Security Trust Centre — Web Page Content
Purpose: Copy-paste ready content for quick-id.com/security or quick-id.com/trust
Classification: Public
Last updated: March 2026
Copy everything below this line for your website:
Quick-ID Security & Trust Centre
At CTW Data Solutions, security is not just a feature — it is the foundation of everything we build. Quick-ID processes sensitive identity documents for 50+ enterprise customers worldwide. We take that responsibility seriously.
Compliance & Certifications
| Standard | Status | Details |
|---|---|---|
| ISO/IEC 27001:2022 | 🔄 Certification in progress | Full ISMS implemented; certification target September 2026 |
| SOC 2 Type I | 🔄 Readiness phase | Trust Services Criteria mapped; Type I audit target Q4 2026 |
| GDPR / DSGVO | ✅ Compliant | Registered in Germany; DPO appointed; DPAs available for all customers |
| EU AI Act | ✅ Assessed | Risk classification completed; Quick-ID assessed as limited/minimal risk |
Certification documents available on request to customers under NDA.
Data Protection by Design
Zero-retention architecture. Quick-ID processes identity documents entirely in-memory. Your users' ID images are never written to disk, never stored in a database, and never retained after processing.
How it works:
- Your application sends an ID image to the Quick-ID API over TLS 1.3
- Our OCR engine extracts structured data in a secure container (Azure AKS)
- The extracted data is returned to your application via the API response
- The original image is immediately discarded from memory
No data is retained by Quick-ID. Ever.
Infrastructure Security
| Control | Implementation |
|---|---|
| Hosting | Microsoft Azure — Germany West Central (Frankfurt), with additional EU regions available |
| Encryption in transit | TLS 1.3 enforced on all API endpoints |
| Encryption at rest | AES-256 via Azure Key Vault managed keys |
| Network isolation | Azure Virtual Network with Network Security Groups; no public administrative access |
| Infrastructure as Code | All infrastructure managed via Terraform; peer-reviewed and version-controlled |
| Container security | Azure Kubernetes Service (AKS) with restricted container policies |
Application Security
| Control | Implementation |
|---|---|
| Authentication | API key authentication via Azure Key Vault |
| Rate limiting | Per-customer rate limits to prevent abuse |
| Code security | GitHub Advanced Security: SAST, secret scanning, Dependabot |
| Code review | All changes require peer review via pull request before deployment |
| CI/CD pipeline | Automated testing and security scanning on every deployment |
| Dependency management | Automated vulnerability scanning and patching via Dependabot |
Access Control
- Multi-factor authentication (MFA) enforced on 100% of internal accounts
- Role-based access control (RBAC) with least-privilege principle
- Quarterly access reviews
- Immediate access revocation upon personnel changes
Availability
| Metric | Target |
|---|---|
| Uptime SLA | 99.9% |
| Status page | app.quick-id.com/health/ |
| Business continuity | Documented BCP with defined RTO and RPO |
| Backup & recovery | Automated geo-redundant backups; restore tested semi-annually |
Incident Response
- Documented Incident Response Plan tested via tabletop exercises
- 24/7 emergency escalation for critical incidents
- GDPR-compliant 72-hour breach notification process
- Post-incident review for all significant events
Employee Security
- Security awareness training completed annually by all staff
- Background checks for all new hires
- Confidentiality agreements required
- BYOD policy with mandatory encryption, screen lock, and OS updates
Vendor Security
We carefully select and monitor our vendors:
| Vendor | Purpose | Compliance |
|---|---|---|
| Microsoft Azure | Cloud infrastructure | SOC 2 Type II, ISO 27001, C5 |
| GitHub | Source code management | SOC 2 Type II, ISO 27001 |
| Google Workspace | Internal collaboration | SOC 2 Type II, ISO 27001 |
Data processing agreements are in place with all vendors.
Data Processing Agreement
A DPA compliant with GDPR Article 28 is available for all Quick-ID customers. Contact your account manager or email privacy@quick-id.com to request a copy.
Privacy Policy
Our full privacy policy is available at quick-id.com/privacy-policy.
Security Contact
To report a security vulnerability or ask a security question:
- Email: security@quick-id.com
- Response time: We aim to acknowledge all reports within 24 hours
FAQ
Does Quick-ID store my users' ID images?
No. All images are processed entirely in-memory and discarded immediately after processing. We operate a zero-retention architecture.

Where is my data processed?
By default, data is processed in Microsoft Azure Germany West Central (Frankfurt). Additional EU regions are available for customers outside the DACH region.

Is Quick-ID GDPR compliant?
Yes. CTW Data Solutions GmbH is registered in Germany, has an appointed DPO, maintains a GDPR Article 30 processing register, and offers DPAs to all customers.

Can I get a copy of your ISO 27001 certificate?
Our certification audit is scheduled for 2026. Once issued, certificates will be available to customers under NDA. In the meantime, we can share our Statement of Applicability and security documentation on request.

Does Quick-ID use AI?
Yes, Quick-ID uses AI/ML models for document verification and OCR. Our models are trained on synthetic and licensed datasets — they do not learn from or retain individual customer data.
© 2026 CTW Data Solutions GmbH — All rights reserved.