Security Statement


This security statement applies to all the products, services and websites offered by Qualia Analytics Ltd., Qualia Analytics LLC, and affiliate or subsidiary brands, except where otherwise noted. We refer to those products, services and websites collectively as “services” in this statement. Unless otherwise noted, our services are provided by Qualia Analytics LLC inside of the United States, and by Qualia Analytics Ltd. everywhere else.

At Qualia Analytics we make it a priority to take our users’ security and privacy concerns seriously. We strive to ensure that user data is kept securely, and that we collect only as much personal data as is required to provide our services to users in an efficient and effective manner.

Qualia Analytics uses best security practices that adhere to industry standards for storing and accessing data. This Security Statement is aimed at being transparent about our security infrastructure and practices, to help reassure you that your data is appropriately protected.

1. Application and User Security
  • SSL/TLS Encryption.

    Users can determine whether to collect survey responses over secured, encrypted SSL/TLS connections. All communications with the Qualia Analytics servers are encrypted using SSL/TLS. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) technology (the successor technology to SSL) protects communications by using both server authentication and data encryption. This ensures that user data in transit is safe, secure, and available only to intended recipients.

  • User Authentication.

    User data on our database is logically segregated by account-based access rules. Users can only access surveys that are associated with their organisation. User passwords, which must be entered each time the user logs on, are hashed using bcrypt and stored in our secure database. After the user is successfully authenticated, Qualia Analytics issues an encrypted session cookie, used only to identify the user in the system for the duration of a specific session. The session cookie stores encrypted user information, which is protected by 256-bit AES encryption and cannot be deciphered.

  • User Passwords.

    Each User Account needs a unique email address and an associated password. Passwords are randomly salted and hashed using the industry-standard bcrypt hashing function.

  • API Access.

    To access the stored data programmatically, Qualia Analytics APIs use JWT authentication tokens to provide secure access with short-lived access tokens that can be refreshed programmatically.

  • Data Encryption.

    Certain sensitive user data, such as account passwords, is stored in hashed format. In addition, certain fields (e.g. email addresses, addresses and names) can, if requested, be stored encrypted directly in the database and decrypted as needed to ensure the sensitive data cannot be leaked. However, encrypted fields become unfilterable, and aggregation and processing time increases.

  • Data Portability.

    Qualia Analytics enables you to export your data from our system in a variety of formats, such as XLS, CSV, PDF, HTML and SPSS, so that you can back it up or use it with other applications.

  • API Access.

    We have a comprehensive Privacy Policy that provides a very transparent view of how we handle your data, including how we use your data, who we share it with, and how long we retain it.

2. Availability
  • Power.

    Servers have redundant internal and external power supplies.

  • Uptime.

    Continuous uptime monitoring, with immediate escalation to Qualia Analytics staff for any downtime.

  • Failover.

    Our database is log-shipped to standby servers and can fail over in less than an hour.

3. Network Security
  • Uptime.

    Continuous uptime monitoring, with immediate escalation to Qualia Analytics staff for any downtime.

  • Third Party Scans.

    Weekly security scans are performed by Qualys.

  • Testing.

    System functionality and design changes are verified in an isolated test “sandbox” environment and subject to functional and security testing prior to deployment to active production systems.

  • Firewall.

    The firewall blocks web server access on all ports except 80 (HTTP) and 443 (HTTPS). Our database servers are only accessible from the internal network.

  • Patching.

    The latest security patches are applied to all operating system and application files to mitigate newly discovered vulnerabilities.

  • Access Control.

    Role-based access is enforced for systems management by authorized engineering staff.

  • Logging and Auditing.

    Central logging systems capture and archive all system access and error logs, including any failed authentication attempts.

4. Storage Security
  • Backup Frequency.

    Automatic database backups are scheduled to run every hour. Backups are encrypted using public-private key encryption and stored in multiple geographically disparate sites. Database backups are stored for 2 years, allowing a system to be fully restored from any point in time.

  • Production Redundancy.

    Data is stored on a RAID 10 array. The O/S is stored on a RAID 1 array.

5. Organizational & Administrative Security
  • Training.

    We provide technology use training for employees and security training where appropriate.

  • Audit Logging.

    We maintain and monitor audit logs on our services and systems (our logging systems generate gigabytes of log files each day).

  • Two-factor security.

    All our critical systems are protected with two-factor security to avoid password compromises.

6. Software Development Practices
  • Stack.

    We code in JavaScript, Java, PHP and Go. Our data is stored in MongoDB, MySQL and Redis. Our production servers run on Ubuntu LTS versions.

  • Coding Practices.

    Our engineers use best practices and industry-standard secure coding guidelines to ensure secure coding.

7. Handling of Security Breaches

Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if Qualia Analytics learns of a security breach, we will notify affected users so that they can take appropriate protective steps. Our breach notification procedures are consistent with our obligations under various state and federal laws and regulations, as well as any industry rules or standards that we adhere to. Notification procedures include providing email notices or posting a notice on our website if a breach occurs.

8. Your Responsibilities

Keeping your data secure also depends on you ensuring that you maintain the security of your account by using sufficiently complicated passwords and storing them safely. You should also ensure that you have sufficient security on your own systems, to keep any survey data you download to your own computer away from prying eyes. Your password can be changed by accessing your Account Settings via the dashboard.

9. Custom Requests

Specific security questions can be addressed by contacting our System Administrators, and your question and accompanying details may be forwarded to a member of our Development Team.