preview environments all negotiate TLS 1.3 by default through Vercel's edge. HSTS is enabled, with preload where appropriate, and we enforce HTTPS at every redirect, both internal and external, so no hop in a redirect chain can drop a client back to plain HTTP.
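Two checks a practitioner would run to verify the claims above, added here as an example and not taken from the page, from Vercel, or from any preload checker: one validates a Strict-Transport-Security header against the hstspreload.org submission rules (one-year minimum max-age, includeSubDomains, preload), the other walks a recorded redirect chain and flags any hop that is not HTTPS, including relative Location headers that silently inherit an http scheme. The headers and redirect hops are constructed; capturing them from a live site is assumed to be done with whatever HTTP client you already use.

```python
from typing import Optional
from urllib.parse import urljoin, urlsplit

PRELOAD_MIN_MAX_AGE = 31_536_000  # one year, the hstspreload.org minimum


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security value into {directive: value}.
    Names are case-insensitive and only the first occurrence counts (RFC 6797)."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name and name not in directives:
            directives[name] = value.strip().strip('"') if value else None
    return directives


def hsts_problems(header: Optional[str]) -> list:
    """Why this header would fail the preload-list rules; an empty list means it passes."""
    if header is None:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    d = parse_hsts(header)
    problems = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not an integer")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age={max_age} is below the one-year preload minimum")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def redirect_chain_problems(hops: list) -> list:
    """hops: (request_url, status, location) for each request made while following
    redirects, starting from the plain-HTTP URL. Flags a first hop that is served
    rather than redirected, any later request that is not HTTPS, and any redirect
    whose resolved target is not HTTPS (relative Locations inherit the current scheme)."""
    problems = []
    for i, (url, status, location) in enumerate(hops):
        scheme = urlsplit(url).scheme
        is_redirect = 300 <= status < 400
        if i > 0 and scheme != "https":
            problems.append(f"hop {i}: request to {url} is not HTTPS")
        if i == 0 and scheme == "http" and not is_redirect:
            problems.append("hop 0: plain-HTTP request was served instead of redirected")
        if not is_redirect:
            continue
        if not location:
            problems.append(f"hop {i}: {status} response without a Location header")
            continue
        target = urlsplit(urljoin(url, location))
        if target.scheme != "https":
            problems.append(f"hop {i}: {url} redirects to non-HTTPS {location}")
        elif i == 0 and target.hostname != urlsplit(url).hostname:
            problems.append("hop 0: the first redirect must go to HTTPS on the same host")
    return problems


# Constructed samples: a compliant chain and one with downgrades hidden mid-chain.
GOOD_CHAIN = [
    ("http://example.com/", 301, "https://example.com/"),
    ("https://example.com/", 200, None),
]
BAD_CHAIN = [
    ("http://example.com/", 301, "http://www.example.com/"),
    ("http://www.example.com/", 302, "/login"),
    ("http://www.example.com/login", 301, "https://www.example.com/login"),
    ("https://www.example.com/login", 200, None),
]

if __name__ == "__main__":
    for label, value in [("good", "max-age=63072000; includeSubDomains; preload"),
                         ("weak", "max-age=300")]:
        print(label, hsts_problems(value) or "ok")
    print("bad chain:", *redirect_chain_problems(BAD_CHAIN), sep="\n  ")
```

The chain check is the one that catches what a header check cannot: a www redirect or a login bounce that goes through http for a single hop is enough for an on-path attacker to rewrite the response, and it never shows up if you only inspect the final HTTPS page.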
Two-factor on every account
GitHub, Vercel, AWS, Stripe, Resend, Sentry, and every other service touching client work has two-factor authentication enforced on every account. Recovery codes are stored in a dedicated password manager, not in any document attached to the project.
Dependency scanning
Dependabot runs on every repository. Snyk scans dependencies on each CI build. GitGuardian watches for secret leaks. Findings are triaged within one business day, and critical CVEs are patched in a same-day deploy when the upstream patch is available.
Pentest data isolation
Penetration tests are executed from isolated, time-boxed environments dedicated to the engagement. Test data, screenshots, raw scanner output, and notes are stored in an encrypted, access-controlled location and never mixed with other client material.
Pentest data destruction
Pentest evidence is retained for 90 days post-delivery to allow remediation discussion and retesting, then permanently destroyed. The final report stays in the client's possession. Raw artifacts are not held indefinitely on our side.
GDPR-aware data handling
Our analytics defaults are privacy-respecting. We do not run third-party tracking pixels on client production environments without explicit client authorization. Client-collected personal data stays on client infrastructure, not on ours.
Confidentiality & NDA
NDAs available on request.
We sign mutual NDAs before discovery on any engagement that touches sensitive IP, internal systems, or non-public financial data. We have a clean template ready to send within an hour of asking. If your legal team has its own preferred NDA, we will sign reasonable counterparts.
All employees and contractors with project access sign the NDA. Confidentiality obligations survive the engagement indefinitely. Public case studies, references, and the content of our work page only include clients who have explicitly authorized their inclusion.
Tooling
Specific tools, not generic claims.
The current security tool stack: GitHub with branch protection and required reviews on main, Dependabot for automated dependency PRs, Snyk for vulnerability scanning during CI, GitGuardian for secret leak detection on every push, Vercel for environment-isolated secret management, Sentry for error tracking, 1Password for credential sharing within engagements, and Cloudflare in front of anything that needs DDoS or WAF protection.
For penetration testing engagements, the tooling expands to include Burp Suite Pro, Nmap, Nuclei, custom Python scripts, and the Kali ecosystem. None of these tools is ever run from the main QUANT LAB workstation; they live in isolated, time-boxed environments provisioned per engagement.
For more detail on testing methodology, see web app pentest, network pentest, and Active Directory pentest.
Incident Response
What happens if something goes wrong.
Every QUANT LAB build ships with a written runbook in the client repository. The runbook covers deploy procedure, rollback procedure, common failure modes, monitoring access, and incident-response contacts. It is written so a stranger on call at 3 a.m. can execute it.
If a security incident is suspected on a system we operate or have credentials for, the response is: contain (rotate credentials, revoke sessions), preserve (collect logs, screenshots, timestamps), notify (client and any relevant third parties within four hours of confirmation), and remediate (deploy the fix and document the post-mortem within five business days).
For ongoing maintenance clients, incident response is covered by the retainer. For one-off engagements, post-launch incidents are covered for the first 48 hours and quoted thereafter.
Reporting a Vulnerability
Found something on a QUANT LAB property?
If you have identified a security issue on quantlabusa.dev or on any system we operate, email beltz@quantlabusa.dev with the details. We acknowledge in writing within one business day.
We do not run a paid bounty program at this size, but we will publicly credit responsible disclosure on this page when the reporter wants the credit. Please give us a reasonable window to remediate before publishing.
Where This Connects
Security as a through-line.
Our security posture shows up everywhere. It is baked into our build methodology, disclosed in our customer process, and aligned with the standards on the credentials page. For the engineer behind it, see team & leadership.
For long-form writing on how we run pentest engagements, see penetration test cost 2026 and pentest firms in Georgia. For more on how security shapes the way we build software, see the CRM development guide.
Procurement team needs more detail?
We will fill out reasonable security questionnaires and provide documented evidence for the controls above. Just tell us what you need.
Call (770) 652-1282 or email beltz@quantlabusa.dev