Organizational Security
Q4’s mission is to ensure that important principles such as security, compliance and privacy are at the forefront of every product and service we provide. We believe in ensuring that data remains secure, and that protecting it is one of our most important responsibilities. Q4 is committed to maintaining transparency about our security practices and helping you understand our methodology. Q4’s industry-leading security program is based on the concept of defense by design: securing our organization, and your data, at every layer, and at every step of the process. Our security program is aligned with ISO 27000 and SOC2 standards, and is constantly evolving with updated guidance and new industry best practices. Q4’s security team is responsible for the implementation and management of our security program. The Q4 Security Team focuses on Security Architecture, Product Security, Security Engineering and Operations, Detection and Response, and Risk and Compliance.
Introduction
Protecting Customer Data
The focus of Q4’s security program is to prevent unauthorized access to customer and proprietary data. To this end, our team of dedicated security practitioners, working in partnership with peers across the company, takes exhaustive steps to identify and mitigate risks, implement best practices, and constantly develop ways to improve.
Secure By Design
Q4’s product security team has built a robust secure development lifecycle. While we strive to catch all vulnerabilities in the design and testing phases, we realize that sometimes mistakes happen. With this in mind, we encourage anyone to submit bug reports to our support team for consideration. All identified vulnerabilities are validated for accuracy, triaged, and tracked to resolution.
External Validation
Security Compliance Audits
Q4 is continuously monitoring, auditing, and improving the design and operating effectiveness of our security controls. These activities are regularly performed by both third-party credentialed assessors and Q4’s internal security, privacy, risk and compliance teams. Audit results are shared with senior management and all findings are tracked to resolution in a timely manner. Q4 has achieved SOC 2 Type 2 certification. Please reach out to our Support team for a copy if required.
Penetration Testing
In addition to our compliance audits, Q4 engages independent entities to conduct application-level and infrastructure-level penetration tests at least annually. Results of these tests are shared with senior management and are triaged, prioritized, and remediated in a timely manner. Customers may receive executive summaries of these activities by requesting them from their Q4 account representative.
Customer Driven Audits and Penetration Tests
Our customers are welcome to perform either security controls assessments or penetration testing on Q4’s environment. Please contact your account representative to learn about options for scheduling such activities.
Encryption
Data in transit
All data transmitted between Q4 clients and the Q4 service is protected using strong encryption protocols. Q4 supports the latest recommended secure cipher suites to encrypt all traffic in transit, including TLS 1.2, AES-256 encryption, and SHA-256 signatures, whenever supported by the clients.
Data at rest
Data at rest in Q4’s production network is encrypted using NIST-compliant encryption standards, which apply to all types of data at rest within Q4’s systems: disks, volumes, database backups, etc. All encryption keys are stored on a secure server in a segregated network with very limited access. Q4 has implemented appropriate safeguards to protect the creation, storage, retrieval, and destruction of secrets such as encryption keys and service account credentials. Each Q4 customer’s data is hosted in our multi-tenant infrastructure and logically segmented from other customers’ data. We use a combination of storage and caching technologies to ensure customer data is protected from hardware failures and is served quickly, from anywhere in the world, when requested. The Q4 service is hosted in data centers maintained by industry-leading service providers, offering state-of-the-art physical protection for the servers and infrastructure that comprise the Q4 operating environment.
Network Security and server hardening
Q4 divides its systems into separate networks to better protect sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting Q4’s production infrastructure. All servers within our production environments are hardened (e.g. disabling unnecessary ports, removing default passwords, etc.) and have a base configuration image applied to ensure consistency across the environment. Network access to Q4’s production environment from open, public networks (the Internet) is restricted, with only a small number of production servers accessible from the Internet. Only those network protocols essential for delivery of Q4’s service to its users are open at our perimeter, and mitigations against distributed denial of service (DDoS) attacks are deployed at the network perimeter. Additionally, for host-based intrusion detection and prevention, Q4 collects, monitors, and audits all relevant logs and uses an IDS to alert on log entries that indicate a potential intrusion.
Endpoint Security
All workstations issued to Q4 personnel are configured by Q4 to comply with our standards for security. These standards require all workstations to be properly configured, updated, and tracked and monitored by Q4’s endpoint management solutions. Q4’s default configuration sets up workstations to encrypt data at rest, have strong passwords, and lock when idle. Workstations run up-to-date monitoring software to report potential malware and unauthorized software. Client data is prohibited from being stored on any mobile device or transferred outside of approved repositories.
Access Control
Provisioning
Q4 adheres to the principles of least privilege and role-based permissions when provisioning access. Employees are only authorized to access data that they reasonably must handle in order to fulfill their current job responsibilities. All production access is reviewed at least quarterly through a thorough access audit.
Authentication
To further reduce the risk of unauthorized access to data, Q4 employs multi-factor authentication for all access to systems with highly sensitive data, including our production environment, which houses our customer data. Where possible and appropriate, Q4 uses private keys for authentication, in addition to the previously mentioned multi-factor authentication on a separate device.
Password Management
Q4 requires personnel to use an approved password manager in accordance with a strict and best-practice password complexity policy. Password managers generate, store, and enter unique and complex passwords to avoid password reuse, phishing, and other password-related risks.
System Monitoring, Logging, and Alerting
Q4 monitors servers, workstations and mobile devices to retain and analyze a comprehensive view of the security state of our corporate and production infrastructure. Administrative access and activity on all servers in Q4’s production network are logged and retained. Analysis of logs is automated to the extent practical to detect potential issues and alert responsible personnel. All production logs are stored in a separate network that is restricted to only the relevant security personnel.
Data retention and disposal
Q4 hard deletes all information from currently running production systems, and backups are encrypted and destroyed securely using NIST data disposal standards. Q4’s hosting providers are responsible for ensuring that removal of data from disks is performed in a responsible manner before the disks are repurposed.
Disaster Recovery and Business Continuity Plan
Q4 utilizes services deployed by its hosting provider to distribute production operations across two separate physical locations. These two locations are both US based (California and Virginia), and protect Q4’s service from loss of connectivity, power infrastructure, and other common location-specific failures. Production transactions are replicated among these discrete operating environments to protect the availability of Q4’s service in the event of a location-specific catastrophic event. Q4 also retains a full backup copy of production data in this redundant location, significantly distant from the location of the primary operating environment. Full backups are saved to this remote location at least once per day. Q4 tests backups at least quarterly to ensure they can be successfully restored.
Responding to Security Incidents
Q4 has established policies and procedures for responding to potential security incidents. All security incidents are managed by Q4’s Incident Response Team. The playbooks define the types of events that must be managed via the incident response process and classify them based on severity. In the event of a confirmed incident, affected customers will be informed via email from our Communications team. Incident response procedures are tested through the use of fire drills and updated at least annually.
Vendor Management
To run efficiently, Q4 relies on sub-service organizations. Where those sub-service organizations may impact the security or reliability of Q4’s production environment, we take appropriate steps to ensure our security posture and uptime are maintained by establishing agreements that require service organizations to adhere to the confidentiality and uptime commitments we have made to users, while ensuring redundancy between vendors as required. Q4 monitors the effective operation of the organization’s safeguards by conducting reviews of all service organizations’ controls before use and at least annually.
Conclusion
At Q4, we have an unwavering mission to protect your data. Security is the beating heart of our organization, and is a cornerstone of every facet of the business we perform. Safeguarding your data is of the utmost importance to us, and it is a responsibility we hold to our customers. We continue to work hard and improve our security posture year over year, in an effort to build trust between ourselves and our customers.
Please contact your account representative or our support team if you have any questions or concerns.