Overview

CorpQNA takes information security and privacy very seriously. Through a combination of internal controls, product features, and external security techniques, we verify the security of client data on an ongoing basis.

SDLC

Security is an integral part of our software development lifecycle (SDLC). Security testing is performed by developers and QA during the software development and test periods using both automated tools and manual testing. We conduct regular security code reviews before all software releases and build security and training for security into our day to day processes.

Security Features

In addition to our Secure SDLC, we have also built the following features into our products to ensure that our customers’ data is secure.
  • ALL database queries are parameterized, eliminating the possibility of SQL Injection attacks.
  • Passwords are one-way encrypted and stored in a salted SHA 256-bit format. One-way encryption ensures that no one, including CorpQNA, is able to discover plain text value of the passwords.
  • When using SSO, remote passwords for users are not stored at all.
  • Complete credit card numbers are not stored in CorpQNA databases. They are security transmitted to Stripe.com using their approved libraries.
  • Cross-site scripting (XSS) protection across the entire site.
  • CorpQNA is prevented from being embedded in Frames or an iFrame by default, except for explicit, user-created FAQ sharing via IFRAMES.
  • Cookies require SSL and are forced to HTTP-only.
  • Fine granted access control at the group and user level per Space and for the site as a whole.
  • User uploaded content is automatically passed through a HTML sanitizer to ensure that no invalid content is posted by users.
  • All site activity is logged for retrieval later in the event of a breach or mistakes posting content into incorrect areas by users.
  • Auditing and threat detection is active on all database servers and databases.

Infrastructure

All of our services run in the cloud. CorpQNA does not run our own routers, load balancers, DNS servers, or physical servers. The majority of our services and data are hosted in Microsoft Azure facilities hosted in the USA.

CorpQNA services have been designed and constructed with disaster recovery in mind. All of our infrastructure is spread across different data centers and will continue to operate should any one of those data centers fail unexpectedly. CorpQNA uses Azure's backup solutions for datastores that contain customer data.

Service Levels

We have system uptime of 99.9% or higher.

Data

All customer data is stored in the USA. Our databases are fully encrypted at rest, including all backups. ALL database queries are parameterized, eliminating the possibility of SQL Injection attacks.

Data Transfer

CorpQNA is served 100% over HTTPS. All data sent to or from CorpQNA is encrypted in transit using 256 bit encryption. Our API and application endpoints use TLS 1.2.

Authentication

We have two-factor authentication (2FA) and strong password policies on our source control and cloud management systems to ensure access to cloud services are protected.

Backup and Disaster Recovery

Many of the low-level components that make up the CorpQNA production infrastructure are provided Microsoft Azure and are designed with multiple redundancies for maximum uptime. At the database layer, all data is real-time replicated to a second master database located in a different geographical location. Regular database backups are stored in an off-site backup. The CorpQNA Disaster Recovery plan is updated at least annually and tested at least once a year

Application Monitoring

We keep audit logs for all application activity. All access to CorpQNA applications is logged and audited.

We continuously monitor for threats and vulnerabilities, taking proactive steps to ensure that our site and your data are secure.

Security Audits

We conduct regular internal security audits of our code-base and cloud environments. These activities allow us to proactively work to resolve potential issues. Auditing allows us to do ad-hoc security analysis, track changes made to our setup and audit access to every layer of our stack.

Incident Response

The CorpQNA incident response plan involves four steps – Detection, Analysis, Response, and Post-Mortem.
  • Detection – monitoring of systems, security alerts, vulnerability scanning, security code reviews, and penetration testing to detect security incidents.
  • Analysis – multi-faceted analysis and prioritization of detected security events.
  • Response – based on the prioritization. This phase may contain notification to affected customers and software or infrastructure updates.
  • Post-Mortem – recovery and lessons learned to prevent similar issues in the future.

The incident response process is tested at least once a year. During the Response phase, there are provisions in case of a breach involving customer or personal data.

PCI DSS

All payment instrument processing is outsourced to Stripe. We do not store full credit card numbers in our databases. All communication with Stripe occurs over HTTPS. Stripe is certified as a PCI Level 1 Service Provider.