Terms of Use

1. Legal Identity and Acceptance

These Terms of Use (“Terms”) constitute a legally binding agreement between you and “Quest Consortium Security Solution” (QCSS), a company duly incorporated under the laws of “England and Wales”, with registered company number 16741806 and registered office at “Marsh View Gravesend, Kent, United Kingdom” (“Company,” “we,” “us,” or “our”). By accessing, registering for, or using the Services, you confirm that you have read, understood, and agree to be bound by these Terms.

Where you enter these Terms on behalf of an organization, you represent and warrant that you have full legal authority to bind that organization to these Terms. All references to “Customer” shall include such organization. The Company reserves the right to update these Terms from time to time, with continued use of the Services constituting acceptance of such updates.

2. Description of Services

The Company provides cybersecurity software and related services including vulnerability discovery, monitoring, analysis, reporting, and risk assessment (“Services”). The Services are intended solely for systems where the Customer has lawful authorization.

The Services do not guarantee prevention or detection of all threats and form part of a broader cybersecurity program. The Company may update Services provided functionality is not materially degraded.

3. Authorized Use and Export Compliance

The Customer shall use the Services only for lawful purposes and authorized systems. The Customer must comply with all applicable laws, regulations, and export control requirements. The Customer is responsible for ensuring compliance in all jurisdictions where the Services are used.

The Company may apply reasonable technical and administrative controls to support compliance with applicable export control and sanctions regulations. Where the Company reasonably determines that use of the Services may breach applicable laws, export controls, or sanctions requirements, the Company may restrict or suspend access to the Services.

4. Account Security and Access Controls

The Customer is responsible for maintaining the confidentiality of all credentials and ensuring that only authorized users are granted access to the Services. The Customer must implement appropriate internal controls over user access, including prompt removal of access for users who are no longer authorized.

The Company implements technical security measures to support account protection, which may include multi-factor authentication (MFA), session management controls, monitoring, and access logging.

Security responsibilities are shared between the Company and the Customer. The Customer is responsible for managing user access within their organization, while the Company is responsible for securing the platform and providing available security features.

The Customer must promptly notify the Company of any suspected or confirmed unauthorized access to the Services.

5. Fees, Billing, and Payment

Fees are defined in applicable agreements and are payable in advance unless otherwise agreed in writing. All fees are exclusive of applicable taxes, levies, or duties, which shall be the responsibility of the Customer.

The Company may suspend access to the Services in the event of overdue or non-payment, following reasonable notice where applicable.

The Customer must notify the Company in writing of any billing disputes within a reasonable time after the invoice date. The Parties shall work in good faith to resolve any disputed charges promptly. Undisputed amounts shall remain payable in accordance with the agreed payment terms.

Pricing may be revised upon renewal, subject to prior written notice to the Customer.

6. Term, Renewal, and Termination

These Terms apply for the duration of the Customer’s subscription and will automatically renew unless terminated in accordance with the applicable agreement.

Either party may terminate the agreement in accordance with the termination provisions set out in the applicable contract, including material breach or where continued provision of the Services presents a reasonable security, legal, or compliance risk.

Upon termination or expiration of the agreement, the Customer’s access to the Services shall cease. Any data handling, including retention, deletion, or return of Customer data, shall be carried out in accordance with the Company’s applicable Data Retention and Data Protection Policy.

7. Limitation of Liability

To the maximum extent permitted by applicable law, the Company’s total aggregate liability arising out of or in connection with the Services shall be limited to the total fees paid by the Customer for the Services in the twelve (12) months preceding the event giving rise to the claim.

The Company shall not be liable for any indirect, incidental, consequential, special, or punitive damages, including but not limited to loss of profits, revenue, data, or business opportunity, arising out of or in connection with the use of the Services.

Nothing in this clause shall exclude or limit liability where such exclusion or limitation is not permitted under applicable law, including applicable laws in jurisdictions where the Services are lawfully provided.

This clause shall be interpreted in accordance with the Company’s global operating context, with the governing law and jurisdiction set out in the applicable agreement.

8. Force Majeure

The Company is not liable for delays caused by events beyond its control, including cyberattacks and infrastructure failures.

9. Assignment

Customers cannot assign without consent. Company may assign in corporate restructuring. 

10. Governing Law and Jurisdiction

These Terms shall be governed by and construed in accordance with the laws of England and Wales.

The courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with these Terms, including non-contractual disputes or claims.

Privacy Policy

1. Controller Identity

Quest Consortium Security Solutions Limited (QCSS), a company registered in the United Kingdom, acts as a Data Controller for personal data processed in connection with account registration, billing, and operation of the Services.

Where the Company processes personal data on behalf of its customers, it acts as a Data Processor in accordance with applicable contractual arrangements, including Data Processing Agreements (DPAs).

Contact for privacy matters: hq@qcwss.com

2. Categories of Data Collected

The Company collects personal data necessary to provide and improve the Services, including: 

  • Identity data (e.g., name, email)
  • Technical data (e.g., IP address, logs)
  • Transactional data (e.g., billing records)

The Company adheres to data minimization principles. Special category (sensitive) data is not intentionally collected unless required by law and subject to additional safeguards.

3. Purpose and Legal Basis

Personal data is processed for:

  • Service delivery and account management
  • Authentication and security monitoring
  • Billing and fraud prevention
  • Compliance with legal obligations

Lawful bases include contract performance, legitimate interests, legal obligations, and consent where applicable.

4. Data Subject Rights

Individuals have the right to:

  • Access, correct, or delete their data
  • Restrict or object to processing
  • Withdraw consent where applicable

Requests can be submitted to hq@qcwss.com. The Company will respond within 30 days under GDPR.

5. Regulatory Authority and Complaints

Individuals may lodge complaints with a relevant supervisory authority in their jurisdiction.

For the United Kingdom, this includes the Information Commissioner’s Office (ICO). For Nigeria, this includes the Nigeria Data Protection Commission (NDPC).

Where applicable, individuals within the European Economic Area may contact their local supervisory authority under the General Data Protection Regulation (GDPR).

The Company encourages individuals to contact it first for resolution. 

6. International Data Transfers

Where personal data is transferred outside its originating jurisdiction, appropriate safeguards such as Standard Contractual Clauses (SCCs) are implemented.

Transfer Risk Assessments (TRAs) are conducted where required.

7. Data Retention

Personal data is retained only for as long as necessary for the purposes outlined and to meet legal obligations.

Retention periods are defined in the Company’s internal data retention policy. Data is securely deleted or anonymized thereafter.

8. Security Measures

The Company implements appropriate technical and organisational measures, including: 

  • Encryption in transit
  • Access controls and authentication
  • Logging and monitoring
  • Incident response processes 

In the event of a data breach affecting personal data, notifications will be handled in accordance with applicable laws and contractual obligations.

Acceptable Use Policy

1. Purpose and Applicability

This Acceptable Use Policy (“AUP”) forms part of and is incorporated into Quest Consortium Security Solutions (QCSS) Terms of Use and governing agreement.

This Policy applies to all Customers, users, and any individuals accessing or using the Services. The Services are intended solely for lawful cybersecurity activities.

2. Authorized and Lawful Uses

The Services may only be used on systems for which the Customer has explicit, documented authorization.

Customers are responsible for ensuring compliance with applicable laws and must maintain evidence of authorization. The Company may request validation where misuse is suspected.

3. Prohibited Activities

Prohibited actions include:

  • Unauthorized access or data exfiltration
  • Disruption of systems or networks
  • Circumvention of security controls 
  • Reverse engineering (except where legally permitted)

Violations may result in enforcement actions under the Terms of Use. 

4. Export Control and Sanctions Compliance

Customers must comply with applicable export control and sanctions laws, including UK and international regulations.

The Company may implement controls to restrict access from sanctioned regions where required.

5. Responsibility and Internal Controls

Customers are responsible for all account activities and must implement appropriate controls, including:

  • Access management
  • Authorization procedures
  • Monitoring and oversight

Controls should align with recognised standards such as ISO 27001 or equivalent best practices.

6. Monitoring and Investigation

The Company may monitor use of the Services as necessary to ensure compliance, detect threats, and protect system integrity.

Monitoring is conducted in line with applicable data protection laws, including UK GDPR.

7. Enforcement and Remediation

The Company may take proportionate enforcement actions, including:

  • Warnings
  • Access restrictions
  • Suspension
  • Termination

Serious violations may be escalated and reported to authorities where required.

8. Reporting Violations and Cooperation

Customers must report suspected misuse or incidents promptly to hq@qcwss.com.

The Customer agrees to cooperate in investigations.

10. Updates and Amendments

The Company may update this AUP to reflect legal, operational, or security changes.

Customers will be notified via email. Continued use constitutes acceptance.

Complaint Handling Process

1. Purpose

The Company is committed to handling complaints in a fair, transparent, and timely manner. This process establishes a structured approach for receiving, assessing, investigating, and resolving complaints in a way that supports accountability, regulatory alignment, and continuous improvement. This process forms part of the Company’s governance framework and operates in alignment with the Privacy Policy, Terms of Use, Incident Response Plan, and internal risk management processes.

2. Scope

This process applies to all complaints received from customers, users, partners, or third parties relating to the Company’s Services, including but not limited to:

  • Service performance or availability
  • Billing and payments
  • Data protection or privacy concerns
  • Security-related issues
  • Customer support interactions

Complaints must relate to services or activities within the Company’s control. Matters outside this scope may be redirected appropriately.

3. Complaint Submission Process

Complaints may be submitted through the following channels: 

  • Email: hq@qcss.com
  • Website contact form
  • Official support channel

Submissions should include, where available:

  • Name and contact details of the complainant
  • Description of the complaint
  • Relevant dates and events
  • Supporting evidence (if applicable)

All complaints are treated confidentially and handled in accordance with applicable data protection laws.

4. Upon receiving a complaint, the Company will:

  • Acknowledge receipt within a defined and reasonable timeframe (typically within 2–5 business days)
  • Log and track the complaint in an internal complaint register
  • Assess the nature, severity, and impact of the complaint
  • Assign appropriate ownership for investigation
  • Take reasonable steps to investigate and resolve the issue
  • Communicate progress and outcome to the complainant where appropriate

5. Investigation and Resolution

Each complaint will be:

  • Reviewed to determine validity and scope
  • Investigated by the relevant team (e.g., Product, Engineering, GRC, or Support)
  • Assessed for risk, impact, and root cause

Resolution actions may include:

  • Corrective measures to address the issue
  • Process or control improvements
  • Communication of findings and resolution to the complainant

Resolution timelines will be proportionate to the complexity and severity of the complaint.

6. Escalation

Complaints may be escalated where:

  • The issue is not resolved within expected timeframes
  • The complaint involves high-risk matters (e.g., data protection, security, legal exposure)
  • The complainant is not satisfied with the initial resolution

Escalation path:
Support → GRC → Legal/Management

Where required, complaints may be escalated to relevant regulatory authorities in accordance with applicable laws.

7. Record Keeping and Tracking

All complaints must be:

  • Logged in a central Complaint Register
  • Assigned a unique reference ID
  • Tracked from receipt through to resolution

Records must include:

  • Date received
  • Nature of complaint
  • Actions taken
  • Resolution outcome
  • Closure date

Records are retained for audit, compliance, and continuous improvement purposes.

8. Limitations

This process does not apply to:

  • General enquiries (non-complaint)
  • Requests already handled through other formal processes (e.g., DSAR requests) 
  • Issues outside the Company’s operational control

Misuse of the complaint process or submission of fraudulent claims may result in rejection and further action in accordance with the Company’s Terms of Use and Acceptable Use Policy.

9. Continuous Improvement

The Company will periodically review complaints to:

  • Identify trends and recurring issues
  • Improve products, services, and processes
  • Strengthen internal controls and governance

Findings may be used to support risk management and compliance initiatives.

10. Review and Update

This process will be reviewed periodically and updated to reflect:

  • Changes in regulatory requirements
  • Operational improvements
  • Lessons learned from complaint handling activities

Vulnerability Disclosure Policy

1. Purpose

The Company is committed to maintaining the security and integrity of its Services and supports the responsible disclosure of vulnerabilities identified by security researchers, customers, and members of the broader community. This Policy establishes a framework for reporting vulnerabilities in a manner that supports coordinated remediation, responsible communication, and overall risk reduction.

This Policy forms part of the Company’s broader security and governance framework and operates in alignment with the Security Addendum, Incident Response Plan, and internal risk management processes to ensure consistent handling, escalation, and remediation of reported vulnerabilities.

2. Scope of Testing

Testing activities must be limited to systems, applications, and services that are explicitly owned, operated, or authorized by the Company (“in-scope systems”). The Company will maintain and publish a defined list of in-scope assets to ensure clarity for all participants. Any systems not expressly listed are considered out of scope.

Testing must be conducted in a controlled, ethical, and non-disruptive manner.

Testing must not:

  • Disrupt, degrade, or impair service availability
  • Access, exfiltrate, or modify data belonging to other users or third parties
  • Exploit vulnerabilities beyond what is strictly necessary to demonstrate their existence
  • Conduct automated or high-volume testing that may impact system stability without prior approval

Testing is authorized only within the boundaries of this Policy. Any activities that fall outside the defined scope or may introduce risk to service availability, data integrity, or confidentiality require prior written authorization from the Company.

3. Reporting Process

Vulnerabilities should be reported to: info@qcss.com

Reports should include, where available:

  • A clear description of the vulnerability
  • Steps to reproduce the issue
  • The potential impact
  • Supporting evidence (e.g., logs, screenshots, or proof of concept)

The Company encourages responsible disclosure and requests that all information shared be handled in a confidential manner. Where appropriate, reporters are encouraged to use secure communication methods when submitting sensitive details.

Upon receipt, all vulnerability reports will be logged, tracked, and assessed in accordance with the Company’s internal vulnerability management and incident response processes. The Company will make reasonable efforts to acknowledge receipt of reports and provide updates on remediation progress where applicable.

4. Company Commitments

Upon receiving a vulnerability report, the Company will: 

  • Acknowledge receipt of the report within a defined and reasonable timeframe (typically within 2–5 business days)
  • Log and assess the reported vulnerability in accordance with internal vulnerability management procedures
  • Prioritize remediation efforts based on the severity, impact, and exploitability of the vulnerability
  • Take appropriate steps to remediate validated vulnerabilities within a timeframe proportionate to the associated risk
  • Communicate progress and resolution updates to the reporter where appropriate.

All reported vulnerabilities will be handled in alignment with the Company’s Incident Response Plan and risk management framework to ensure consistent evaluation, prioritization, and remediation.

5. Safe Harbor

The Company will not pursue civil or legal action against individuals who identify and report vulnerabilities, provided that such individuals:

  • Act in good faith and with the intent of improving the security of the Company’s systems
  • Comply fully with the terms of this Policy
  • Conduct testing only within the defined scope and authorization boundaries
  • Do not exploit vulnerabilities beyond what is necessary to demonstrate their existence
  • Do not access, modify, or exfiltrate data that does not belong to them
  • Do not engage in any activity that disrupts or degrades service availability

This Safe Harbor applies solely to activities conducted in accordance with this Policy and does not extend to actions that violate applicable laws or regulations. All protections under this section are subject to compliance with relevant legal and regulatory requirements in the applicable jurisdiction.

6. Limitations

This Policy does not authorise:

  • Social engineering attacks
  • Physical security testing
  • Denial-of-service or traffic flooding attacks
  • Accessing, modifying, or exfiltrating data beyond what is strictly necessary to demonstrate a vulnerability

Activities outside these boundaries are strictly prohibited.

Any actions that violate this Policy, or applicable laws and regulations, may result in disqualification from this program and may be subject to further action in accordance with the Company’s Terms of Use, Acceptable Use Policy, and other governing agreements.

All violations will be reviewed and handled in line with the Company’s internal incident response and escalation procedures to ensure appropriate investigation, risk assessment, and resolution.

7. Coordinated Disclosure

The Company supports coordinated vulnerability disclosure and aims to resolve reported vulnerabilities in a timely manner.

Reporters are requested to allow the Company a reasonable period to investigate and remediate reported vulnerabilities before any public disclosure. The Company generally targets a remediation timeline of up to 90 days from the date of acknowledgment, depending on the severity and complexity of the issue.

In cases where a vulnerability presents a high or critical risk, the Company will make reasonable efforts to expedite remediation.

The Company will work in good faith with reporters to agree on an appropriate timeline for public disclosure where necessary. Public disclosure of vulnerabilities without prior coordination with the Company may be considered a violation of this Policy.

Data Processing Agreement

1. Roles and Scope

This Data Processing Agreement (“DPA”) forms part of and is incorporated into the governing agreement (including Terms of Service) between Quest Consortium Security Solutions (QCSS) (“Processor”) and the Customer (“Controller”).

The Controller determines the purposes and means of processing Personal Data. The Processor processes Personal Data solely on behalf of the Controller and only for the purpose of providing the Services, in accordance with this DPA, the governing agreement, and applicable data protection laws, including the UK GDPR.

2. Nature and Purpose of Processing

The Processor processes Personal Data solely for the purpose of delivering cybersecurity services as defined in the governing agreement and product documentation.

Processing activities may include collection, storage, analysis, transmission, and deletion of Personal Data required to operate the Services. The Processor shall not process Personal Data for its own independent purposes.

3. Categories of Data and Data Subjects

The Personal Data processed may include:

  • Basic identifiers (e.g., name, email address)
  • Technical data (e.g., IP addresses, logs, device identifiers)
  • Account and authentication data

Data Subjects may include:

  • Customer employees
  • Authorized users

Special category (sensitive) data is not intentionally processed unless explicitly agreed and subject to additional safeguards.

The Controller is responsible for determining the data submitted into the Services.

4. Processing Instructions

The Processor processes Personal Data only in accordance with documented instructions from the Controller, including use of the Services as defined in the governing agreement.

If the Processor believes an instruction violates applicable law, it shall inform the Controller without undue delay.

5. Confidentiality

The Processor ensures that personnel authorised to process Personal Data are subject to confidentiality obligations and access data only where necessary.

The Processor maintains internal controls including training and access management to enforce confidentiality.

6. Security Measures

The Processor implements appropriate technical and organisational measures, including:

  • Encryption in transit (TLS/HTTPS)
  • Access controls and authentication mechanisms
  • Logging and monitoring
  • Risk-based security management practices

Security measures are documented in the Security Addendum and reviewed periodically.

7. Personal Data Breach Notification

The Processor shall notify the Controller without undue delay and, where feasible, within 72 hours after becoming aware of a Personal Data breach affecting Customer data.

Notification shall include:

  • Nature of the breach
  • Likely consequences
  • Measures taken or proposed

8. Subprocessors

The Processor may engage subprocessors to support service delivery.

The Processor ensures subprocessors are bound by equivalent data protection obligations and subject to due diligence and risk assessment.

The Controller will be notified of new subprocessors where required.

9. Data Subject Requests

The Processor shall notify the Controller of any Data Subject requests and shall not respond directly unless instructed.

The Processor shall provide reasonable assistance to the Controller in fulfilling such requests.

10. Data Retention and Deletion

Personal Data is retained only as long as necessary and in accordance with applicable law and internal policies.

Upon termination, data will be deleted or anonymised within defined timelines, including handling of backups.

11. International Transfers

Where Personal Data is transferred internationally, the Processor implements appropriate safeguards such as Standard Contractual Clauses (SCCs) or equivalent mechanisms in line with UK GDPR.

Transfer risk assessments are conducted where required.

12. Liability

Liability under this DPA is subject to the limitations and exclusions defined in the governing agreement.

Last updated date: 8 May 2026