Security You Can Rely On
We hold ourselves to a high standard so your data is always protected. Here's an open view of our security posture, certifications, and the partners we work with.
Our Commitment to Security
Security isn't a checkbox — it's built into how we design, operate, and improve QuivaWorks.
At QuivaWorks we believe that trust is earned through transparency and action. Our information security programme is designed to protect the confidentiality, integrity, and availability of all data we handle — whether that's your assistant configurations, team data, or conversation history. We hold ISO 27001 certification and operate under a formal Information Security Management System (ISMS) that is independently audited every year.
Independently Verified
Our certifications are issued and renewed through accredited third-party auditors, not self-assessments.
ISO/IEC 27001 is the internationally recognised standard for information security management. Certification requires a comprehensive ISMS covering risk assessment, security controls, and continuous improvement — audited annually by an accredited certification body.
- Formal Information Security Management System (ISMS)
- Annual third-party surveillance audits
- Risk assessment and treatment framework
- Covers design, development, and operation of the QuivaWorks platform
- Mandatory employee security training and awareness
QuivaWorks is operated by Evari Services UK Ltd, a UK-registered company. We comply fully with the UK GDPR and EU GDPR. A Data Processing Agreement (DPA) is available to all customers and forms part of our standard Terms of Service.
- Data Processing Agreement available on request
- Lawful basis documented for all processing activities
- Data Subject Rights (access, deletion, portability) supported
- Records of Processing Activities (RoPA) maintained
- 72-hour breach notification process in place (notification to the supervisory authority within 72 hours of becoming aware, as required by Article 33 GDPR)
How We Protect Your Data
Our controls span physical, technical, and organisational layers — all mapped to the ISO 27001 Annex A control set.
Strict access governance ensures only authorised personnel can reach sensitive systems and data.
- Role-based access control (RBAC) across all systems
- Multi-factor authentication enforced for all staff
- Least-privilege principle applied by default
- Access reviews conducted quarterly
All customer data is encrypted in transit and at rest using industry-standard algorithms.
- TLS 1.2 or higher for all data in transit
- AES-256 encryption for all data at rest
- Encryption keys managed via Google Cloud KMS
- HTTPS enforced with HSTS preloading
Continuous monitoring detects anomalies and security events before they become incidents.
- Centralised security logging and SIEM alerting
- Automated anomaly detection on key systems
- Audit trails retained for all privileged actions
- Uptime and availability monitoring 24/7
We proactively find and fix vulnerabilities before they can be exploited.
- Dependency scanning on every code merge
- Regular penetration testing by third parties
- Responsible disclosure programme in place
- Critical patches applied within 24 hours
A documented and rehearsed incident response plan minimises the impact of any security event.
- Formal Incident Response Plan reviewed annually
- Defined severity classifications and escalation paths
- Customer breach notification within 72 hours
- Post-incident reviews and lessons learned
Regular backups and tested recovery procedures protect against data loss.
- Automated daily backups of all customer data
- Geographically redundant backup storage
- Recovery procedures tested quarterly against the Recovery Time Objective (RTO)
- Business continuity plan maintained
Security awareness is embedded into how our team works — from day one.
- Security awareness training on joining and annually
- Acceptable use and confidentiality agreements
- Phishing simulation exercises conducted regularly
- Background checks for all new hires
Security is integrated into every stage of our software development lifecycle.
- Mandatory code review before production merges
- OWASP Top 10 considered in design and review
- Staging environment mirrors production
- Infrastructure-as-code with change control
Your Data, Your Rights
We collect only what we need, retain it only as long as necessary, and make it easy for you to exercise your rights.
A Data Processing Agreement (DPA) is included within our Terms of Service and governs how we process personal data on your behalf. Enterprise customers can request a countersigned copy.
- Included in standard Terms of Service
- Defines controller / processor responsibilities
- Covers sub-processor obligations
- Signed copies available on request
We retain your data only for as long as your account is active or as required to fulfil legal obligations. Conversation and assistant data are deleted on account closure.
- Account data deleted within 30 days of closure
- Billing records retained for 7 years (legal requirement)
- Log data retained for 90 days
- Backups purged within 35 days of deletion
As a data subject under the UK / EU GDPR you have a number of rights we are committed to upholding. Contact us at privacy@quiva.ai to exercise any of these.
- Right to access your personal data
- Right to erasure ("right to be forgotten")
- Right to data portability
- Right to rectification of inaccurate data
QuivaWorks is operated by Evari Services UK Ltd. Primary infrastructure runs on Google Cloud Platform. AI processing may involve cross-border transfers to our AI model providers, covered under Standard Contractual Clauses (SCCs).
- Primary data stored in EU/UK GCP regions
- International transfers covered by SCCs
- Transfer Impact Assessments documented
- No selling of personal data to third parties
When your assistants use Claude or Gemini to process requests, those queries are sent to the relevant AI model provider. We have data processing agreements in place with each provider, and your data is not used to train AI models.
- DPAs in place with all AI model providers
- Your data is not used for model training
- Prompts and responses are not stored by providers
- You control what data your assistants can access
We use cookies on our marketing website to measure traffic and improve the experience. You can manage your preferences at any time via our cookie banner. No behavioural advertising cookies are used.
- Cookie consent collected before any analytics
- Google Analytics used for website traffic only
- No cross-site tracking or advertising pixels
- Preferences can be updated at any time
Third-Party Sub-processors
These are the companies we use to deliver the QuivaWorks service. Each has a data processing agreement in place with us and is subject to our vendor security review.
| Provider | Purpose | Category | Location |
|---|---|---|---|
| Claude (Anthropic, PBC) | AI model processing — powers assistant responses and reasoning within the QuivaWorks platform. | AI Model | United States |
| Gemini (Google LLC) | AI model processing — alternative AI model available to assistants within the QuivaWorks platform. | AI Model | United States |
| Google Cloud Platform (Google LLC) | Cloud infrastructure, compute, database, storage, and hosting for the QuivaWorks platform. | Infrastructure | UK |
| Stripe (Stripe, Inc.) | Payment processing and subscription billing. Card data is handled exclusively by Stripe and never touches our servers. | Payments | United States |
| Google Analytics (Google LLC) | Website traffic analytics and usage measurement on the quiva.ai marketing website. Only activated with cookie consent. | Analytics | United States |
Have a Security Question?
Our security team is happy to answer questions, provide documentation, or discuss our controls in more depth.