Qstream Security Trust Center
We care about security. If you have any questions, or encounter any issues, please contact us.
Authentication
Enterprise sites are provisioned with individual dedicated sites and URLs. Access for users can be configured either to use a corporate Single Sign-On service or Qstream’s own in-built authentication system. Access to the Qstream service is via standard web-based user identifier and password, with the ability to enforce password length and complexity.
Clients requiring extended authentication options can also use one of the external single sign-on systems with which we integrate and move password and authentication management entirely outside of Qstream into a platform under their own control.
Using Qstream’s built-in authentication system, users are required to establish a password at initial log-in, and password length and complexity profiles can be enforced for the organization.
Passwords are never stored or viewable in plaintext: they are stored in the database as a one-way salted hash. Password reset requests are facilitated through single-use tokens, so passwords are never sent unencrypted.
Monitoring
The Qstream service is delivered using redundant clustered application and database servers hosted in multiple data centres, supported by a global operations team, with 24/7 service monitoring of all aspects of the service architecture, ensuring a typical average annual uptime in excess of 99.99%.
Logging for all application servers is collated centrally for both automatic and manual analysis by Qstream operations personnel for the purposes of detecting and troubleshooting abnormal conditions.
Any incidents or outages are detected by out-of-band monitoring services and trigger alerts to the operations team. Incidents involving actual or high probability of data loss or leakage are categorized, recorded, and actioned in accordance with Qstream’s incident response policy.
Encryption
Data at rest is encrypted using the industry-standard AES-256 encryption algorithm, and connections between database and application servers are encrypted using Transport Layer Security (TLS). User access to the service is also encrypted using TLS 1.2+.
Data Transfers
Qstream operates data centres in the US and EU and keeps customer data separate between these locations. Qstream employs encryption methods, such as AES-256 encryption at rest and asymmetric encryption for system backups, as well as KMS-based protection for customer secrets like passwords, access tokens, and API keys.
Backups
In addition to live data mirroring across data centres, full daily backups along with five-minute incremental snapshots are maintained. Backups are protected using AES-256 encryption and are stored in multiple geographically dispersed data centres. Backups are maintained for a period of 30 days. Disaster recovery plans are maintained and tested to facilitate rapid re-provisioning of service from backups in alternate data centres in response to loss of primary data centres.
Security
At Qstream, we adopt a hybrid security model that leverages a multi-layer approach, aligning with our SaaS framework. We have established a shared responsibility model, highlighting the security measures we have adopted from our cloud service providers, as well as the security obligations Qstream has towards our clients.
Datacentres
To provide a reliable enterprise service, Qstream uses only industry-leading service providers and has selected Amazon Web Services as its data centre provider. The service is hosted in multiple secure data centres owned and operated by AWS. Amazon has many years of experience in the operation of large-scale data centres, and the infrastructure is designed and managed in alignment with security best practices and a variety of IT security standards.
Data centre access is strictly controlled both at the perimeter and at building ingress points by a 24/7 professional security staff utilizing video surveillance and intrusion detection systems. Access is only permitted for employees and contractors who have a legitimate business need and is revoked once there is no further business requirement for access. Authorized personnel must pass two-factor authentication a minimum of two times to access data centre floors and all access to data centres is fully logged and audited.
Data centres are designed to run without interruption 24/7 having fully redundant power, data and climate control services in addition to UPS and generator backup systems. The environment is protected by a variety of automated fire detection and suppression systems throughout all data centres. Data centres are in multiple geographical regions for optimum service protection and availability.
AWS publishes both SOC 1 / ISAE 3402 and SOC 2 Type II reports, and is certified under multiple accreditations including ISO 27001, ISO 9001, HIPAA, and PCI DSS. AWS has committed to maintain these certifications and continuously work to increase its level of compliance with industry security and audit standards.
Personnel Practices
At Qstream, we emphasise the importance of employee involvement in protecting customer information and company assets. When required by law, Qstream conducts thorough background checks for new hires. To maintain a secure environment, all Qstream employees receive regular privacy and security training tailored to their specific role. This role-based approach ensures that every employee has the necessary resources to effectively address the security-related challenges they may face in their day-to-day responsibilities.
Product Security
Product security is a top priority at Qstream. We embed security considerations into the initial design phase of our product development process. Our Agile approach to software development integrates security throughout the entire release cycle, enabling us to detect vulnerabilities early and resolve them promptly. Our change management policies and procedures provide clear guidelines for when and how changes can be made. This approach is essential to ensuring DevOps security and is a key factor in Qstream’s successful product development.
Security Patch Management
Qstream monitors both vendor and vendor-independent (e.g., CERT) security advisory channels concerning components used in the delivery of its services and assesses relevant notices based on the potential impact to the services. Patches or workarounds for vulnerabilities leading to a high risk of data loss, confidential data leakage or significant service disruption are classed as critical and typically evaluated and installed within 24 hours of release/notice.
As a SaaS solution, the service architecture is designed so that such releases can typically be deployed seamlessly with zero downtime and full roll-back capability. Prior to deployment to production servers, all code changes are peer-reviewed and tested on independent development and test environments which are distinct and separate from production application and database servers. Qstream employs an automated continuous integration test system running a full suite of tests prior to deployment to staging servers. Staging servers are then subject to acceptance testing prior to approval for production deployment.
Certifications, Attestations and Frameworks
Qstream is committed to ensuring the security of our products and services. As part of this commitment, we are actively working towards SOC 2 compliance. This certification demonstrates that we have the necessary controls and processes in place to safeguard customer data and maintain the confidentiality, integrity, and availability of our systems. By striving for SOC 2 compliance, we are demonstrating our dedication to providing a secure environment for our customers and their data. At Qstream, we are confident in the security measures we have in place and are dedicated to continuously improving our security posture to meet the evolving needs of our customers.
Qstream utilizes Amazon Web Services for infrastructure hosting. AWS publishes both SOC 1 / ISAE 3402 and SOC 2 Type II reports, and is certified under multiple accreditations including ISO 27001, ISO 9001, HIPAA, and PCI DSS. AWS has committed to maintain these certifications and continuously work to increase its level of compliance with industry security and audit standards.
Laws and Regulations
Qstream’s solution is in compliance with the various data protection laws and regulations relevant to the services we offer.
GDPR
Qstream is fully compliant with the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018. Qstream is committed to protecting the privacy of individuals who use its services, has aligned its practices with the GDPR, and has published a comprehensive privacy policy describing what data is collected and for what purposes. Where required for transfer purposes, Qstream can execute EU Standard Contractual Clauses, and additionally, Qstream remains certified under the US-EU Privacy Shield Framework.
Vendor Management
Qstream utilizes various third-party applications and services to efficiently deliver our products to customers. Our Security Team at Qstream recognizes the significance of the company’s information assets and vendor relationships in ensuring smooth operations and service delivery. To this end, Qstream’s Security and Vendor Management teams have established a vendor management program that outlines the requirements to be met when engaging with third parties or external vendors. These engagements are aimed at examining the technical, physical, and administrative controls in place to ensure they meet the standards set by both Qstream and our customers. Here is a list of Qstream’s sub processors:
Contact security@qstream.com for a full list of sub processors.
Disclosure
If you suspect the presence of a security bug in Qstream or want to report an incident, kindly reach out to us at security@qstream.com and we will respond within 24 hours.