Security policy

Information about the security of the software, systems, and data that make up the Q-CTRL platform

Updated August 8, 2022

We know that our customers rely on us as an important part of their business and decision making processes. We take this responsibility to our customers very seriously, and the security and reliability of the software, systems and data that make up our platform are our top priority.

We have worked to establish the best possible security policy. Nonetheless we reserve the right to modify this at any time without notice.

1. 1. Infrastructure security
2. 2. Application security
3. 3. Payment security
4. 4. Security accreditations
5. 5. Contact us

1. Infrastructure security

Our platform is deployed on Amazon Web Services ("Cloud Service Provider"), allowing us to take advantage of the same secure-by-design infrastructure, built-in protection and global network that Amazon use to protect your information, identities, applications, and devices. Security measures in place at our cloud service provider, include:

• Employee background checks
• Security training for all employees
• Internal security and privacy events
• Dedicated security team
• Dedicated privacy team
• Internal audit and compliance specialists
• Collaboration with the security research community

1.1 Operational security

Our infrastructure is deployed using rigorous security practices. Operations teams at our cloud service provider detect and respond to threats to the infrastructure from both insiders and external actors, 24/7/365.

1.2 Communications

Communications over the Internet are encrypted in transit. Our cloud service provider's network and infrastructure have multiple layers of protection to defend our customers against denial of service attacks.

1.3 Identity

Identities, users, and services are strongly authenticated with multiple factors by our cloud service provider. Access to sensitive data is protected by advanced tools like phishing-resistant security keys.

1.4 Data

Data stored on our infrastructure is automatically encrypted at rest and distributed for availability and reliability. This helps guard against unauthorized access and service interruptions.

1.5 Hardware

From the physical premises to the purpose-built servers, networking equipment, and custom security chips to the low-level software stack running on every machine, our entire hardware infrastructure is cloud service provider-controlled, -secured, -built, and -hardened.

1.6 Compliance

Our infrastructure is subject to regular independent verification of security, privacy, and compliance controls, achieving certifications against global standards to earn your trust, including:

• Argentina Personal Data Protection Law 25,326
• Association of Banks in Singapore (ABS) Guide
• Australian Privacy Principles (APPs)
• Australian Prudential Regulation Authority (APRA) Standards
• California Consumer Privacy Act (CCPA)
• Cloud Computing Compliance Controls Catalog (C5)
• COPPA (U.S.)
• CSA STAR
• EBA Outsourcing Guidelines
• EU Model Contract Clauses
• Federal Financial Institutions Examination Council (FFIEC)
• FedRAMP
• FERPA (U.S.)
• FIPS 140-2 Validated
• FISC (Japan)
• GDPR
• HDS
• Higher Education Cloud Vendor Assessment Tool (HECVAT)
• HIPAA
• HITRUST CSF
• Independent Security Evaluators (ISE) Audit
• IRAP (Information Security Registered Assessors Program)
• ISAE 3000 Type 1 Report
• ISO 27001
• ISO 27017
• ISO 27018
• Monetary Authority of Singapore (MAS) Guidelines
• MPAA
• MTCS (Singapore) Tier 3
• My Number Act (Japan)
• NHS Digital Commercial Third-Party Information Governance Requirements
• NIST 800-171
• NIST 800-34 - Contingency Planning
• NIST 800-53
• OSPAR
• PCI DSS
• Privacy Shield
• SEC Rule 17a-4(f), CFTC Rule 1.31(c)-(d), and FINRA Rule 4511(c)
• SOC 1
• SOC 2
• SOC 3
• South Africa POPI
• Spain Esquema Nacional de Seguridad (ENS)
• The Personal Information Protection and Electronic Documents Act (PIPEDA)
• TISAX
• U.S. Defense Information Systems Agency Provisional Authorization
• UK's Cloud Security Principles

For more information, please see https://aws.amazon.com/security/

2. Application security

We adopt the Open Web Application Security Project (OWASP) Top Ten as a means of ensuring application code is free from flaws and security vulnerabilities. The OWASP Top Ten is a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce a list of the top ten security vulnerabilities affecting web applications. Adopting the OWASP Top Ten ensures our applications are protected against:

1. Broken access control
2. Cryptographic failures
3. Injection
4. Insecure design
5. Security misconfiguration
6. Vulnerable and outdated components
7. Identification and authentication failures
8. Software and data integrity failures
9. Security logging and monitoring failures
10. Server-side request forgery

For more information, please see https://www.owasp.org/.

3. Payment security

We use the Stripe payments platform for the secure transaction and storage of certain payment data. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry. To accomplish this, Stripe makes use of best-in-class security tools and practices to maintain a high level of security.

For more information, please see https://stripe.com/docs/security.

4. Security accreditations

5. Contact us

Please contact us for more information or if you have any security concerns. The best way to do this is via the contact form located at https://q-ctrl.com/contact.

You can also send a letter to us at the following address:

Q-CTRL Pty Ltd
℅ The Quantum Terminal
PO BOX K349 - Sydney Trains
490 Pitt Street
HAYMARKET NSW 1240
Australia