Security Policy

Last revised on July 1, 2023 and effective as of August 1, 2023.

Qualitative.io handles data related to your users, so keeping your company's data secure is a top priority. As a data company, we understand and stress the importance of complying with global privacy regulations. As such, data privacy and security are things that we take very seriously at Qualitative.io. Our goal is to provide a secure environment while also keeping our application's performance at the highest quality, to give you the best overall user experience.

From time to time, customers ask us security questions about Qualitative.io. In general, we don't like to expose much information about our security practices, because it only helps the very people we're securing ourselves against. But we're serious about transparency and realize security is important to our customers. Below we share answers to the questions we feel are most important for our customers to know.

Operational Security/Internal Protocol

Security is the responsibility of all Qualitative.io employees, and we take measures to ensure that access to our systems and your data is restricted only to those who need access in order to provide you awesome support.

Our Site Reliability Engineering (SRE) team is tasked with the operational aspects of our business, and ensures information security.

All backend machines that run our infrastructure are kept up to date and patched. All software installation is strictly controlled. Access to these machines is restricted to members of the SRE & backend server team.

Our organization's Development, Test, and Operational systems are separated.

We also have strict requirements for all employees, including but not limited to the following.

All staff machines must comply with our Confidentiality Policy which includes a requirement to "take all reasonable measures to protect the security and prevent the unauthorized access or disclosure of all confidential information".

The majority of our staff are fully remote and adhere to specific requirements, such as encryption of storage media, use of two-factor authentication (2FA), and strong passwords, as well as specific recommendations such as configuring computers and phones to lock after a certain period of inactivity. Additionally, all communication is done through securely encrypted channels using modern, strong encryption.

For the employees that work from our San Francisco Headquarters, our office has cameras and requires a key to access.

A thorough employee termination/access removal process is followed for outgoing employees.

Application Security

All communication between users and the Qualitative.io application is over secure, encrypted channels with 128-bit TLS encryption, and all requests to retrieve or alter data must be authenticated.

Qualitative.io account passwords are hashed. Our own staff can't even view them. If you lose your password, it can't be retrieved -- it must be reset. Qualitative.io monitors ongoing security, performance and availability 24/7.

Periodic audits are run by our manager to review compliance with security policies and procedures. If violations are found, corrective actions are taken immediately.

We offer 2FA and recommend that all team members enable it for added protection on their accounts.

Data Center Security

Qualitative.io is compliant with the EU-U.S. Data Privacy and the Swiss-U.S. Data Privacy Frameworks as set forth by the U.S. Department of Commerce (https://www.dataprivacyframework.gov/). Qualitative.io is compliant with the EU General Data Protection Regulation (GDPR) (https://gdpr.eu/).

Our data centers manage physical security 24/7. More specifically, our website and app (https://qualitative.io/) are hosted on Amazon Web Services (https://aws.amazon.com/security/).

Our servers are located in the US, and access to them is restricted to infrastructure engineers and maintenance staff. Each employee is given access through a unique key that can be revoked if needed, and is required to connect through our 2FA-enabled VPN.

If you require compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA), it's generally a best practice not to send sensitive protected health information (PHI) over email. We always recommend sending your customers an email with a link back to a secure area on your site, where they can properly authenticate themselves with your service prior to viewing any sensitive information.

Privacy

You can view our privacy policy, which outlines specific details about how we safeguard information. Qualitative.io complies with the EU-U.S. Data Privacy and the Swiss-U.S. Data Privacy Frameworks as set forth by the U.S. Department of Commerce.

If you have more in-depth questions about our security program, let us know at security@qualitative.io.

Additional Resources

If your organization requires a Data Processing Agreement (DPA), you can download our signed agreement at https://qualitative.io/document/DPA-GDPR.pdf. After completing the document, please email it to security@qualitative.io. If you need to contact our Data Protection Officer, please email security@qualitative.io.
