The /security page describes the architecture and controls. This page is the itemized list of documents behind that description — what each one covers, who it's written for, and how to get it.
Not a brochure — the actual control documentation.
The security docs pack is the set of documents a reviewer needs to evaluate QuietNode before a pilot: what is enforced in code, what is stored and for how long, and where the platform's own claims come from.
Self-attested from the product source — every claim in the pack names the file or test that enforces it, not a slide that asserts it.
Covers both products: QuietNode BI Analyst — QuietLens's compliance matrix, data handling, and eval methodology, and QuietNode Data Engineer — Pumpkin's access-control model and SOC 2 readiness map.
It is the same documentation our own engineers read, not a version written for marketing.
QuietLens · /security (in-app)
Demo scenario · real product outputThe product's in-app security page, written for the strictest reviewer
What's inside
Eight documents, itemized.
No bundled zip of unrelated PDFs. Each item below is a specific, current document — request the whole pack or ask for the ones relevant to your review.
QuietNode BI Analyst — QuietLens
Compliance control matrix
Every implemented control — password hashing, TOTP MFA, SSO, RBAC, the hash-chained audit log, the SELECT-only SQL gate — mapped to SOC 2 Trust Services Criteria, ISO/IEC 27001 Annex A, and CIS Controls v8, each linked to the enforcing code and test.
QuietNode BI Analyst — QuietLens
Data-handling & retention policy
Exactly what is stored (users, workspaces, conversations, connector config, audit events), where, and for how long, including the optional PII-redaction and idle-conversation purge settings.
QuietNode BI Analyst — QuietLens
Data processing agreement (template)
A counsel-reviewable DPA template describing the customer-VPC deployment model, under which QuietNode holds no customer data and performs no processing outside the customer's own environment.
QuietNode BI Analyst — QuietLens
Architecture map
The deployment topology and trust boundaries: the customer-VPC container, the read-only svc-quietlens identity, connector data flows — and the strict separation from Pumpkin's own VPC, with no shared credentials, roles, or network.
QuietNode BI Analyst — QuietLens
Eval methodology & scorecard
How the golden eval is produced — 121 cases, 121/121 passing, 0 grounding violations, deterministic fixtures, no network, no live LLM call — enforced as a CI regression gate on every commit. The count matches the current release scorecard.
QuietNode BI Analyst — QuietLens
Release provenance (SBOM + signed image)
Each tagged release attaches a CycloneDX SBOM and the eval scorecard; the container image is keyless-signed by CI with SLSA build provenance, recorded in the public Rekor transparency log, and the README documents the cosign verify command. Image access is granted per pilot.
QuietNode Data Engineer — Pumpkin
Access-control model
The ticket-native, metadata-first, escalate-on-approval model: no standing access, and a two-phase Plan / Access-Request comment gate before any scoped, time-boxed credential is issued.
QuietNode Data Engineer — Pumpkin
SOC 2 readiness map
The deny-by-default policy engine, no-standing-admin design, and append-only audit log mapped against the five SOC 2 Trust Services Criteria — a readiness map, not an independent audit.
Who it's for, how it arrives
Written for reviewers. Delivered by a person.
The pack is request-gated, not a public download — that keeps it current and lets us point you at the documents that matter for your review instead of everything at once.
Who it's for
Security reviewers
Evaluating QuietNode ahead of a pilot — architecture, access model, and enforced controls.
Compliance & procurement
Building a vendor risk file and need the control matrix, data-handling policy, and DPA in one place.
Engineering leads
Who want to see what is enforced in code and tested in CI, not asserted in a sales deck.
How delivery works
01
Request it
Choose “Security review” in the contact form and note what you’re evaluating.
02
A founder reads it
The person building the product replies personally — no ticket queue, no handoff to sales.
03
The pack goes out
Matched to your review — the relevant documents, sent directly.
Request the pack
Ready for your reviewer to see it directly.
Pick “Security review” in the contact form and note what you’re evaluating. A founder replies with the relevant documents — no download link, no ticket queue.