Technical & Organizational Measures to Ensure the Security of Customer Data

Last Updated January 1, 2024

These Technical and Organizational Measures to Ensure the Security of Customer Data (“Technical & Organizational Measures”) form a part of the QNOPY Hosted Services & Subscription Agreement (“HSSA”) or other agreement(s) entered into between you or the entity which you represent (“Customer”) and QNOPY (“QNOPY”). These Technical & Organizational Measures present the industry best practice information security policies, procedures, controls and customizable features that QNOPY employs for the protection of Customer Data that is transferred by Customer into the Products, or otherwise stored, created, processed or modified pursuant to the Agreement.

Measures of pseudonymization and encryption of customer data All Data transmitted between the Customer and the QNOPY application over public networks, as well as all Data stored on QNOPY’s servers is encrypted, using preferred encryption capabilities that prevent unauthorized data access.
Measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services QNOPY enforces the rule of least privilege for all systems. Access to designated systems and customer data is limited to personnel for whom access is required based on job function. Access to all systems is deleted or suspended upon termination of employment. Only secure transfer protocols are used to transfer data from one system endpoint to another.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident QNOPY utilizes multi-availability zone deployments, which provide enhanced availability and durability for database instances. A primary database instance is automatically created and synchronously replicates the data to a standby instance in a different availability zone (AZ). Each AZ runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable. In case of an infrastructure failure, an automatic failover is performed to the standby read replica. Infrastructure is set up such that the system can be restored to the last backup image within 30 minutes of a disaster.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing QNOPY regularly engages a third-party to conduct penetration tests of the service, which is performed at least annually.
Measures for user identification and authorization Where a Customer’s account contains a password for authentication, QNOPY stores the password encrypted and unreadable to anyone including the QNOPY Admins. All devices accessing QNOPY’s services are mapped to named user accounts. Access to any device can be blocked.
Measures for the protection of data during transmission QNOPY encrypts Data for all transactions to and from the mobile devices in the field as well as the web-based reporting engines, applications, dashboards, and web portal.
Measures for the protection of data during storage Customer Data stored on QNOPY’s servers is encrypted.
Measures for ensuring physical security of locations at which personal data are processed The service is hosted and Data is stored within data centers provided by Amazon Web Services (AWS). As such, QNOPY relies on the physical, environmental, and infrastructure controls of AWS. QNOPY periodically reviews certifications and third-party attestations provided by AWS relating to the effectiveness of its data center controls.
Measures for ensuring events logging QNOPY maintains detailed server transaction logs along with automated incident tracking and alarms. All the original data and changes are saved and can be traced back.
Measures for tracking changes to electronic records Whenever possible, QNOPY maintains detailed data modification notes to keep track of how, when, and by whom electronic data was modified or amended. All the original data and changes are saved and can be traced back.
Measures for ensuring system configuration, including default configuration QNOPY hardens its server infrastructure using a hardening standard based on a common industry standard.
Measures for internal IT and IT security governance and management QNOPY staff access to Customer Data is role-based and follows the principle of least privilege. QNOPY has established and will maintain procedures for password management for its personnel, designed to ensure passwords are personal to each individual and inaccessible to unauthorized persons. Access to data is controlled by user roles. Roles can be defined on organization level or project level.
Measures for ensuring data minimization QNOPY minimizes the Data it requires from Customers and the Data it processes to only what is necessary to provide the service requested.
Measures for ensuring data quality For data which is available to QNOPY within its systems, QNOPY ensures data quality by ensuring such details are up to date, reviewing data regularly, and following data deletion practices. QNOPY also allows users to update the information in their accounts themselves or via requests to the Customer Success Team.
Measures for ensuring limited data retention QNOPY maintains a Data Retention Policy, setting out the retention periods for various types of data based on legal requirements, justified interests of QNOPY, and the purposes of collection.
Measures for ensuring accountability All QNOPY employees are required to abide by a data handling and classification standards. Any violation of these requirements will result in disciplinary procedures up to and including termination.
Measures for allowing data portability and ensuring erasure QNOPY ensures data portability by allowing customers to retrieve any data placed within the service into an industry standard data format. QNOPY has an automated process for deleting Customer Data on request within 30 days.