Certifications & Credentials

What we are aligned to, and what we are not.

Honest framing of the standards QUANT LAB USA aligns to. We distinguish carefully between aligned with, aware of, and certified in. Three different things.

Up front

QUANT LAB USA is a founder-led shop. We are not SOC 2 audited. We are not a PCI-certified service provider. We are not a HIPAA-certified vendor. Anyone who tells you their small shop holds all three is selling you a story.

What we do is build to those standards, document the methodology, and make our work easy for your auditor to understand. The table below is the honest version of which frameworks shape our engineering and which ones we hold formal certifications for.

Standards Alignment

Frameworks that shape how we build.

OWASP ASVS Level 2

Aligned

Every web application penetration test we deliver is scoped against the OWASP Application Security Verification Standard, Level 2. Findings reports cross-reference ASVS sections so your developers can fix the root cause, not just the symptom.

Web app pentests

MITRE ATT&CK Framework

Mapped

Adversarial assessments map observed techniques to MITRE ATT&CK tactics. Executive summaries reference tactic IDs so leadership can read a report without translating from infosec jargon, and remediation can be tracked against industry-standard nomenclature.

MITRE ATT&CK assessments

PCI-DSS

Aware (not certified)

We build Stripe integrations using Checkout, Elements, and Payment Element flows so that cardholder data never lands in client infrastructure or QUANT LAB systems. The goal is to keep clients in the lowest PCI scope possible. We are not a PCI-certified service provider, and Stripe is the certified processor.

Stripe integration

HIPAA

Aware (not a Covered Entity)

Healthcare-adjacent builds are architected with HIPAA Security Rule considerations in mind: encrypted PHI at rest and in transit, granular audit logging, role-based access, and infrastructure that can sit behind a Business Associate Agreement when one is needed with a hosting provider. We are not a HIPAA-certified vendor and we will tell you so before any contract.

Custom business software

SOC 2

Readiness aligned

Our internal controls (access management, secrets handling, change management, logging) are aligned with SOC 2 Type I readiness. That alignment is intended to make us a low-friction vendor for clients pursuing their own SOC 2 audit. We have not undergone a SOC 2 audit ourselves, and we will not claim to be SOC 2 certified.

Our security practices

Georgia Business Entity

Registered

QUANT LAB USA INC is a Domestic Profit Corporation registered with the Georgia Secretary of State, Control Number 26086454, EIN 42-2039870. Registered office: 3489 Rocky Creek Dr, Douglasville GA 30135. The company is marketed from Macon, Georgia and serves clients nationally.

Contact corporate

Vercel Deployment Standards

Implemented

Production deployments run on Vercel with environment-isolated secrets managed in the platform (never committed to source), automatic preview deployments per pull request, branch-protected promotion to production, and instant rollback to any prior deployment.

Cloud infrastructure

Entity Verification

Verifiable company information.

Legal Name

QUANT LAB USA INC

Entity Type

Domestic Profit Corporation, Georgia

Georgia SOS Control Number

26086454

Federal EIN

42-2039870

Registered Office

3489 Rocky Creek Dr, Douglasville GA 30135

Operating Market

Macon, GA — serving clients nationally

Entity verification is searchable on the Georgia Secretary of State business search. W-9 available on request via our contact page.

Founder Credentials

Hands-on, not paper.

Bill Beltz, the founder and lead engineer, is a full-stack software developer with a decade-plus of production experience and an active offensive-security practice. The credentials that matter for client engagements are the standards alignment above and a portfolio of shipped systems you can read about on the work page.

We do not list a wall of acronyms. We will list the frameworks our work is actually held to, name them specifically, and let you pressure-test the methodology on a discovery call. For more on who is actually doing the work, see team & leadership.

Continuing Education

Standards move, so do we.

OWASP releases. MITRE ATT&CK techniques get added. Stripe changes how Payment Element handles SCA. We track the changes that affect client work and update our internal playbooks accordingly. The alignment claims on this page are reviewed quarterly.

For long-form writing on how we apply these standards in practice, see the deep-dives on penetration test cost and scoping, custom CRM development, and pentest firms in Georgia.

Need a custom compliance write-up?

If your procurement team needs a specific standards or compliance attestation, we will prepare one for the engagement. Tell us what you need and we will tell you what we can credibly attest to.

Call (770) 652-1282 or email beltz@quantlabusa.dev