Updated 1 February 2020
We know that our customers rely on us as an important part of their business and decision making processes. We take this responsibility to our customers very seriously, and the security and reliability of the software, systems and data that make up our platform are our top priority.
We have worked to establish the best possible security policy, articulated below. Nonetheless, we reserve the right to modify this policy at any time without notice.
1. Infrastructure security
Our platform is deployed on Google Cloud Platform ("Cloud Service Provider"), allowing us to take advantage of the same secure-by-design infrastructure, built-in protection and global network that Google uses to protect your information, identities, applications, and devices. Security measures in place at our cloud service provider include:
- Employee background checks
- Security training for all employees
- Internal security and privacy events
- Dedicated security team
- Dedicated privacy team
- Internal audit and compliance specialists
- Collaboration with the security research community
1.1 Operational security
Our infrastructure is deployed using rigorous security practices. Operations teams at our cloud service provider detect and respond to threats to the infrastructure from both insiders and external actors, 24/7/365.
Communications over the Internet are encrypted in transit. Our cloud service provider's network and infrastructure have multiple layers of protection to defend our customers against denial of service attacks.
Identities, users, and services are strongly authenticated with multiple factors by our cloud service provider. Access to sensitive data is protected by advanced tools like phishing-resistant security keys.
Data stored on our infrastructure is automatically encrypted at rest and distributed for availability and reliability. This helps guard against unauthorized access and service interruptions.
From the physical premises to the purpose-built servers, networking equipment, and custom security chips to the low-level software stack running on every machine, our entire hardware infrastructure is Google-controlled, -secured, -built, and -hardened.
Our infrastructure is subject to regular independent verification of security, privacy, and compliance controls, achieving certifications against global standards to earn your trust, including:
- Argentina Personal Data Protection Law 25,326
- Association of Banks in Singapore (ABS) Guide
- Australian Privacy Principles (APPs)
- Australian Prudential Regulation Authority (APRA) Standards
- California Consumer Privacy Act (CCPA)
- Cloud Computing Compliance Controls Catalog (C5)
- COPPA (U.S.)
- CSA STAR
- EBA Outsourcing Guidelines
- EU Model Contract Clauses
- Federal Financial Institutions Examination Council (FFIEC)
- FERPA (U.S.)
- FIPS 140-2 Validated
- FISC (Japan)
- Higher Education Cloud Vendor Assessment Tool (HECVAT)
- HITRUST CSF
- Independent Security Evaluators (ISE) Audit
- IRAP (Information Security Registered Assessors Program)
- ISAE 3000 Type 1 Report
- ISO 27001
- ISO 27017
- ISO 27018
- Monetary Authority of Singapore (MAS) Guidelines
- MTCS (Singapore) Tier 3
- My Number Act (Japan)
- NHS Digital Commercial Third-Party Information Governance Requirements
- NIST 800-171
- NIST 800-34 - Contingency Planning
- NIST 800-53
- PCI DSS
- Privacy Shield
- SEC Rule 17a-4(f), CFTC Rule 1.31(c)-(d), and FINRA Rule 4511(c)
- SOC 1
- SOC 2
- SOC 3
- South Africa POPI
- Spain Esquema Nacional de Seguridad (ENS)
- The Personal Information Protection and Electronic Documents Act (PIPEDA)
- U.S. Defense Information Systems Agency Provisional Authorization
- UK's Cloud Security Principles
For more information, please see https://cloud.google.com/security/.
2. Application security
We adopt the Open Web Application Security Project (OWASP) Top Ten as a means of ensuring application code is free from flaws and security vulnerabilities. The OWASP Top Ten is a widely used awareness document for web application security, representing a broad consensus about the most critical web application security flaws. Project members include a variety of security experts from around the world who have shared their expertise to produce a list of the top ten security vulnerabilities affecting web applications. Adopting the OWASP Top Ten ensures our applications are protected against:
- Broken authentication
- Sensitive data exposure
- XML external entities (XXE)
- Broken access control
- Security misconfiguration
- Cross-site scripting (XSS)
- Insecure deserialization
- Using components with known vulnerabilities
- Insufficient logging and monitoring
For more information, please see https://www.owasp.org/.
3. Payment security
We use the Stripe payments platform for the secure processing and storage of certain payment data. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1, the most stringent level of certification available in the payments industry. To accomplish this, Stripe makes use of best-in-class security tools and practices to maintain a high level of security.
For more information, please see https://stripe.com/docs/security/stripe.
4. Contact us
Please contact us for more information or if you have any security concerns. The best way to do this is via the contact form located at https://q-ctrl.com/contact.
You can also send a letter to us at the following address:
Q-CTRL Pty Ltd
100 Harris Street
PYRMONT NSW 2009