Security Policy

We take security and privacy seriously, adhering to enterprise-level security standards that keep your customer data protected.


Security team

We have a globally distributed infrastructure and security team on call 24/7. Our team continuously monitors security notifications for all third-party software libraries we use and, when a relevant vulnerability is identified, applies the corresponding security patches as soon as they are released.


Infrastructure

All of Quaderno's application and data infrastructure is hosted on DigitalOcean, a highly scalable cloud computing platform with end-to-end security and privacy features built in.

For more specific details regarding DigitalOcean security, please refer to https://www.digitalocean.com/legal/data-security/.


Application

Through the use of automated and manual analysis, as well as constant security review of third-party libraries, we ensure to the best of our abilities that we are delivering products that are free from security defects. All Quaderno web application communications support TLS v1.2.

Additionally, we support a number of security focused features to help keep your data safe:

  • Access to the information stored within Quaderno's servers is restricted to a limited number of Quaderno employees, who can access the information only in specific and limited circumstances and are bound by confidentiality.
  • Quaderno's servers are protected by (1) firewalls establishing a barrier between our trusted, secure internal network and the Internet and (2) IP restrictions, limiting access to whitelisted IP addresses.
  • We use TLS v1.2 to encrypt all data in transit for all internal and external endpoints, providing secure transfer of data to prevent wiretapping and man-in-the-middle attacks.
  • Public access to databases and developer endpoints is restricted with passwords and API credentials.

Engineering and operational practices

We design all services with high availability in mind. Our goal is to deliver 99.99% uptime across all our products. In order to achieve this goal, we follow a number of engineering best practices:

  • Immutable infrastructure - We don’t make changes to live code or running servers in production. Where applicable, we treat both our software and our infrastructure configuration as code, which means all changes go through a formal code review, automated testing and automated deployment process.

  • Continuous integration and delivery - We use continuous integration, deployment automation and configuration management tools to build, test and deploy code multiple times a day.

  • Incident response - Our dedicated infrastructure and security team is on a rotating on-call schedule to respond to any security or availability incidents immediately.


Reporting an issue

Our bug bounty program is temporarily closed. Thanks for your interest.