Privacy Policy

Scope and legal basis

We process personal data in accordance with applicable laws, including Singapore's Personal Data Protection Act 2012 (PDPA), the EU General Data Protection Regulation (GDPR) where applicable to EU/EEA residents, the UK Data Protection Act 2018, and other national privacy laws relevant to where you access QNSI.

Our legal bases for processing include:

• Performance of a contract — to deliver QNSI Cloud and the services you have requested.
• Legitimate interests — to operate, secure, and improve QNSI, prevent abuse, and communicate with you about the service.
• Consent — where required, including for non-essential cookies and marketing communications.
• Legal obligation — to comply with applicable laws, tax obligations, and lawful requests from authorities.

Personal data we collect

Information you provide

• Account details: name, email, organization, role, country.
• Authentication credentials: passwords (hashed), WebAuthn/passkey identifiers, MFA tokens, API keys.
• Billing data: company name, billing address, tax identifiers, payment method tokens (processed by our payment provider, never stored on QNSI).
• Support correspondence: tickets, emails, chat transcripts, attachments.

Information collected automatically

• Service telemetry: API request metadata (endpoint, status, latency), request IDs, trace IDs, user agent, IP address.
• Audit events: tenant-scoped operations such as key creation, vault read/write, policy changes — these are stored in tamper-evident audit logs as part of the service.
• Cookies and similar technologies: see the Cookie Policy.

Information from third parties

• Marketplace activation events (AWS Marketplace, GCP Marketplace) when you subscribe to QNSI through a cloud marketplace.
• Identity provider responses (SAML, OIDC) when you sign in via an enterprise SSO your organization configures.

Customer Data vs personal data

"Customer Data" is the data you process through QNSI Cloud — secrets in the vault, objects in encrypted storage, search indexes, audit events your applications emit. CUI Labs is a data processor for Customer Data; you are the controller. See the Data Processing Addendum for processor terms.

This Privacy Policy primarily covers personal data HEOSSI collects as a data controller — for example, the data of users who sign up for accounts, request demos, or contact us.

How we use personal data

• Provide, operate, maintain, and secure QNSI.
• Authenticate users, enforce access controls, and prevent unauthorized access.
• Respond to support requests and communicate service updates.
• Detect, investigate, and prevent fraud, abuse, security incidents, and other harmful activity.
• Comply with legal obligations, including audit, tax, export control, and lawful requests from authorities.
• With your consent or where permitted by law, send product updates and marketing communications. You can opt out at any time.

Sharing and disclosure

We do not sell personal data. We share personal data only as described below:

• Service providers (sub-processors) — cloud hosting (AWS), email delivery, payments, analytics, customer support tooling. See the DPA for the current sub-processor list.
• Affiliates — HEOSSI group companies that operate QNSI under common controls and policies.
• Legal compliance — to comply with laws, lawful requests from authorities, or to protect rights, safety, and the integrity of the service.
• Business transfers — in connection with a merger, acquisition, or asset sale, subject to appropriate confidentiality and continuity of this policy.

International transfers

QNSI Cloud is operated from Singapore (ap-southeast-1) by default. We may transfer personal data to and process it in jurisdictions other than where you reside. Where we transfer personal data out of the EU/EEA, UK, or other regulated jurisdictions, we rely on appropriate transfer mechanisms (such as the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent safeguards under the PDPA).

Retention

We retain personal data for as long as necessary to provide QNSI and to meet legal, tax, accounting, and security obligations. Account data is retained while your account is active and for a defined period afterwards to support reactivation, dispute resolution, and audit. Telemetry and audit events are retained per the retention terms of your plan or any applicable audit-trail-retention add-on.

Security

We protect personal data with technical and organizational safeguards appropriate to the risk: PQC-signed audit trails, encryption in transit (TLS 1.3 with hybrid PQC for QNSI Cloud), encryption at rest, hardware-backed key management, SPIFFE-based service identity, least-privilege access, and continuous monitoring. See our Security overview for details.

Your rights

Depending on where you live, you may have rights to access, correct, delete, restrict, or port your personal data, and to object to certain processing. You can exercise these rights by contacting qnsi-legal@heossi.com. We will respond in accordance with applicable law. If you are an EU/EEA, UK, or Singapore resident and believe we have not handled your request properly, you may contact your local data protection authority (in Singapore, the PDPC).

Children

QNSI is not directed to individuals under the age of 16, and we do not knowingly collect personal data from children.

Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be flagged at this URL and, where appropriate, communicated via email. The "Last updated" date at the top reflects the most recent revision.

Contact

For privacy questions, complaints, or to exercise your rights:

• Privacy contact: qnsi-legal@heossi.com
• General: contact@heossi.com
• Registered office: HEOSSI (PTE.) LTD., 552 Ang Mo Kio, Avenue 10, #21-1982, Cheng San Place, Singapore 560552