Security measures

Contents

  1. Servers and Networking.
    1. All servers that run Qencode software in production are recent, continuously patched Linux systems. Additional hosted services that we utilize, such as are comprehensively hardened.
    2. Our web servers encrypt data in transit using the strongest grade of HTTPS security (TLS 1.2) so that requests are protected from eavesdroppers and man-in-the-middle attacks. Our SSL certificates are 2048 bit RSA, signed with SHA256.
    3. Internal tier-to-tier requests are signed and authenticated to prevent request forgery, tampering, and replay.
  2. Storage.

    All persistent data is encrypted at rest using the AES-128 standards or similarly high standards.

  3. Employee Equipment and Employee Access.
    1. Employee computers have strong passwords, encrypted disks, and firewalls.
    2. We follow the principle of least privilege in how we write software as well as the level of access employees are instructed to utilize in diagnosing and resolving problems in our software and in response to customer support requests.
    3. Access to administrative interfaces additionally enforce administrator permissions where applicable, and all administrative access is logged and auditable both in the form of traditional web server logs as well as via Qencode itself to make it easy to find and review any administrative activities with full fidelity.
  4. Code Reviews and Production Signoff.
    1. All changes to source code destined for production systems are subject to pre-commit code review by a qualified engineering peer that includes security, performance, and potential-for-abuse analysis.
    2. Prior to updating production services, all contributors to the updated software version are required to approve that their changes are working as intended on staging servers.
  5. Service Levels, Backups, and Recovery.

    Qencode’s infrastructure utilizes multiple and layered techniques for increasingly reliable uptime, including the use of autoscaling, load balancing, task queues and rolling deployments. Due to the very large amount of data that Qencode stores, we do not currently make point-in-time backups, although we do use highly redundant data stores and/or rapid recovery infrastructure, making unintentional loss of received data due to hardware failures very unlikely.

  6. Product Security.
    1. Product security is of paramount importance at Qencode. Qencode uses a software development lifecycle in line with general Agile principles. When security effort is applied throughout the Agile release cycle, security oriented software defects are able to be discovered and addressed more rapidly than in longer release cycle development methodologies. Software patches are released as part of our continuous integration process. Patches that can impact end users will be applied as soon as possible but may necessitate end user notification and scheduling a service window.
    2. Qencode performs continuous integration. In this way we are able to respond rapidly to both functional and security issues. Well defined change management policies and procedures determine when and how changes occur. This philosophy is central to DevOps security and the development methodologies that have driven Qencode adoption. In this way, Qencode is able to achieve extremely short mean time to resolution for security vulnerabilities and functional issues alike. Qencode is continuously improving our DevOps practice in an iterative fashion.
  7. Corporate Security.

    All Qencode personnel undergo regular security and privacy awareness training that weaves security into technical and non-technical roles; all employees are encouraged to participate in helping secure our customer data and company assets. Security training materials are developed for individual roles to ensure employees are equipped to handle the specific security oriented challenges of their roles.

  8. Client and Server Hardening.
    1. Exposed server endpoints are recurrently tested for vulnerabilities using multiple types of scanning software as well as manual testing. Request-handling code paths have frequent user re-authorization checks, payload size restrictions, rate limiting where appropriate, and other request verification techniques. All requests are logged and made searchable to operations staff.
    2. Client code utilizes multiple techniques to ensure that using the Qencode application is safe and that requests are authentic, including:
      • IFRAME sandboxing;
      • XSS and CSRF protection;
      • signed and encrypted user auth cookies;
      • and remote invalidation of extant sessions upon password change/user deactivation;
  9. API and Integrations.

    All access to Qencode REST API endpoints require an access key that can be regenerated on demand by customers.

  10. Customer Payment Information.

    We use Stripe, Inc. for payment processing and do not store any credit card information. Stripe is a trusted, Level 1 PCI Service Provider.

  11. Incident Reporting and Ongoing Improvements.

    Qencode encourages users to submit vulnerability reports. If you have a security concern or are aware of an incident, please send an email to security@qencode.com, a carefully controlled and monitored email account.