Incident Response Plan
- When security events are detected they are escalated to our emergency team who are notified and assembled to rapidly address the event.
- We notify affected customer(s) as soon as possible.
- After a security event is fixed we write up a post-mortem analysis.
- The analysis is reviewed in person, distributed across the company and includes action items that will make the detection and prevention of a similar event easier in the future.
Build Process Automation
- We have functioning, frequently used automation in place so that we can safely and reliably roll out changes to both our application and operating platform within minutes.
- We deploy code every 2 weeks on average, and we can also deploy hotfixes in minutes, so we are confident that we can get a security fix out quickly when required.
- All of our services run in the cloud. Qondor does not run its own routers, load balancers, DNS servers or physical servers.
- All services and data are hosted in Microsoft Azure facilities in Ireland (within the EU), and services have been built with disaster recovery in mind. Read more about Microsoft Azure security at https://www.microsoft.com/en-us/trustcenter.
- All of our servers are within our own virtual private cloud (VPC), with network access control lists (ACLs) that prevent unauthorized requests from reaching our internal network.
- Qondor uses the Microsoft Azure backup solution, keeping 30 days of historical backup data.
- All customer data is stored in the EU.
- Most customer data is stored in multi-tenant datastores. We have many unit and integration tests in place to ensure that privacy controls work as expected. These tests are run every time our codebase is updated, and even a single failing test will prevent new code from being shipped to production.
- All data is encrypted at rest using Azure SSE.
- All customers can define their own Data Retention Policies to ensure the anonymisation of personal data when it is no longer needed.
- Qondor uses e-mail services provided by Mandrill (part of Mailchimp) in the US; the transfer is legally based on Mailchimp’s Standard Contractual Clauses (SCC). Mandrill encrypts all e-mails using opportunistic TLS when sending e-mails.
- Qondor uses SMS services provided by the Irish company Twilio; Twilio’s processing in the US is based on Standard Contractual Clauses (SCC) and Twilio’s Binding Corporate Rules.
- All data sent to or from Qondor is encrypted in transit using 256-bit encryption.
- On an application level, we produce audit logs for most activity.
- All customers can turn on Multi-Factor Authentication for Project Managers signing into Qondor.
We are committed to supporting our customers in complying with the General Data Protection Regulation (GDPR):
- Automatic breach detection and notification is in place.
- Customers can define Data Retention Policies.
- We have reviewed our contract commitments with our customers and vendors.
- Privacy by Design is a core development principle at Qondor.
- Read our GDPR Readiness Guide here.
We're closely following the developing interpretations and guidelines on key provisions of the GDPR from the EU Article 29 Working Party and are adapting our plans accordingly.