Data Hosting & Data Segregation FAQ:
All data is hosted on Azure West Europe Region (Amsterdam).
Quotiss is a multi-tenant service, which means that multiple customer deployments are stored on the same physical hardware. Quotiss uses logical isolation to segregate each customer’s data from the data of others. Segregation provides the scale and economic benefits of multi-tenant services while rigorously preventing customers from accessing one another’s data.
Encryption Control FAQ:
The application has an up-to-date and robust encryption mechanism at rest in transit. We’re using:
a) RSA2048 AES-256 Protocol
b) SHA-256 SHA-512
c) TLS 1.2 Protocol
Data at rest: The Azure Database for MariaDB service uses the FIPS 140-2 validated cryptographic module for storage encryption of data at rest. Data, including backups, are encrypted on disk, with the exception of temporary files created while running queries. The service uses the AES 256-bit cipher included in Azure storage encryption, and the keys are system managed. Storage encryption is always on and can't be disabled.
Data in transit: Azure Database for MariaDB secures your data by encrypting data in transit with Transport Layer Security. Encryption (SSL/TLS) is enforced by default.
We use MFA for all external services, like Azure, Gmail, Office365 integration, dev tools, etc.
Upon request, access to a customer’s domain can be secured with a VPN connection.
Data Logs & Data Storage FAQ:
- We do a full backup every week;
- Differential backups occur twice a day;
- Transaction log backups occur every five minutes.
All data logs are kept for at least 3 months within the contract validity.
Once the contract is terminated, system data can be transferred to the customer in a selected format. We will store customer data in a limited-function account for 30 days (the “retention period”) to give you time to extract the data or renew your subscription. During this period, Quotiss provides multiple notices, so you will be amply forewarned of the upcoming deletion of data.
After this 30-day retention period, we will disable the account and delete the customer data, including any cached or backup copies.
We take careful measures to logically separate customer data. This helps prevent one customer’s data from leaking into that of another customer, which also helps to block any customer from accessing another customer’s deleted data.
We will use a random key to encrypt the data before deleting it permanently from the system.
Software Documentation FAQ:
We have technical documentation, architecture diagrams, data flows, installation instructions, etc.
Application Code FAQ:
The Application Code is created using good design patterns and has the ability to replace modules that may be considered dangerous during use.
The application uses components supported by current suppliers (including current and recognized safe open-source solutions).
Quotiss Software Tests & Releases FAQ:
On average, there is one release per week to production and ten releases to dev servers.
Before every release of a new software version to the production server, the test release to a dev server and run automatic and manual tests.
Security tests are executed before and during every release of a new version of the software. Docker containers and system components are tested automatically to make sure they are up to date, without vulnerabilities.
We adhere to the rule of Zero Trust Security:
The zero trust model is founded on three pillars:
a) All networks should be untrusted: It can never be guaranteed that an account hasn’t been hacked.
b) Least privilege: Limit user access by granting employees just enough authorization to perform necessary tasks.
c) Assume breach: Breaches are inevitable, so an organization’s focus should be not on preventing them but on reducing their impact.
Quotiss Software Security FAQ:
Quotiss server management is handled by a 3rd party company called Hostersi. They are cloud & server experts, specializing in IT services such as server solutions architecting, cloud computing implementation and server management. They help to increase data security and operational capacities. Hostersi is official AWS partner and they are ISO 27001 certified. Hostersi does not have any access to customers' commercial data.
In order to prevent data breaches, we are following OWASP Top 10, scanning libraries, systems and containers, following zero trust, etc. There was no security breach since the day Quotiss was founded (26th of January, 2017).
System data will not be changed/deleted unintentionally.
System data is not shared with / can not be accessed by unauthorized persons.
User Access Control FAQ:
Each user must have their own individual account and access to the System. Access to the System must be preceded by user identification through its authentication.
Quotiss users may only access/process the data to which the Administrator authorizes them.
Users can change passwords anytime and all passwords are encrypted.
Users can have multiple roles and permissions (list of available roles in the system), can be assigned to a group, and share the permissions within a group.
The application has appropriate protection against unauthorized access at the level of all components (network, application, servers, etc.). The user can be blocked anytime.
The application is resistant to intercepting the session of the logged-in user.
The application is protected against SQL Injection and XSS.
Quotiss Organization Security FAQ:
We have a separate cybersecurity team in our organization.
We have a Security Officer role in our organization.
We have a documented security policy.
We have a documented password policy.
We have security procedures in place.
We’re constantly updating and scanning all our workstations.
We have a process to review and update user permissions in all our systems.
We have backup strategies, which are tested regularly.
We organize cybersecurity training for our employees on a regular basis.
Internal Data Access Control FAQ:
Quotiss management team and Quotiss support team have access to the customers' data.
We use two-factor authentication in all critical parts of the infrastructure and system.