Protecting your data

How Qualee protects client data

Written by Vipula
Updated over a week ago

As a cloud service, Qualee gives the security of your data the highest priority. The most important measures we take to keep your data private are outlined below. We also use a wide range of additional safeguards and protective measures that would be either (i) highly complicated to explain to the general public or (ii) a risk to share with the public. Please contact us if you have any specific questions.

Hosting

Our application is hosted on servers provided by Amazon Web Services in its Singapore data center. Amazon Web Services is a leading "platform as a service" provider that allows customers (including Siemens, Novartis, Nasdaq, GE and others) to develop, run and manage applications without the complexity of building and maintaining the infrastructure associated with it. It provides best-in-class security infrastructure, takes care of back-ups, logging, auditing and other infrastructure-related services.

Amazon Web Services is constantly auditing its services and has been approved as compliant with the following standards, among others:

  • ISO 27001

  • ISO 27017

  • ISO 27018

  • SOC 2

  • SOC 3

Other subcontractors used by Qualee to provision its service include similarly renowned and certified companies such as

  • Intercall, Inc.

  • Freshdesk, Inc.

  • PandaDoc, Inc.

  • Google, LLC.

Any transfer of data to a state which is not a member state of either the European Union or the European Economic Area will only occur in compliance with the GDPR and if the specific requirements of Article 44 et seq. of the General Data Protection Regulation (GDPR) have been fulfilled. Specifically, a transfer requires a clear contractual agreement between Qualee and any subcontractor that guarantees at least the same level of data protection under standard contractual clauses (SCCs) as stipulated by the European Commission.

Passwords

Your passwords are always stored as salted hashes and never saved in plain text. When a user tries to log in, the submitted password is hashed in the same way and the platform compares the two hashes to check if they match. This also means that we cannot recover a password for you (we only hold the hashed version), so you have to reset your password if you lose or forget it. For additional security, we enforce a minimum password length and complexity when a user signs up.
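The store-and-compare flow described above, as an added example that is not Qualee's code. The page does not name the hash algorithm or the policy values, so PBKDF2-HMAC-SHA256, the iteration count, the 12-character minimum and the complexity rule are assumptions.

```python
import hashlib
import hmac
import os

# Assumed parameters; the page names neither the algorithm nor the policy values.
ITERATIONS = 600_000
MIN_LENGTH = 12


def meets_policy(password: str) -> bool:
    """Minimum length plus an assumed complexity rule: 3 of 4 character classes."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= MIN_LENGTH and sum(classes) >= 3


def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' with a fresh random salt."""
    if not meets_policy(password):
        raise ValueError("password does not meet policy")
    salt = os.urandom(16)  # per-password salt: equal passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(hash_hex)
        derived = hashlib.pbkdf2_hmac(
            "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:
        return False  # malformed record: fail closed
    return hmac.compare_digest(derived, expected)
```

Only the salt, the iteration count and the derived hash are stored, which is why a lost password can be reset but not recovered.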

Cookies and Tokens

Our platform uses cookies and tokens to authenticate users across sessions. Tokens never contain your actual password or other sensitive information. All that gets saved is a randomly created token that allows you to access basic functionality. To access critical functionality, e.g. changing your password, you have to re-enter your password. We will also inform users via email of any security-related changes to their account.

Data Encryption

All communication between your users and our servers is SSL-encrypted. SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private and intact. SSL is an industry standard and is used by millions of websites to protect their online transactions with their customers.

Additionally, we employ encryption-at-rest to encrypt all data in our database with the industry-standard AES-256 algorithm. This means that your data is encrypted before and after accessing the database and never resides in plain text.

Secure Frameworks

In addition to a secure hosting environment, we build using only established software libraries to ensure that your data is secure and your users are not exposed to known vulnerabilities.

Our frontend framework, combined with the use of unique user tokens, protects your users against common threats such as cross-site scripting (CSS / XSS) and cross-site request forgery (CSRF / XSRF).

The use of an established middleware and the sanitisation of all input add further protection.

As mentioned above, our application runs on AWS servers. AWS maintains the server software at all times and rapidly fixes any newly discovered security vulnerabilities.

Preventing access from within

Each database object is tagged with a company ID. Our application code checks each request and verifies that the database object's company ID matches the company ID of the user; any attempt to breach this check triggers an immediate notification to our administrators.

We also apply a strict role-based model to all requests and views of the platform. This prevents employees from accessing functionality (like modifying user data, editing billing information etc.) that should be reserved for primary administrators only.
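A per-request check combining the company ID match, the administrator notification and the role model described above, as an added example that is not Qualee's code. The class names, role names, permission sets and the `ALERTS` list standing in for the notification channel are all assumptions.

```python
from dataclasses import dataclass

ALERTS = []  # stand-in for the administrator notification channel (assumed)

# Assumed role model: only primary administrators may change users or billing.
PERMISSIONS = {
    "primary_admin": {"read", "edit_user", "edit_billing"},
    "employee": {"read"},
}


@dataclass(frozen=True)
class User:
    id: int
    company_id: int
    role: str


@dataclass(frozen=True)
class Record:
    id: int
    company_id: int  # every stored object carries its owner's company ID


class NotFound(Exception):
    """Raised for missing and cross-tenant objects alike, so existence is not leaked."""


class Forbidden(Exception):
    """Raised when the user's role lacks the requested action."""


def authorize(user: User, record, action: str) -> Record:
    if record is None:
        raise NotFound()
    if record.company_id != user.company_id:
        # Tenant check comes first; a mismatch is never normal, so alert on it.
        ALERTS.append({"event": "cross_tenant_access", "user": user.id,
                       "user_company": user.company_id, "object": record.id})
        raise NotFound()
    if action not in PERMISSIONS.get(user.role, set()):
        raise Forbidden()  # unknown roles get an empty set: deny by default
    return record
```

Running the tenant check before the role check means even a primary administrator of one company gets the same "not found" answer for another company's object.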

Access restrictions to code and database

Our application and database are hosted in a physically secured and guarded data center where professional staff takes care of the physical security of servers.

Remote access is strictly limited. Within our team, each deployment of new code has to be approved by one of two people that have access. The same access limitation applies to our databases and internal administration area. Access to the databases, to our central code repository and to our hosting environment is furthermore protected by two-factor authentication. We regularly update passwords and cycle security tokens.

In our internal administration data, we only display aggregated statistics and company-level data, not the content of actual feedback, reviews, etc. We do not look into raw customer data unless we have been granted permission to do so to fix a bug. However, most bugs can be fixed by analysing server logs and reproducing the problem with non-production (‘dummy’) data.

Data processing agreement (DPA)

Once you start using Qualee, you will need to accept terms of use and subscription agreements with us. They describe how we may handle your data, explain the security measures deployed, state your rights and are needed to be fully compliant with the GDPR.

Internal security policies

Our team is highly security-aware. To avoid external hoaxes, we regularly hold internal security briefings, only deploy up-to-date and modern code, use password managers and different passwords for all sites, regularly update passwords and encrypt the hard drives of our devices.

Availability and disaster recovery

Our application and databases are distributed and replicated across various servers. In the event that one of those servers is unavailable, another instance would take over the activity of serving the application, usually without the end user being impacted.

Databases are backed up on a continuous basis and can be restored should the software or server ever fail in a significant way. Back-ups are stored in different availability zones for additional security.

Monitoring

We closely monitor the performance of our application and databases via AWS' in-built monitoring tools. Any internal errors or potential failures of our various integrations are logged and trigger notifications to our development team, usually allowing us to identify the problem and swiftly correct the situation.

User requests and bug reports

As we constantly update Qualee with new features and capabilities, on rare occasions users may notice a glitch or discover a bug in the software. In such situations, we encourage you to get in touch via our in-app support channels or email at [email protected] - we always appreciate feedback. If possible, please include a screenshot and exact description of the situation you encountered. Critical issues receive immediate attention and are usually fixed within 2 hours; we strive to deal with non-critical requests within 24 hours.

Security threat audits

We run regular external penetration tests / audits with industry-leading security specialists to detect any potential vulnerabilities and keep your data protected.

If you believe you have found a security threat in our system, please contact us immediately via [email protected]. Your information will remain confidential and we will manage your request immediately.

Full disclosure policy

If anything serious happens and your data is affected, we will provide full disclosure to enable you to take precautions and minimise any potential damage. Our leadership team’s experience at numerous Fortune 500 companies has taught us that transparency is paramount in earning and keeping your trust, if data security should ever be threatened.
