Trust isn't a feature. It's the foundation.
Qability is built for the people who have to say yes to an auditor. Security and compliance are the substrate — tenant isolation, encryption, identity, and a tamper-evident trail by default.
The pillars
Security designed in, not bolted on
Each control is part of the platform's substrate — enforced at the database and the infrastructure, not left to application code to remember.
Tenant isolation
Every company is isolated with PostgreSQL row-level security enforced at the database — not application-layer checks you have to trust.
Encryption everywhere
AES-256 at rest and TLS 1.3 in transit. Secrets are managed in a dedicated vault; tenant-managed keys are available on Enterprise.
Identity & SSO
SAML 2.0, OIDC, and SCIM provisioning. Works with Okta, Azure AD, Google Workspace, and Auth0 — with enforced MFA.
Granular permissions
Role-based access with fine-grained permission strings, scoped API keys, and supplier portals that only ever see their own records.
Backups & recovery
Continuous point-in-time recovery with automated, encrypted backups. Cross-region replication on Regulated and above.
Data residency
Choose where your data lives — US-East or EU-West regions. Dedicated, single-tenant infrastructure on Enterprise.
Defense in depth
Your data, protected at every layer.
A single control is a single point of failure. Qability layers independent defenses from the network edge down to individual database rows, so a gap in one layer is contained by the next.
Writes are server-authoritative and permission-checked before they ever commit — there are no optimistic client mutations to roll back, and no trust placed in the browser.
Network
Private networking, WAF, DDoS protection, and rate limiting in front of every service.
Application
Pessimistic, server-authoritative writes. Every mutation is permission-checked before it commits.
Data
Row-level security per tenant, column-level encryption for sensitive fields, and least-privilege database roles.
Monitoring
Centralized logs and metrics with alerting on anomalies, failed logins, and replication lag — 24/7.
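The tenant isolation pillar and the Data layer above both rest on the same mechanism: PostgreSQL row-level security evaluated inside the database, combined with a least-privilege application role and a write check that runs before the row commits. The following is an added illustration of that pattern, written for this page and not taken from Qability's own schema; the table name, the role name, the `app.tenant_id` setting and the sample UUIDs are assumptions.

```sql
-- Added example, not Qability's schema. Object names and UUIDs are constructed.

-- 1. Least-privilege role the application connects as. It is not a superuser,
--    has NOBYPASSRLS, and does not own the table, so it can neither skip the
--    policy nor alter it.
CREATE ROLE app_user LOGIN NOBYPASSRLS;

CREATE TABLE supplier_records (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    body       text NOT NULL,
    updated_at timestamptz NOT NULL DEFAULT now()
);
GRANT SELECT, INSERT, UPDATE, DELETE ON supplier_records TO app_user;
GRANT USAGE, SELECT ON SEQUENCE supplier_records_id_seq TO app_user;

-- 2. Enable RLS. FORCE applies the policy to the table owner as well, so a
--    migration or maintenance connection running as the owner is not exempt.
ALTER TABLE supplier_records ENABLE ROW LEVEL SECURITY;
ALTER TABLE supplier_records FORCE ROW LEVEL SECURITY;

-- 3. One policy with two halves. USING filters every SELECT and every row an
--    UPDATE/DELETE may touch. WITH CHECK is evaluated on the new row before
--    INSERT/UPDATE commits and rejects any row whose tenant_id is not the
--    session's tenant, so a cross-tenant write fails even if the application
--    code forgot to set the column correctly.
CREATE POLICY tenant_isolation ON supplier_records
    FOR ALL TO app_user
    USING      (tenant_id = current_setting('app.tenant_id')::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id')::uuid);

-- 4. Per request, on a connection authenticated as app_user, the server sets
--    the tenant from the verified identity (never from a client parameter).
--    SET LOCAL scopes it to the transaction, so a pooled connection cannot
--    carry one tenant's context into the next request.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO supplier_records (tenant_id, body)
    VALUES ('11111111-1111-1111-1111-111111111111', 'constructed sample row');
-- Returns only this tenant's rows, whatever WHERE clause the client supplied.
SELECT id, body FROM supplier_records;
COMMIT;

-- 5. A write aimed at another tenant is refused by WITH CHECK with
--    "new row violates row-level security policy"; the transaction is then
--    unusable and must be rolled back, so nothing partial reaches the table.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO supplier_records (tenant_id, body)
    VALUES ('22222222-2222-2222-2222-222222222222', 'cross-tenant write');
ROLLBACK;
```

Two properties worth checking in a review of any such setup: a request that never set `app.tenant_id` must fail rather than see everything (with the one-argument `current_setting` form used here, an unset parameter raises an error, so the failure is closed), and the application's own role must be the one the policy names, with no `BYPASSRLS` or superuser connection reachable from request-handling code. In application code the tenant is normally bound with `SELECT set_config('app.tenant_id', $1, true)` so the value is passed as a bound parameter rather than spliced into a `SET` statement.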
Compliance
Aligned to the standards your auditors know
Audit trails, electronic signatures, and change control are first-class primitives — so the evidence is already there when the audit comes.
Independent audit of security controls.
E-signatures, audit trails, system controls.
Medical device quality management workflows.
General quality management foundation.
EU data residency, DPA, and subprocessor list.
BAA available for covered entities on Enterprise.
Need our DPA, subprocessor list, or a completed security questionnaire? Email the security team.
How we operate
Security is a practice, not a checkbox
The controls above are backed by the day-to-day discipline of how we build and run the platform.
Secure SDLC
Mandatory code review, dependency scanning, and automated security checks in CI on every change.
Penetration testing
Independent third-party penetration tests, with remediation tracked to closure.
Least privilege
Access to production is role-scoped, time-bound, logged, and reviewed on a regular cadence.
Incident response
A documented incident response plan with defined severities, on-call rotation, and customer notification SLAs.
Vendor management
Every subprocessor is reviewed before onboarding and listed publicly for your DPA.
Tamper-evident audit trail
Who, what, when, and why — captured automatically for every record and exportable for auditors.
Responsible disclosure
Found a vulnerability? We appreciate the help. Report it privately and we'll acknowledge within one business day and keep you posted through remediation.
Built to pass the review