Resilience, Security, and Compliance
Embedded Trust
This Trust Center provides a clear overview of how we manage operational resilience, security, compliance and third-party risk across architecture, workflows and integrations. Quiddly is designed around structured governance, documented controls and built-in auditability. Our operational model aligns with DORA, EBA third-party expectations and GDPR requirements.
Resilience & ICT Risk
Digital operational resilience is part of how Quiddly is designed, monitored and governed. We work with a structured ICT risk framework covering infrastructure, applications, integrations and key external dependencies. Risk ownership, reporting and oversight are clearly defined, with regular reviews and management-level follow-up.
Incidents are handled through a documented process covering detection, classification, response, recovery and follow-up. This helps minimise impact, support clear communication and ensure that root causes are addressed through tracked remediation.
We also test resilience proactively. This includes independent penetration testing, backup and recovery validation, and additional testing after major architectural changes. Business continuity and disaster recovery are formally planned, reviewed and tested, with defined recovery objectives and leadership ownership.
Security & Information Protection
Security is embedded across identity, infrastructure, development and monitoring. Access to systems and data is governed through role-based access control, least privilege, multi-factor authentication and periodic access reviews.
Our development and change processes are structured to reduce risk before functionality reaches production. Security reviews, code review standards, OWASP awareness, formal change classification and documented release processes help ensure that changes are controlled.
Continuous monitoring gives us visibility across infrastructure, integrations, performance and availability. Centralised logging, observability and anomaly detection help us identify and respond to potential issues early. Security awareness is also reinforced through onboarding, recurring training and technical education.
Governance & Auditability
Compliance is built into the way Quiddly is governed and operated. Our risk framework is approved at board level, with operational accountability anchored in management and reviewed on a recurring basis.
The platform is designed for traceability. Agent activity, workflow events, case history, document handling and system changes are logged to support transparency, auditability and operational control.
Data protection is managed through structured governance, EU data residency, data minimisation, sub-processor oversight and documented processor responsibilities. Trust also extends beyond technical controls, with policies covering conduct, anti-corruption, and sustainability.
Third-Party Governance
Third-party risk is managed through structured oversight and proportional control. Suppliers and sub-processors are assessed according to the criticality and risk level of the service they provide.
Our governance model includes due diligence, supplier classification, contractual safeguards, continuity considerations and exit planning. This helps customers understand how external dependencies are managed and how operational resilience is maintained across the service chain.
Architecture & Cloud Model
Quiddly is built on a modern cloud-native architecture designed for scalability, portability and resilience. The platform uses a modular product model, API-first integration architecture, containerised deployment principles and Infrastructure as Code practices.
Integrations are monitored for performance, availability and data integrity, with structured error handling and controlled API versioning. We also support data export, transition planning and contractual auditability to help customers maintain control and portability over time.
External Assurance
Independent validation strengthens confidence in our platform and operating model. Quiddly conducts annual penetration testing with OmegaPoint and works with external advisors such as Advisense to support regulatory readiness and control maturity.
We are preparing for ISO 27001 and SOC 2 readiness and regularly support security reviews from regulated clients. Our governance and control model is aligned with expectations from GDPR, DORA and financial-sector supervisory standards.
Vendor Due Diligence Pack
To make enterprise procurement and regulatory review easier, Quiddly can provide a vendor due diligence pack upon request. It includes summaries of our ICT risk management approach, incident response framework, security architecture, outsourcing governance, SLA and uptime metrics, and DORA control mapping.
DORA Alignment Overview
High-level mapping between DORA focus areas and Quiddly’s framework.
A detailed article-level mapping is available in our Due Diligence Pack.
Glossary
ICT Risk: The risk that technology failures, cyber incidents or system weaknesses impact business operations or regulatory compliance.
DORA (Digital Operational Resilience Act): EU regulation requiring financial institutions and their ICT providers to ensure digital operational resilience.
EBA Third-Party Expectations: Supervisory expectations from the European Banking Authority regarding outsourcing and third-party risk management.
Operational Resilience: The ability to continue operating during disruptions such as cyberattacks, outages or system failures.
Third-Party Risk: Risk introduced by external suppliers, cloud providers or integration partners.
Audit Trail: A complete, time-stamped history of actions and system events for traceability and control.
Least Privilege: A security principle where users receive only the access necessary to perform their role.
Penetration Testing: Independent security testing that simulates cyberattacks to identify vulnerabilities.
Recovery Time Objective (RTO): The maximum acceptable time a system can be unavailable after a disruption.
Recovery Point Objective (RPO): The maximum acceptable amount of data loss, measured in time.
Infrastructure as Code (IaC): Managing infrastructure through version-controlled configuration rather than manual setup.