Last updated: 7 May 2026
This website
- HTTPS only. The site is served exclusively over TLS 1.2 or higher. HTTP requests are 301-redirected to HTTPS at the edge.
- HSTS preload-eligible. Strict-Transport-Security is set to two years with includeSubDomains and preload.
- Modern security headers. Content-Security-Policy, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, and a locked-down Permissions-Policy.
- WAF protection. AWS WAFv2 with the Common Rule Set, Known Bad Inputs Rule Set, and a strict per-IP rate limit on the contact API.
- Private origin. The static files are stored in a private S3 bucket reachable only by the site's CloudFront distribution; the bucket has no public ACL.
- Encrypted at rest. All site assets and CloudFront access logs are stored with AWS-managed AES-256 server-side encryption.
- Logging. Edge access is logged to a write-only logs bucket with a 90-day expiration. Lambda logs go to CloudWatch with 30-day retention.
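The header baseline above can be checked mechanically. The following is an added example, not the site's own code: it audits a plain dict of response headers (for instance `requests.Response.headers`, or a parsed `curl -I` dump) against the values listed, so it runs offline on the constructed samples at the bottom. Assumptions: "two years" for HSTS is taken as 63072000 seconds, and the check that the effective script-src does not allow `'unsafe-inline'` is a stricter heuristic than the page states.

```python
"""Audit HTTP response headers against the baseline listed above.

Added example, not the site's own code. Assumptions: two-year HSTS =
63072000 seconds; the 'unsafe-inline' check is an extra heuristic.
"""
import re

TWO_YEARS = 2 * 365 * 24 * 3600  # 63072000 s; the preload list's own minimum
                                # is one year, the page states two

# Headers that must carry exactly this value (compared case-insensitively).
EXPECTED_EXACT = {
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
}
# Headers that only need to be present and non-empty.
REQUIRED_PRESENT = ("content-security-policy", "permissions-policy")


def _get(headers, name):
    """Case-insensitive lookup over a plain dict; `name` is lowercase."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def check_hsts(value):
    """Findings for a Strict-Transport-Security value (None = header absent)."""
    if value is None:
        return ["strict-transport-security: missing"]
    findings = []
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = None
    for d in directives:
        m = re.fullmatch(r"max-age=(\d+)", d)
        if m:
            max_age = int(m.group(1))
    if max_age is None:
        findings.append("strict-transport-security: max-age missing")
    elif max_age < TWO_YEARS:
        findings.append(f"strict-transport-security: max-age {max_age} below two years")
    if "includesubdomains" not in directives:
        findings.append("strict-transport-security: includeSubDomains missing")
    if "preload" not in directives:
        findings.append("strict-transport-security: preload missing")
    return findings


def csp_allows_inline_scripts(csp):
    """Heuristic: does the effective script-src (falling back to default-src)
    list 'unsafe-inline'? It ignores the CSP3 rule that a nonce or hash source
    disables 'unsafe-inline', so treat a hit as something to review."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    return "'unsafe-inline'" in sources


def audit_headers(headers):
    """Return a list of findings; an empty list means the baseline is met."""
    findings = check_hsts(_get(headers, "strict-transport-security"))
    for name, want in EXPECTED_EXACT.items():
        got = _get(headers, name)
        if got is None:
            findings.append(f"{name}: missing")
        elif got.strip().lower() != want.lower():
            findings.append(f"{name}: expected {want!r}, got {got!r}")
    for name in REQUIRED_PRESENT:
        if not _get(headers, name):
            findings.append(f"{name}: missing")
    csp = _get(headers, "content-security-policy")
    if csp and csp_allows_inline_scripts(csp):
        findings.append("content-security-policy: script-src allows 'unsafe-inline'")
    return findings


# Constructed samples: one response that meets the baseline, one that does not.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, audit_headers(hdrs) or "baseline met")
```

Running it prints an empty finding list for the first sample and seven findings for the second (short HSTS lifetime without includeSubDomains or preload, SAMEORIGIN instead of DENY, missing Referrer-Policy and Permissions-Policy, and a CSP whose default-src fallback permits inline scripts). Wiring it into a CI job that fetches the live site's headers turns the list above into a regression test.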
Contact form & email
- Server-side validation. Every submission is validated by a Lambda function: schema, length caps, character allowlist on names, RFC-style email regex, and a honeypot field that silently drops bot submissions.
- Header injection prevention. User input is sanitised before any value is used in an email subject or address; CRLF and control bytes are stripped.
- Authenticated email delivery. Outgoing notification mail is sent from a domain verified in AWS SES, signed with DKIM, with SPF and DMARC records published. The DMARC policy is set to p=quarantine with strict alignment.
- Least privilege. The Lambda's IAM role can call ses:SendEmail only when the From address matches the verified identity. It has no other AWS permissions.
- Rate limiting. WAF caps requests to /api/* at 30 per 5-minute window per IP. The Lambda also enforces a per-IP cooldown as defence-in-depth.
- No third-party trackers. The site loads no advertising or behavioural-tracking scripts from third parties.
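The validation, header-injection and cooldown items above fit in one handler. The following is an added example, not the site's Lambda: it implements schema and length caps, a character allowlist on the name, an RFC-style email regex, a silently dropped honeypot, CRLF and control-byte stripping before any value can reach a Subject or address line, and an in-memory per-IP cooldown behind the WAF limit. Field names, the caps, the honeypot field name `website`, the 60-second window and the status codes are all assumptions.

```python
"""Server-side handling of a contact-form submission, in the style of the
Lambda described above. Added example, not the site's own code. Field names,
caps, honeypot field, cooldown window and status codes are assumptions.
"""
import re
import time

MAX_LEN = {"name": 100, "email": 254, "message": 4000}  # assumed caps per field
HONEYPOT_FIELD = "website"   # hidden input: humans leave it empty, bots fill it
COOLDOWN_SECONDS = 60        # assumed per-IP cooldown window

# Allowlist for names: Unicode letters plus apostrophe, space, dot and hyphen.
NAME_ALLOWED = re.compile(r"(?:[^\W\d_]|[' .-])+")
# Pragmatic RFC-style address shape: local@label(.label)+, no whitespace.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def strip_header_unsafe(value):
    """Drop CR, LF and every other C0/C1/DEL control character so the value
    cannot terminate a header line when used in a Subject or address."""
    return "".join(
        ch for ch in value
        if ord(ch) >= 0x20 and ord(ch) != 0x7F and not 0x80 <= ord(ch) <= 0x9F
    )


def validate(form):
    """Return (ok, errors). A honeypot hit returns (False, ["honeypot"]) so the
    caller can drop it silently instead of reporting a validation error."""
    if form.get(HONEYPOT_FIELD):
        return False, ["honeypot"]
    errors = []
    unknown = set(form) - set(MAX_LEN) - {HONEYPOT_FIELD}
    if unknown:
        errors.append(f"unexpected fields: {sorted(unknown)}")
    for field, cap in MAX_LEN.items():
        value = form.get(field)
        if not isinstance(value, str) or not value.strip():
            errors.append(f"{field}: required")
        elif len(value) > cap:
            errors.append(f"{field}: longer than {cap} characters")
    name, email = form.get("name"), form.get("email")
    # fullmatch (not match + '$') so a trailing newline cannot slip through
    if isinstance(name, str) and name and not NAME_ALLOWED.fullmatch(name):
        errors.append("name: characters outside the allowlist")
    if isinstance(email, str) and email and not EMAIL_RE.fullmatch(email):
        errors.append("email: not a valid address")
    return not errors, errors


class PerIpCooldown:
    """In-memory per-IP cooldown. In Lambda this persists only for a warm
    container; a durable version would key a DynamoDB item with a TTL on the
    IP (assumption, not the site's design). The clock is injectable for tests."""

    def __init__(self, seconds=COOLDOWN_SECONDS, clock=time.monotonic):
        self.seconds, self.clock, self.last_seen = seconds, clock, {}

    def allow(self, ip):
        now = self.clock()
        last = self.last_seen.get(ip)
        if last is not None and now - last < self.seconds:
            return False
        self.last_seen[ip] = now
        return True


def handle(form, ip, cooldown):
    """One request's decision as (status, payload). 202 carries the sanitised
    fields for the mail step; a honeypot hit gets a normal-looking 200."""
    if not cooldown.allow(ip):
        return 429, None
    ok, errors = validate(form)
    if errors == ["honeypot"]:
        return 200, None
    if not ok:
        return 400, errors
    return 202, {k: strip_header_unsafe(form[k]) for k in MAX_LEN}


# Constructed sample submissions (addresses use the reserved example.com).
CLEAN = {"name": "Ada Lovelace", "email": "ada@example.com", "message": "Hello", "website": ""}
BOT = {"name": "Bob", "email": "bob@example.com", "message": "buy", "website": "http://spam.example"}
INJECTED = {"name": "Ada\r\nBcc: someone@example.com", "email": "ada@example.com", "message": "Hi"}

if __name__ == "__main__":
    for label, sub in (("clean", CLEAN), ("bot", BOT), ("injected", INJECTED)):
        print(label, handle(sub, "203.0.113.5", PerIpCooldown()))
```

Two points worth noting: the honeypot path answers 200 rather than 400 so an automated submitter gets no signal that it was filtered, and the allowlist already rejects the CRLF-bearing name, so `strip_header_unsafe` is a second line of defence for the free-text message and any value that is later placed in a mail header.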
Engagements
For paid engagements (consulting, software delivery, training, support), the security baseline above is the minimum; deliveries to regulated sectors (healthcare, finance, defense, public sector) typically include additional controls negotiated in the Master Services Agreement and Statement of Work. Common controls include:
- SSO and least-privilege access to all client systems we touch.
- Mutual NDAs and per-engagement DPAs / BAAs where applicable.
- Code review on every change, with automated security scanning in CI.
- Secrets management via AWS Secrets Manager, HashiCorp Vault, or the client's chosen tool, never in source control.
- Data-handling commitments calibrated to the data class (PHI, PII, CUI, etc.) and the relevant compliance regime (HIPAA, SOC 2, FedRAMP-readiness, etc.).
- Audit trails on every model output we deliver, with regulator-friendly reporting.
Reporting a vulnerability
If you've discovered a security issue with our website or one of our products, please report it to support@quantumhorizon.ai with subject "Security issue". Please include:
- A clear description of the issue.
- Steps to reproduce, or a proof-of-concept request/response.
- Your name (so we can credit you, if you'd like) and a way to reach you.
We commit to acknowledging good-faith vulnerability reports within five business days, and we will not pursue legal action against researchers who follow this disclosure process and stay within scope (no DoS, no data exfiltration, no testing against other users' data).
Questions
For security-review questionnaires, vendor-risk assessments, or specific control-evidence requests for a procurement process, email support@quantumhorizon.ai with the questionnaire attached. We typically respond inside three business days.