Security

Effective: 28th of January, 2019

Security is one of the biggest considerations in everything we do. If you have any questions after reading this, or encounter any issues, please let us know.

Practices

Qualitista forces HTTPS for all services using TLS 1.2 or newer (the protocol that succeeded SSL), including our public website and our app, to keep your data encrypted in transit. Your data is also encrypted at rest with LUKS.

Qualitista has servers in secure and ISO27001 compliant datacenters in Germany. We run our services on Google Cloud & Google Firebase. We protect all of those from attacks and abuse:

  • We harden our servers with additional security measures, like making sure restrictive firewalls are configured and login is only allowed in a secure manner
  • Access to our servers is tightly controlled and we keep audit logs of all issued commands
  • We regularly patch and update the software we run, and we run periodic scans to find out-of-date software

We use HSTS to ensure browsers interact with Qualitista only over HTTPS. We use various other HTTP security headers to keep our network traffic as restricted as possible.

Team awareness

Qualitista employs and develops security-aware people. We require MFA from our employees for all external services where possible, and we use a password manager for both personal passwords and secret management.

Account and data security

In addition to the work we do at the infrastructure level, we provide Account Administrators with additional tools to limit their users' access to Customer Data via role management. You can also configure Qualitista to never store sensitive Customer Data - we provide the option to mask out any contact details (e-mail, phone number), the client's name and their bank credentials. That way nothing sensitive will rest on our side.

Deletion of Customer Data

Qualitista provides the option for an account owner to delete Customer Data at any time by removing the Support Desk integration. Qualitista then hard deletes all information from currently-running production systems (excluding account, team and ticket internal IDs, which are embedded in URLs in web server access logs). Qualitista service backups are destroyed within 14 days.*

We send you emails only from qualitista.com addresses and we have set up DMARC reject mode to make it hard for criminals to send phishing emails from our domain.
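The HSTS and DMARC settings described above are the kind of posture a customer can verify from the outside. The following check is an added example, not Qualitista's own code; the DMARC record and HSTS header values in it are constructed placeholders, not Qualitista's real DNS records or response headers.

```python
# Constructed sample values for illustration only; NOT real Qualitista records.
SAMPLE_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; pct=100"
SAMPLE_HSTS = "max-age=31536000; includeSubDomains"


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of lowercase tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_posture(record):
    """Return (ok, reason); ok only when reject is enforced for the domain and subdomains."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return False, "not a DMARC1 record"
    policy = tags.get("p", "").lower()
    if policy != "reject":
        return False, "policy is %s, not reject" % (policy or "missing")
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p when absent
    if subdomain_policy != "reject":
        return False, "subdomain policy is %s, not reject" % subdomain_policy
    if tags.get("pct", "100") != "100":
        return False, "pct below 100 leaves part of the mail flow unenforced"
    return True, "reject enforced for domain and subdomains"


def parse_hsts(header):
    """Parse a Strict-Transport-Security header into a dict of lowercase directives."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            directives[key.strip().lower()] = value.strip().strip('"')
        elif part:
            directives[part.lower()] = True
    return directives


def hsts_posture(header, min_age=31536000):
    """Return (ok, reason); ok when max-age is at least min_age and subdomains are covered."""
    directives = parse_hsts(header)
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return False, "max-age missing or malformed"
    if int(max_age) < min_age:
        return False, "max-age %s is below %d" % (max_age, min_age)
    if "includesubdomains" not in directives:
        return False, "includeSubDomains missing"
    return True, "HSTS enforced with subdomains covered"
```

In practice the inputs would come from a DNS TXT lookup of _dmarc.<domain> and the HTTPS response headers of the site; both parsers treat unknown tags as harmless.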

Policies

We are GDPR-compliant; find out more from our Privacy policy.


If you have additional questions regarding security, we are happy to answer them. Please write to team@qualitista.com and we will respond as quickly as we can.