Security
Questback is a European-based company. We take IT security and data security extremely seriously and are 100% GDPR-compliant.
Data Storage Location – Questback uses ISO-certified high-performance data centers 100% hosted in Germany.
Penetration Testing – To achieve the highest level of security, Questback engages independent cyber-security companies to perform regular penetration tests. The most recent test gave very good results.
Data Access – The Questback tenant is protected by a best-practice setup for security, performance and redundancy that has been refined over years. Back-end services and databases are reachable only from inside the tenant and cannot be reached from outside without VPN access. All resources on the Questback tenant that are reachable from outside are encrypted with TLS (SSL). Direct back-end access is granted only through personal VPN accounts secured by two-factor authentication (2FA).
Audit Logs – Questback also provides audit logs of administrator activity and of user access to data.
Authentication – Every request, internal or external, is authenticated and checked for authorisation. All data requests come from authenticated and approved users, using forms-based or SAML 2.0 authentication.
Secure Login – Questback users are protected by single sign-on (SSO) and multi-factor authentication (MFA).
PII and Data Encryption – Volume encryption is enabled on all volumes inside the Questback tenant to provide encryption at rest. The encryption keys are stored in a Hardware Security Module (HSM) that meets the Federal Information Processing Standards (FIPS) 140-2 Level 3 security certification. The master key stored in the HSM is an AES-256 key. In addition to the volume encryption, Questback databases are encrypted with Transparent Data Encryption (TDE) using a separate AES-256 master key. TDE encrypts the database storage files on disk; like volume encryption, it protects data at rest and does not replace the access controls that govern authenticated database sessions.
All incoming customer requests to the Questback tenant use TLS (encryption in transit).
Product Security – Security is incorporated into every phase of the software development life cycle. Security is built into the code from inception rather than addressed only after testing reveals critical product flaws. Security is part of the planning phase, considered before any code is written. We test code early and often, and we employ static and dynamic testing throughout the development process. We define software security requirements alongside the functional requirements, and we conduct risk analysis during design so that we can identify potential threats from the deployment environment.
Business Continuity – The Questback Essentials application is configured for near-continuous availability, with redundant hardware and software that keep it available despite failures. Multiple components can perform the same task and are distributed across two or three data centers. Single points of failure are eliminated because redundant components can take over a task from a component that has failed. As part of our disaster-recovery preparation, we test the full restore procedure to ensure it meets our expectations.
System Redundancy and Backups – Storage is designed to be highly durable. Multiple copies of the data are stored across servers in different data centers. In addition, data integrity is actively monitored using checksums: corrupt data is automatically detected and repaired from redundant copies, and any loss of redundancy is actively managed by recreating a copy of the data.
In addition to high availability, we run policy-based backups that are performed automatically on a schedule and retained according to a backup policy. These backups can be restored across data centers.
IT and Data Security Training – Questback regularly trains its staff on IT and data security; an IT security training programme, including security-threat simulations run by independent external parties, is currently ongoing.
For more details, see our Trust Center: https://www.questback.com/trust-center/