Qstream Security Trust Center
We care about security. If you have any questions, or encounter any issues, please contact us.
Authentication
Enterprise sites are provisioned with individual dedicated sites and URLs. Access for users can be configured either to use a corporate Single Sign-On service or Qstream’s own in-built authentication system. Access to the Qstream service is via standard web-based user identifier and password, with the ability to enforce password length and complexity.
Clients requiring extended authentication options can also use one of the external single sign-on systems with which we integrate and move password and authentication management entirely outside of Qstream into a platform under their own control.
Using Qstream’s built-in authentication system, users are required to establish a password at initial log-in, and password length and complexity profiles can be enforced for the organization.
Passwords are always encrypted, stored in the database with a one-way salted hash. Passwords cannot be viewed in plaintext. Password reset requests are facilitated through single-use tokens, so passwords are never sent unencrypted.
The Qstream service is delivered using redundant clustered application and database servers hosted in multiple data centres, supported by a global operations team, with 24/7 service monitoring of all aspects of the service architecture, ensuring a typical average annual uptime in excess of 99.99%.
Logging for all application servers is collated centrally for both automatic and manual analysis by Qstream operations personnel for the purposes of detecting and troubleshooting abnormal conditions.
Any incidents or outages are detected by out-of-band monitoring services and trigger alerts to the operations team. Incidents involving actual or high probability of data loss or leakage are categorized, recorded, and actioned in accordance with Qstream’s incident response policy.
Data is encrypted using the industry standard AES-256 encryption algorithm, and connections between database and application servers are encrypted using Transport Layer Security (TLS). User access to the service is also encrypted using TLS 1.2+.
Qstream operates data centres in the US and EU and keeps customer data separate between these locations. Qstream employs encryption methods, such as AES-256 encryption at rest and asymmetric encryption for system backups, as well as KMS-based protection for customer secrets like passwords, access tokens, and API keys.
In addition to live data mirroring across data centres, full daily backups along with five-minute incremental snapshots are maintained. Backups are protected using AES-256 encryption and are stored in multiple geographically dispersed data centres. Backups are maintained for a period of 30 days. Disaster recovery plans are maintained and tested to facilitate rapid re-provisioning of service from backups in alternate data centres in response to loss of primary data centres.
At Qstream, we adopt a hybrid security model that leverages a multi-layer approach, aligning with our SaaS framework. We have established a shared responsibility model, highlighting the security measures we have adopted from our cloud service providers, as well as the security obligations Qstream has towards our clients.
To provide a reliable enterprise service, Qstream uses only industry-leading service providers and has selected Amazon Web Services as its data centre provider. The service is hosted in multiple secure data centres owned and operated by AWS. Amazon has many years of experience in the operation of large-scale data centres and the infrastructure is designed and managed in alignment with security best practices and a variety of IT security standards.
Data centre access is strictly controlled both at the perimeter and at building ingress points by a 24/7 professional security staff utilizing video surveillance and intrusion detection systems. Access is only permitted for employees and contractors who have a legitimate business need and is revoked once there is no further business requirement for access. Authorized personnel must pass two-factor authentication a minimum of two times to access data centre floors and all access to data centres is fully logged and audited.
Data centres are designed to run without interruption 24/7 having fully redundant power, data and climate control services in addition to UPS and generator backup systems. The environment is protected by a variety of automated fire detection and suppression systems throughout all data centres. Data centres are in multiple geographical regions for optimum service protection and availability.
AWS publishes both SOC 1 / ISAE 3402 and SOC 2 Type II reports, and is certified under multiple accreditations including ISO 27001, ISO 9001, HIPAA, and PCI DSS. AWS has committed to maintain these certifications and continuously work to increase its level of compliance with industry security and audit standards.
At Qstream, we emphasise the importance of employee involvement in protecting customer information and company assets. When required by law, Qstream conducts thorough background checks for new hires. To maintain a secure environment, all Qstream employees receive regular privacy and security training tailored to their specific role. This role-based approach ensures that every employee has the necessary resources to effectively address the security-related challenges they may face in their day-to-day responsibilities.
Product security is a top priority at Qstream. We embed security considerations into the initial design phase of our product development process. Our Agile approach to software development integrates security throughout the entire release cycle, enabling us to detect vulnerabilities early and resolve them promptly. Our change management policies and procedures provide clear guidelines for when and how changes can be made. This approach is essential to ensuring DevOps security and is a key factor in Qstream’s successful product development.
Security Patch Management
Qstream monitors both vendor and vendor-independent (e.g., CERT) security advisory channels concerning components used in the delivery of its services and assesses relevant notices based on the potential impact to the services. Patches or workarounds for vulnerabilities leading to a high risk of data loss, confidential data leakage or to significant service disruption are classed as critical and typically evaluated and installed within 24 hours of release/notice.
As a SaaS solution, the service architecture is designed so that such releases can typically be deployed in a seamless manner with zero downtime, with full roll-back ability. Prior to deployment to production servers, all code changes are peer-reviewed and tested on independent development and test environments which are distinct and separate from production application and database servers. Qstream employs an automated continuous integration test system running a full suite of tests prior to deployment to staging servers. Staging servers are then subject to acceptance testing prior to approval for production deployment.