VPN protocols

Encrypted tunnels using industry-standard protocols

We don't roll our own cryptography. All traffic between your team and our nodes uses battle-tested, open-source VPN protocols that have been scrutinized by the security community for years.

Default choice

WireGuard

Modern, fast, and minimal.

WireGuard is a modern VPN protocol, merged into the mainline Linux kernel in 2020 (release 5.6). It uses a fixed set of modern, peer-reviewed cryptographic primitives with no cipher negotiation, and is drastically simpler than OpenVPN or IPsec.

  • Modern cryptography only — ChaCha20 for encryption with Poly1305 for authentication, Curve25519 for key exchange, BLAKE2s for hashing and keyed MACs. There is no cipher negotiation, so there is no legacy algorithm to downgrade to.
  • Tiny attack surface — about 4,000 lines of code in the kernel implementation, against roughly 100,000 for OpenVPN before counting the TLS library it links against. Less code means fewer places for bugs to hide and a codebase a single reviewer can audit end to end.
  • Much faster than alternatives — runs in the Linux kernel, uses UDP only, and adds little per-packet overhead. Benchmarks typically show 2-4× the throughput of OpenVPN; kernel IPsec comes closer, but WireGuard still leads.
  • Silent when idle — a node answers only handshake packets that carry a valid MAC keyed on its own public key; anything else is dropped without a reply. To an attacker scanning the address space the UDP port looks closed, so the service never shows up in untargeted scans.
  • Seamless roaming — a peer is identified by its key, not its address, so switching from Wi-Fi to mobile data just updates the endpoint on the next authenticated packet. No dropped sessions, no re-authentication prompts.
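As an added illustration of the silent-when-idle property (example code written for this page, not WireGuard's or QuantivoGate's implementation): a WireGuard handshake initiation carries a mac1 field, a keyed BLAKE2s MAC whose key is derived from the responder's public key. A responder that cannot verify mac1 drops the packet without replying. The script below builds an initiation body with constructed filler in the Noise fields and constructed stand-in keys, computes mac1 the way the protocol specifies, and shows that a scanner who does not know the server's public key, or who tampers with a byte, gets no acceptance and therefore no reply.

```python
import hashlib
import hmac
import os
import struct

# Constants from the WireGuard protocol description (handshake-initiation
# layout and the mac1 label). The initiation message is 148 bytes: a 116-byte
# body, then mac1 (16 bytes) and mac2 (16 bytes).
LABEL_MAC1 = b"mac1----"
MSG_INITIATION = 1
BODY_LEN = 116   # type(1) + reserved(3) + sender(4) + ephemeral(32) + static(48) + timestamp(28)
MAC_LEN = 16
KEY_LEN = 32

# Constructed stand-ins for Curve25519 public keys. Any 32 bytes will do for
# the MAC check being demonstrated; no real key exchange happens here.
SERVER_PUB = hashlib.blake2s(b"constructed server static key").digest()
SCANNER_GUESS = hashlib.blake2s(b"constructed scanner guess").digest()


def wg_hash(data: bytes) -> bytes:
    """HASH(): BLAKE2s with a 32-byte digest."""
    return hashlib.blake2s(data, digest_size=KEY_LEN).digest()


def wg_mac(key: bytes, data: bytes) -> bytes:
    """MAC(): keyed BLAKE2s with a 16-byte digest."""
    return hashlib.blake2s(data, digest_size=MAC_LEN, key=key).digest()


def mac1_key(responder_static_pub: bytes) -> bytes:
    """mac1 is keyed on HASH(LABEL_MAC1 || responder public key), so only a
    sender that already knows the server's public key can compute it."""
    return wg_hash(LABEL_MAC1 + responder_static_pub)


def constructed_body(sender_index: int = 0x12345678) -> bytes:
    """Initiation body with the right type byte and length; the Noise fields
    are random filler since only the mac1 gate is being demonstrated."""
    return struct.pack("<B3xI", MSG_INITIATION, sender_index) + os.urandom(BODY_LEN - 8)


def build_initiation(body: bytes, responder_static_pub: bytes) -> bytes:
    """Append mac1 (over everything before it) and a zero mac2, which is what
    a client sends when the responder has not issued it a cookie."""
    if len(body) != BODY_LEN or body[0] != MSG_INITIATION:
        raise ValueError("not an initiation body")
    return body + wg_mac(mac1_key(responder_static_pub), body) + bytes(MAC_LEN)


def responder_accepts(packet: bytes, my_static_pub: bytes) -> bool:
    """The first check a responder performs on an incoming initiation. Any
    failure means the packet is dropped with no reply, which is why the UDP
    port looks closed to anyone who does not hold the key."""
    if len(packet) != BODY_LEN + 2 * MAC_LEN or packet[0] != MSG_INITIATION:
        return False
    body = packet[:BODY_LEN]
    received = packet[BODY_LEN:BODY_LEN + MAC_LEN]
    expected = wg_mac(mac1_key(my_static_pub), body)
    # Constant-time comparison: the check must not leak how many bytes matched.
    return hmac.compare_digest(received, expected)


def demo() -> tuple:
    """Returns (legit_accepted, scanner_accepted, tampered_accepted)."""
    body = constructed_body()
    legit = build_initiation(body, SERVER_PUB)
    scanner = build_initiation(body, SCANNER_GUESS)   # same bytes, wrong key
    tampered = bytearray(legit)
    tampered[10] ^= 0x01                              # flip one bit inside the body
    return (
        responder_accepts(legit, SERVER_PUB),
        responder_accepts(scanner, SERVER_PUB),
        responder_accepts(bytes(tampered), SERVER_PUB),
    )


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

Only the mac1 gate is modelled here. A real responder then decrypts the static and timestamp fields under Noise IK, rejects timestamps older than the last one it accepted, and when under load demands a cookie in mac2 before doing any of that. The point for this page is the ordering: the MAC check comes first and costs a single BLAKE2s call, so unauthenticated probes are cheap to discard and never learn that the port is open.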

Universal compatibility

OpenVPN

Time-tested and universally supported.

OpenVPN has been an industry standard for over 20 years. It is heavily audited, works in environments where WireGuard's UDP traffic is blocked, and has clients for practically every platform.

  • Strong, configurable encryption — TLS 1.3 for the control channel, AES-256-GCM for the data channel. Ephemeral key exchange gives perfect forward secrecy: even if a long-term key leaks, past sessions stay secret.
  • TCP and UDP support — when a restrictive network (hotel Wi-Fi, some enterprise firewalls) blocks WireGuard's UDP traffic, OpenVPN over TCP on port 443 usually gets through because port-based filters pass it as HTTPS. Deep packet inspection can still tell OpenVPN framing apart from TLS, so treat this as a compatibility measure, not camouflage.
  • Heavily audited — two decades of public scrutiny, several formal security audits, and an open-source codebase you can read yourself via openvpn.net.
  • Certificate-based authentication — each device gets its own certificate signed by your organization's CA, which scales to thousands of devices. Revoking a device adds it to the CA's certificate revocation list, which the server checks at every TLS handshake; an already-established session ends at its next renegotiation, or immediately if the node kills it.
  • Client ecosystem — official clients for every major OS, mobile apps that import profiles cleanly, and native integration with enterprise tooling.

Members can choose either protocol when they add a device. We default to WireGuard for speed and efficiency, with OpenVPN as an automatic fallback when the network blocks WireGuard traffic.

Defense in depth

Multiple layers of security controls

Every layer makes the next attack harder. Here is what we do at each level.

Identity & authentication
  • Passwords hashed with bcrypt (work factor 12) — a leaked database yields only salted hashes that cost 2^12 bcrypt rounds per guess, and bcrypt's design makes GPU cracking far less efficient than it is against plain hash functions.
  • TOTP-based 2FA — 6-digit time-based codes, compatible with Google Authenticator, Authy, 1Password, or any RFC 6238 authenticator.
  • Backup recovery codes — 10 single-use codes provided when 2FA is enabled. Essential if you lose your phone.
  • JWT session tokens — short-lived (1 hour by default), renewed through rotating refresh tokens. A stolen access token stops working within the hour, and a stolen refresh token is invalidated by the next legitimate rotation.
  • No password-only access to VPN configs — downloading a new config requires the authenticated session plus 2FA confirmation.
Network & firewall
  • Reverse VPN architecture — your firewall accepts inbound connections only from QuantivoGate node IPs; every other source is dropped at the edge. Untargeted scans and opportunistic attacks never reach your services because there is nothing for them to connect to.
  • Rate limiting on all public endpoints — brute force attempts trigger progressive delays. Repeated abuse gets the source IP banned automatically.
  • DDoS protection — all QuantivoGate nodes sit behind upstream DDoS mitigation, so volumetric attacks are absorbed before they reach your network.
  • Isolated node infrastructure — each VPN node runs as a hardened appliance with minimal attack surface. No web interfaces exposed, SSH restricted to management VPN.
Data & transport encryption
  • TLS 1.3 for all HTTPS traffic — dashboard, API, and billing. Older TLS versions are disabled entirely.
  • HSTS enabled — once a browser has seen the header it upgrades every plaintext HTTP request to HTTPS on its own and refuses to proceed past certificate errors, which defeats SSL-stripping downgrade attacks.
  • Encrypted VPN tunnels — ChaCha20-Poly1305 (WireGuard) or AES-256-GCM (OpenVPN), both authenticated encryption modes that detect tampering as well as hiding content.
  • Perfect forward secrecy — session keys are ephemeral and rotated. Capturing encrypted traffic today and recovering a long-term key years from now still won't decrypt those sessions.
Audit & monitoring
  • Full audit log of privileged actions — every invite, every login, every device change, every 2FA toggle is logged with user, IP, and timestamp.
  • Immutable logs — logs cannot be edited by anyone, including Org Admins. Retention per plan.
  • Alerts for suspicious activity — login from new country, multiple failed 2FA attempts, or unusual access patterns trigger email notifications.
  • Uptime monitoring — all public services monitored 24/7. Public status page shows current and historical uptime.
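An added example, not the platform's detection code, of how the two alert rules above can be evaluated over an audit log: each line is parsed, a per-user set of countries seen on successful logins flags a login from somewhere new, and a sliding five-minute window counts failed 2FA attempts per user. The sample log lines, the field names, the threshold of three failures and the five-minute window are all constructed for this example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_2FA_THRESHOLD = 3                # failures that trigger an alert (assumed)
FAILED_2FA_WINDOW = timedelta(minutes=5)  # sliding window (assumed)

# Constructed sample of an audit log of the kind described above: one JSON
# object per line with user, IP, timestamp and a GeoIP country. Field names
# are assumptions for this example.
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:00:00Z", "user": "alice", "event": "login", "result": "ok", "ip": "203.0.113.10", "country": "DE"}
{"ts": "2024-05-01T08:05:00Z", "user": "bob", "event": "login", "result": "ok", "ip": "198.51.100.7", "country": "DE"}
{"ts": "2024-05-02T22:10:00Z", "user": "alice", "event": "login", "result": "ok", "ip": "192.0.2.44", "country": "BR"}
{"ts": "2024-05-02T22:11:00Z", "user": "bob", "event": "2fa_failed", "ip": "198.51.100.7", "country": "DE"}
{"ts": "2024-05-02T22:12:00Z", "user": "bob", "event": "2fa_failed", "ip": "198.51.100.7", "country": "DE"}
{"ts": "2024-05-02T22:13:30Z", "user": "bob", "event": "2fa_failed", "ip": "198.51.100.7", "country": "DE"}
{"ts": "2024-05-02T23:00:00Z", "user": "bob", "event": "2fa_failed", "ip": "198.51.100.7", "country": "DE"}
"""


def parse_line(line: str) -> dict:
    """One JSON audit record; the timestamp is parsed into a datetime."""
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(lines) -> list:
    """Single pass over log lines in time order. Returns alert tuples of the
    form (ts, user, rule, detail)."""
    seen_countries = defaultdict(set)    # user -> countries of past successful logins
    failures = defaultdict(deque)        # user -> timestamps of recent 2FA failures
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = parse_line(raw)
        user, ts = rec["user"], rec["ts"]
        if rec["event"] == "login" and rec.get("result") == "ok":
            known = seen_countries[user]
            # A user's first ever login seeds the baseline rather than alerting.
            if known and rec["country"] not in known:
                alerts.append((ts, user, "login_from_new_country", rec["country"]))
            known.add(rec["country"])
        elif rec["event"] == "2fa_failed":
            recent = failures[user]
            recent.append(ts)
            while recent and ts - recent[0] > FAILED_2FA_WINDOW:
                recent.popleft()          # drop failures that fell out of the window
            if len(recent) >= FAILED_2FA_THRESHOLD:
                alerts.append((ts, user, "repeated_2fa_failures", len(recent)))
                recent.clear()            # one alert per burst, not one per extra failure
    return alerts


def run_sample() -> list:
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ts, user, rule, detail in run_sample():
        print(f"{ts:%Y-%m-%d %H:%M:%S} {user:<6} {rule} {detail}")
```

Running it produces an alert for alice's login from BR and one for bob's three failures between 22:11 and 22:13; bob's isolated failure at 23:00 falls outside the window and stays quiet. Two caveats for a real deployment: the country comes from GeoIP, which is unreliable for mobile carriers and VPN egress, so a new-country alert is a prompt for review rather than proof of compromise; and the first-login baseline means an account compromised before its owner ever logs in never trips the rule.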
Infrastructure & operations
  • Principle of least privilege — every service runs with minimum required permissions. Database credentials differ per service. Compromising one component doesn't compromise the whole platform.
  • Automated patching — OS and dependencies updated within hours of security advisories. No lingering known vulnerabilities.
  • Encrypted backups — daily snapshots to geographically separate storage, encrypted at rest. Tested restoration procedure.
  • Secrets management — API keys, database passwords, and TLS certificates stored in encrypted secrets manager. Never in code, never in logs.
Organizational controls
  • Invite-only access — no public signup. Org Admin controls exactly who can join. No rogue account creation possible.
  • Per-device enrollment — a stolen password alone isn't enough. Each device needs its own registered config that can be revoked individually.
  • Instant device revocation — lost a laptop? Revoke its access in one click. The device can't reconnect, even if it has a valid config file.
  • Role separation — Org Admin sees team-wide data but can't read individual users' personal data beyond what they need for access management.

Compliance & standards

Built to help you meet your obligations

GDPR

We act as a data processor for EU customers: we maintain a Data Processing Agreement (DPA), store minimal personal data, and honor deletion requests within 30 days.

HIPAA

The on-premises deployment option is designed for healthcare customers. Your patient data never leaves your hardware.

ISO 27001

Internal controls aligned with ISO 27001 framework. Formal certification in progress.

SOC 2

Security, availability, and confidentiality controls being implemented toward SOC 2 Type II audit.

Ready to secure access to your network?

Eliminate publicly exposed services. Give employees simple, secure access — with full control and visibility.