Regulatory Architecture

Compliance is architecture.
Not a checkbox.

Every compliance claim on this page has a technical basis. We've documented what we've built, what it supports, and what's on the roadmap — because you should be able to verify it.

Current Claims

What we support today.

These regulations are addressed at the platform architecture level — not through policy documents or configuration options. Each entry includes the specific technical controls that satisfy the requirement.

Active
FERPA
Family Educational Rights and Privacy Act

FERPA governs the privacy of student education records at institutions receiving federal funding. Compliance requires that student data be accessible only to authorized school officials with a legitimate educational interest, and that students retain rights to inspect and correct their records.

Technical Basis
  • Per-tenant PostgreSQL database isolation — cross-tenant access is structurally impossible
  • Role-gated API layer — every endpoint enforces role-based access control before data is returned
  • AES-256-GCM credential encryption with per-tenant keys — plaintext never written to disk
  • Audit log retention of 90 days — all access events recorded with timestamp, user, and action
  • SAML 2.0 / Shibboleth SSO — authentication federated to institutional IdP, no credential storage
  • TLS 1.2+ enforced on all endpoints — no plaintext transport
Active
GLBA Safeguards Rule
Gramm-Leach-Bliley Act — Financial Data Protection

GLBA's Safeguards Rule requires financial institutions and their service providers to implement a comprehensive information security program protecting non-public personal financial information (NPI). Higher education institutions handling financial aid data are covered. So are insurance, financial services, and lending verticals.

Technical Basis
  • Designated security officer role — infrastructure and application security managed by Rubicon Technologies LLC
  • Encryption at rest: LUKS AES-256 disk encryption + AES-256-GCM application-layer encryption
  • Encryption in transit: TLS 1.2+ enforced on all connections, HSTS enabled
  • MFA enforced for all administrative and infrastructure access (TOTP)
  • Access controls: role-gated APIs, per-tenant isolation, no shared schemas
  • Penetration testing: OWASP Top 10 methodology, zero Critical/High findings
  • Incident response: defined escalation procedures, 90-day audit log retention
Active
CCPA / CPRA
California Consumer Privacy Act / California Privacy Rights Act

CCPA and CPRA give California residents rights to know what personal data is collected, rights to deletion, rights to opt out of sale, and rights to correct inaccurate data. As a service provider, QuadHub must support the data subject rights of client organizations' users.

Technical Basis
  • Data residency in the United States — all data stored and processed at Tier 3 colocation in Durham, NC
  • Quad Digital does not sell or share personal data with third parties for commercial purposes
  • Tenant admin portal enables data subject access requests: tenant admins can export or delete user records
  • Per-tenant data isolation makes individual deletion operations clean and auditable
  • Data processing agreements available upon request
HIPAA-Ready
HIPAA
Health Insurance Portability and Accountability Act

HIPAA governs the use and disclosure of Protected Health Information (PHI) by covered entities and their business associates. QuadHub's platform architecture satisfies the technical and physical safeguard requirements of the HIPAA Security Rule. We provide Business Associate Agreements (BAAs) for healthcare clients.

Technical Basis
  • Technical safeguards: AES-256 encryption at rest and in transit, role-based access controls, automatic session timeouts, audit controls (90-day log retention)
  • Physical safeguards: dedicated hardware at Tier 3 colocation facility with physical access controls
  • Administrative safeguards: documented security policies, workforce training, incident response procedures
  • Business Associate Agreement (BAA) available upon request
  • Per-tenant database isolation ensures PHI for one organization is structurally inaccessible to another
COPPA-Ready
COPPA
Children’s Online Privacy Protection Act

COPPA applies to online services directed at children under 13, or services with actual knowledge they are collecting data from children under 13. For K-12 clients and trade school clients with minors, QuadHub provides the controls needed to operate a COPPA-compliant deployment.

Technical Basis
  • No third-party tracking, advertising, or behavioral analytics — QuadHub does not monetize user data
  • Tenant-controlled user provisioning — schools control all account creation and access
  • Data minimization: QuadHub collects only what is operationally necessary to deliver the platform
  • FERPA-aligned data handling (FERPA provides COPPA safe harbor for school-directed use)
  • Parental consent workflows available for K-12 deployments upon request
Ready
PIPEDA
Personal Information Protection and Electronic Documents Act (Canada)

PIPEDA governs how private organizations in Canada collect, use, and disclose personal information. QuadHub is US-hosted; Canadian organizations using the platform must obtain meaningful consent for cross-border transfer. We support Canadian clients with the necessary disclosures and data handling agreements.

Technical Basis
  • Data residency disclosure: all data stored in the United States — clearly communicated in client agreements
  • Cross-border transfer agreements available for Canadian clients
  • Accountability principle satisfied: Rubicon Technologies LLC is the designated responsible party
  • Individual access and correction rights supported through tenant admin portal
Platform Architecture

How compliance is built in — not bolted on.

Every compliance claim above traces back to one of six architectural layers. These layers were designed before any regulatory requirement was written down. Compliance is a consequence of good architecture.

Layer 1
Per-Tenant Data Isolation
Every client organization gets a dedicated PostgreSQL database. No shared schemas. No shared credentials. No shared audit logs. Cross-tenant access is structurally impossible — not just policy-prohibited.
Layer 2
Encryption at Every Layer
LUKS AES-256 disk encryption on all storage volumes. AES-256-GCM application-layer encryption on all integration credentials, with per-tenant keys. TLS 1.2+ on all network traffic. Three independent encryption layers.
Layer 3
Role-Gated Access Control
Every API endpoint enforces role-based access before returning data. Roles are mapped from the organization's identity provider via SAML 2.0 or OIDC on every login. Role drift is impossible — the IdP is authoritative.
Layer 4
Audit & Accountability
All access events are logged with timestamp, user identity, action, and outcome. Logs are retained for 90 days minimum. Admin and infrastructure access requires TOTP MFA — every privileged action is attributable to a specific person.
Layer 5
Zero-Touch Credential Vault
Integration API keys and tokens are encrypted before storage. Platform operators can query the encrypted vault and see ciphertext only. The decryption key is inaccessible outside the API runtime. This is an architectural constraint, not just a policy.
Layer 6
Dedicated Infrastructure
QuadHub runs on dedicated hardware operated by Rubicon Technologies at Tier 3 colocation in Durham, NC. No hyperscaler shared tenancy. No egress to third-party analytics platforms. Data stays where you expect it to stay.
Roadmap

What’s coming.

We build compliance in phases. Active means it's supported today with technical controls in production. In Progress means the controls exist but documentation or attestation is pending. Planned means it's on the build calendar.

FrameworkStatusNotes
FERPAActiveFull architectural support. Used in all higher education deployments.
GLBA Safeguards RuleActiveControls implemented. Applies to financial services, insurance, and higher ed financial aid workflows.
CCPA / CPRAActiveUS data residency, no data sale, deletion support, DPA available.
HIPAA (BAA available)ReadyTechnical and physical safeguards implemented. BAA available. Healthcare vertical requires BAA execution before PHI handling.
COPPA (K-12)ReadyNo third-party data monetization. FERPA safe harbor covers most K-12 school-directed use.
PIPEDA (Canada)ReadyCross-border transfer disclosure and agreements available for Canadian clients.
GDPR (EU/UK)ActiveData subject rights implemented: GET /api/v1/users/export (Art. 20 portability) and DELETE /api/v1/users/me (Art. 17 erasure). DPA template available for EU clients.
ADA / Section 508In ProgressWCAG 2.1 AA accessibility audit scheduled. Required for government and higher education verticals receiving federal funding.
SOC 2 Type IPlannedControls exist and are operating. Third-party CPA attestation planned for post-revenue milestone.
NIST SP 800-171PlannedControls map well to existing architecture. Documentation sprint planned for government vertical launch.
ISO 27001PlannedISMS documentation and formal certification planned for enterprise sales cycle.
FedRAMPDeferredAuthorization requires formal partnership with a 3PAO and significant process investment. Deferred until government vertical reaches sufficient scale.
StateRAMPIn ProgressState-level cloud security authorization program. Architecture alignment in progress. Target for government and public education verticals requiring state procurement compliance.
Documentation Available

Need a BAA, DPA, or compliance brief?

We provide Business Associate Agreements (HIPAA), Data Processing Agreements (GDPR/CCPA), and detailed compliance documentation packages for enterprise procurement and legal review.

Request Compliance Documentation