BEST PRACTICES
Incident Response Plan
When a security event is detected it is escalated to our emergency team, who are notified and assembled to address it rapidly.
We notify affected customer(s) as soon as possible.
After a security event is fixed we write up a post-mortem analysis.
The analysis is reviewed in person, distributed across the company and includes action items that will make the detection and prevention of a similar event easier in the future.
Build Process Automation
We have functioning, frequently used automation in place so that we can safely and reliably roll out changes to both our application and our operating platform within minutes.
We deploy code every 2 weeks on average, and we can also deploy hotfixes in minutes, so we are confident that we can get a security fix out quickly when required.
INFRASTRUCTURE
All of our services run in the cloud. Qondor does not run its own routers, load balancers, DNS servers or physical servers.
All services and data are hosted in Microsoft Azure facilities in Ireland (within the EU), and services have been built with disaster recovery in mind. Read more about Microsoft Azure security at https://www.microsoft.com/en-us/trustcenter.
All of our servers are within our own virtual private cloud (an Azure Virtual Network), with network access control lists (ACLs) that block unauthorized requests before they reach our internal network.
Qondor uses Azure Backup and keeps 30 days of backup history.
DATA
All customer data is stored in the EU.
Most customer data is stored in multi-tenant datastores, so tenant isolation depends on application-level privacy controls. We have many unit and integration tests in place to ensure that these controls work as expected. The tests run every time our codebase is updated, and a single failing test blocks new code from being shipped to production.
All data is encrypted at rest using Azure Storage Service Encryption (SSE), which uses 256-bit AES.
All customers can define their own Data Retention Policies to ensure the anonymisation of personal data when they are no longer needed.
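Two of the controls described above lend themselves to a concrete check: the tenant-isolation tests for shared datastores and the retention sweep that anonymises personal data once a customer's retention period has passed. The following is an added example, not Qondor's code. It assumes a single SQLite table with a tenant_id column, a repository class that binds the caller's tenant into every query, and an in-memory retention job whose field set, HMAC-based pseudonymisation and sample records are all constructed for illustration.

```python
"""Tenant-isolation test and retention anonymisation sweep (added example, not Qondor's code)."""
import hashlib
import hmac
import sqlite3
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# ---- Part 1: tenant isolation in a shared datastore -------------------------
SCHEMA = """
CREATE TABLE participants (
    id        INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    email     TEXT NOT NULL
);
CREATE INDEX ix_participants_tenant ON participants (tenant_id);
"""

class TenantScopedRepo:
    """Every query takes the tenant from the constructor and binds it as a parameter."""
    def __init__(self, conn, tenant_id):
        self._conn = conn
        self._tenant_id = tenant_id

    def add(self, email):
        cur = self._conn.execute(
            "INSERT INTO participants (tenant_id, email) VALUES (?, ?)",
            (self._tenant_id, email))
        return cur.lastrowid

    def get(self, participant_id):
        # The tenant predicate is what stops an IDOR-style read of another
        # tenant's row by guessing its integer id.
        return self._conn.execute(
            "SELECT id, email FROM participants WHERE id = ? AND tenant_id = ?",
            (participant_id, self._tenant_id)).fetchone()

    def search(self, needle):
        return self._conn.execute(
            "SELECT id, email FROM participants WHERE tenant_id = ? AND email LIKE ?",
            (self._tenant_id, f"%{needle}%")).fetchall()

class LeakyRepo(TenantScopedRepo):
    """Deliberately broken variant: get() omits the tenant predicate. Exists only
    to show that the isolation test below catches the regression."""
    def get(self, participant_id):
        return self._conn.execute(
            "SELECT id, email FROM participants WHERE id = ?", (participant_id,)).fetchone()

def isolation_violations(repo_cls):
    """Seed two constructed tenants and return the leaks found (empty list = isolated)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    a, b = repo_cls(conn, "tenant-a"), repo_cls(conn, "tenant-b")
    a_id = a.add("alice@example.com")
    b_id = b.add("bob@example.com")
    leaks = []
    if b.get(a_id) is not None:            # cross-tenant read by id
        leaks.append("get: tenant-b read tenant-a row by id")
    if a.get(b_id) is not None:
        leaks.append("get: tenant-a read tenant-b row by id")
    if any(email != "alice@example.com" for _, email in a.search("@")):
        leaks.append("search: tenant-a saw foreign rows")
    if a.get(a_id) is None or b.get(b_id) is None:   # positive control
        leaks.append("own rows not visible (fixture broken)")
    conn.close()
    return leaks

# ---- Part 2: per-customer retention policy with anonymisation ---------------
REFERENCE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # fixed clock for the sample

@dataclass
class Participant:
    customer: str
    last_activity: datetime
    name: str
    email: str
    phone: str
    anonymised: bool = False

def pseudonym(value, key):
    """Keyed hash: stable for de-duplication, not reversible without the key."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]

def apply_retention(records, policies, now, key, default_days=None):
    """Anonymise records whose last activity is older than the customer's retention
    period. policies maps customer -> days. A customer without a policy is left
    untouched unless default_days is set. Returns the records changed."""
    changed = []
    for r in records:
        days = policies.get(r.customer, default_days)
        if r.anonymised or days is None or now - r.last_activity < timedelta(days=days):
            continue
        r.name = ""
        r.email = pseudonym(r.email, key) + "@anonymised.invalid"
        r.phone = ""
        r.anonymised = True
        changed.append(r)
    return changed

def sample_records():
    """Constructed sample data, not real customer data."""
    return [
        Participant("acme", REFERENCE_NOW - timedelta(days=45), "Alice Example", "Alice@example.com", "+353 1 000 0000"),
        Participant("acme", REFERENCE_NOW - timedelta(days=10), "Bob Example", "bob@example.com", "+353 1 000 0001"),
        Participant("globex", REFERENCE_NOW - timedelta(days=400), "Carol Example", "carol@example.com", "+353 1 000 0002"),
    ]

if __name__ == "__main__":
    print("scoped repo:", isolation_violations(TenantScopedRepo) or "no leaks")
    print("leaky repo: ", isolation_violations(LeakyRepo))
    recs = sample_records()
    print("anonymised:", [r.customer for r in apply_retention(recs, {"acme": 30}, REFERENCE_NOW, b"demo-key")])
```

The isolation check is written as a function that returns a list of findings rather than raising, so it can run against every repository class in a CI job and fail the build on any non-empty result, which is the "one failing test blocks the release" behaviour described above. The retention sweep anonymises rather than deletes so that aggregate event statistics survive, and it deliberately does nothing for a customer with no policy unless a default is supplied, because silently applying a guessed period to customer data is the worse failure.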
Qondor uses e-mail services provided by Mandrill (part of Mailchimp) in the US; the transfer is legally based on Mailchimp's Standard Contractual Clauses (SCC). Mandrill sends e-mail using opportunistic TLS, which means a message is encrypted in transit only when the receiving mail server offers STARTTLS and is otherwise delivered in the clear.
Qondor uses SMS services provided by Twilio, contracted through its Irish entity; Twilio's processing in the US is based on Standard Contractual Clauses (SCC) and Twilio's Binding Corporate Rules.
DATA TRANSFER
All data sent to or from Qondor is encrypted in transit using TLS with 256-bit symmetric encryption.
APPLICATION MONITORING
At the application level we produce audit logs for most activity.
ACCESS CONTROL
All customers can turn on Multi-Factor Authentication (MFA) for Project Managers signing in to Qondor.
GDPR COMPLIANCE
We are committed to supporting our customers in complying with the General Data Protection Regulation (GDPR):
Read our Privacy Policy
Automatic breach detection and notification is in place
Define Data Retention Policies
Reviewed our contract commitments with our customers and vendors
Privacy by Design is a core development principle at Qondor
We closely follow the developing interpretations and guidelines on key provisions of the GDPR from the EU Article 29 Working Party (succeeded in 2018 by the European Data Protection Board) and adapt our plans accordingly.
PCI OBLIGATIONS
Qondor is not subject to PCI DSS obligations because it does not handle payment card data itself: all payment instrument processing is outsourced to Stripe and Nets.