AboutProductsQV LEAgency QualificationQV FBILocked QIT-99QV OpsPrivate SecurityQV GlobalInternationalHardwareSecurityPartnersRequest Demo
Security & Compliance
Built for data that
has to hold up.

Qualification records are operational and legal documents. QValor's security architecture was designed accordingly — from the encryption stack to the chain of custody model to the cryptographic integrity layer.

Security Briefing Request

Architecture Language: QValor is designed to align with these standards and built toward these compliance postures. Formal certifications (SOC 2 Type II, CJIS audit) are pursued as the platform moves from development to full institutional deployment. "Designed to align with" is not equivalent to "certified under."

Compliance Architecture
Aligned with the standards that matter to LE procurement.

Every compliance decision in QValor traces to the specific regulatory and institutional requirements of law enforcement data handling, armed security operations, and defensible qualification documentation.

CJIS Alignment

StandardFBI Criminal Justice Information Services Security Policy
RelevanceRequired for systems handling law enforcement operational data
QValor PostureArchitecture designed to align with CJIS access control, encryption, and audit requirements
StatusAlignment-designed. Formal audit as deployment scales.

HIPAA-Ready

StandardHealth Insurance Portability and Accountability Act
RelevanceMedical accommodation and fitness data stored in platform
QValor PostureAccommodation data treated as PHI. Architecture designates a separate encryption key with planned quarterly rotation. Access separately permissioned and logged.
StatusHIPAA-aligned data handling architecture. Formal compliance posture established at institutional deployment.

SOC 2 Pathway

StandardAICPA Service Organization Control 2, Type II
RelevanceEnterprise procurement and institutional trust standard
QValor PostureArchitecture built toward SOC 2 Type II audit readiness. Annual audit cycle planned.
StatusPlanned annual audit as platform reaches institutional deployment.

ADA Title II

RelevanceAccessibility requirements for public agency software
PostureAccommodation tracking, accessible interface design, and accommodation workflow built into the platform.

Electronic Signatures

RelevanceLegal validity of digital instructor and supervisor signatures
PostureDigital signature architecture designed around ESIGN/UETA principles. PKI-based approach, 2048-bit minimum key length, with timestamped audit logging on every signature event.
Encryption Architecture
Data at rest. Data in transit. Both secured.
Data In Transit
TLS 1.3

All data moving between the mobile app, web console, and QValor servers is encrypted using TLS 1.3 — the current industry standard for transport security.

Data At Rest
AES-256

All stored data — qualification records, target images, officer profiles, and training history — is encrypted at rest using AES-256. Local mobile storage encrypted with the same standard.

Medical Data
Separate Key, Rotation Policy

Accommodation and medical data is architecturally isolated under a separate encryption key from the main data store. The access model requires a separate permission flag and logs every access event. Key rotation cadence is established at institutional deployment.

Target Images
Encrypted Blobs + EXIF Preservation

Target images are stored as encrypted blobs. Decryption requires an authenticated API call. EXIF data — including timestamp and capture metadata — is preserved as part of the evidence record.

Access Control
Role-based. Audited. Minimal privilege.

Every QValor user operates within a defined role with granular access controls. No user has access to data beyond what their role requires. All access is logged.

  • Multi-factor authentication (MFA) architecture required for all admin and instructor accounts.
  • Role-based access control (RBAC) with granular permission sets per role — no user accesses data beyond their defined scope.
  • Medical/accommodation data isolated behind a separate permission flag with access logging on every event.
  • Session timeout designed for 30-minute inactivity threshold.
  • Failed-login lockout architecture: 5 attempts triggers 15-minute lockout.
  • IP allowlisting capability designed for high-security agency deployments.

Digital Signatures

ApproachPKI-based digital signature architecture
Key Design2048-bit minimum, designed around ESIGN/UETA principles
ApplicationInstructor confirmation, supervisor authorization, record finalization — each event timestamped and audit-logged

Offline Security

Local StorageSQLite encrypted on device (AES-256)
Medical DataNot cached locally — privacy protection
Sync ValidationServer re-validates GPS, instructor certification, and file integrity on sync
Record Integrity
The record that cannot be quietly changed.

The integrity layer in QValor is not just about security. It is about the evidentiary value of the qualification record itself.

Hash Sealing
Cryptographic lock at finalization.

Once a record is finalized and instructor-confirmed, a cryptographic hash is applied. Any subsequent modification — even a single character — produces a different hash. The original record can be independently verified at any time.

Code of Reason
No silent corrections.

Score corrections require a documented reason code, supervisor authorization, and an audit entry. The original record is never deleted — it is superseded with a traceable correction chain visible to command and compliance roles.

Image Evidence
Raw and annotated. Both preserved.

The raw target image and the computer vision annotated scoring overlay are stored as separate files within the same record. The original target capture is never overwritten by the scoring layer.

Data Handling
Storage, retention, and validation architecture.
  • Target images, signature images, and override photos stored in encrypted object storage (S3-compatible).
  • CDN for reliable global access to qualification records.
  • Virus scanning on all uploaded content.
  • Image compression pipeline preserving evidentiary value while reducing storage cost.
  • EXIF data preservation on all target capture images.
  • Automatic watermarking on target images: timestamp, officer badge, qualification ID.
  • Agency-configurable retention policy.
Data validation on sync: GPS coordinates re-validated against registered ranges. Instructor certification re-checked. Safety briefing timestamps validated. File integrity confirmed. Failures trigger manual review — not auto-approval.
Offline Mode
Range-day reliability without connectivity dependency.

The QValor mobile app operates offline-first. Qualification sessions are captured and stored locally with AES-256 encryption, then synced automatically on reconnect. Minimum 100 sessions cached. Photos queued for upload with progress visibility.

  • 100+ offline sessions cached locally.
  • Chronological sync order on reconnect.
  • Medical accommodation data not cached locally.
Infrastructure
Purpose-built for institutional reliability.

QValor infrastructure is designed for the uptime and data integrity requirements of LE operational systems. Redundant storage, CDN-accelerated record access, and automated sync validation on every session upload.

Security Briefing
Security and compliance questions from your procurement team?

QValor can provide a security architecture briefing for agency IT, procurement, and legal teams evaluating the platform. Full technical documentation is available under NDA for institutional prospects.

Request Security Briefing About QValor