Security Standards

Overview

Quavo and the client are both responsible for the security of QFD's cloud:

  • Quavo is responsible for the security of the infrastructure, network and software components of the application

  • Clients are responsible for the security of access to the application and for the privileges that are granted to users of the system

Technical and Organizational Controls

Encryption of personal data

Quavo encrypts all data at rest using 256-bit AES encryption. Data in transit is encrypted with HTTPS (TLS 1.2) and digital certificates in all cases.

Ability to restore availability and access to personal data

Quavo maintains a commercially reasonable disaster recovery plan, including automatic failover to a like facility to meet the recovery point objective (RPO) and recovery time objective (RTO) parameters.

Notification of incidents

During the term of the Subscription Services, Quavo will notify clients without undue delay (unless otherwise required under applicable law) when Quavo confirms any actual security incident affecting the confidentiality, integrity or availability of client data at the infrastructure layer. In the event of such a security incident, Quavo will cooperate with Client in accordance with the law and regulations applicable to Quavo.

Process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures

Quavo performs a PCI review at least once per calendar year. Quavo performs, or has a qualified third party perform, external penetration tests of the QFD cloud and internal network security vulnerability assessments at least quarterly. We mitigate any critical or high vulnerabilities discovered during the penetration tests or network security vulnerability assessments.

Additional commitments to security:

  • Established security group configurations for secure client access.

  • Protecting all data in transit over the Internet.

  • Providing host-based virus protection services, scans, and signature updates.

  • Monitoring the security of the infrastructure components in each environment.

Physical and Environmental Controls

Quavo utilizes Amazon Web Services (AWS) exclusively in an Infrastructure-as-a-Service (IaaS) capacity. AWS provides extensive controls over physical access to infrastructure and network components, and Quavo inherits these controls as part of its security model.

Access Controls

All Quavo access to systems hosted on AWS is granted according to the least-privilege principle and is closely monitored and reviewed on a frequent basis.

  • All access to cloud resources is granted only according to a documented, current business need.

  • Quavo maintains lists of current access levels and individuals.

  • The lists are reviewed and modified at least quarterly, including removing personnel who no longer require access or the level of access currently held.

  • All access to environments is logged and monitored.

  • All administration of our cloud environments is done using role-based access control with multi-factor authentication.

Network Controls

  • Virtual network devices that establish the boundaries, network rulesets, and access controls governing inbound and outbound traffic in any client environment.

  • Network security controls that limit access from untrusted sources.

  • Network architecture that limits the effects of distributed denial-of-service (DDoS) attacks.

  • An HTTP/HTTPS Internet gateway that provides access for clients who want connectivity to their virtual private cloud (VPC) environment directly from the Internet.

  • A secure IPsec virtual private network (VPN) connection that provides access between the clients' location and the QFD cloud.

  • Continuous monitoring of the infrastructure components.

Malware Protection

  • Quavo deploys host-based malware services, scans, and signature updates that cannot be disabled or altered by users.