Security assessments are performed by Inuit using an independent assessment team such as Cigital. This process includes a security assessment, audit, active vulnerability and active network penetration testing of the Qvinci live site. The most recent assessment was performed in May 2016 with only very minor suggestions. No serious threats were found. We addressed the suggestions and enacted solutions for them.
The servers, database and infrastructure for the Qvinci application is hosted at Amazon Web Services (AWS) which is FIPS, DoD, HIPPA, SOC 1, SOC 2 and SOC 3 compliant. An overview of AWS security and compliance is available online at https://aws.amazon.com/compliance/resources/
Data in transit across the Internet is encrypted using 2048 bit SHA2 SSL TLS 1.2. The keys are created on-the-fly and destroyed immediately thereafter. Unencrypted Internet connections are not allowed.
External access is firewall restricted to only ports 80 and 443 which route only to the front-end web servers. Access to the web sites and services running on those servers is further restricted by DNS name. Non-essential apps and services are disabled. Direct access from the Internet to the database is not allowed.
Attempts to spoof URLs or bypass security are trapped and ignored. Exception notifications are sent to an Office 365 shared mailbox that is monitored daily by our DevOps team, the Director of Development, and the VP of Technology.
Sensitive data at rest is encrypted in the database by Qvinci using the AES (Advanced Encryption Standard)/FIPS-197. The minimum key length employed is 128 bits. The encryption key for each client hosted by Qvinci is generated using PBE (Password Based Encryption) using a client supplied password.
Every customer has a unique organization key and all data is partitioned in the database using the organization key so there is never ambiguity about which organization the data belongs to. The application only permits the owning organization to access the underlying data with the same organization key.
Qvinci does not sync (e.g. download from QuickBooks into the Qvinci application) personal information such as social security numbers, bank account numbers, credit card numbers or employee data. Only financial reporting data is collected and stored in the Qvinci database.
Backups are contained within the AWS environment. Backups are not archived to external storage media.
Backup and Recovery
Servers, storage, and databases are backed up nightly using AWS snapshot technology. Backups are kept within the AWS environment and can be quickly recovered to existing or newly provisioned server, storage, and database instances if necessary. Backups are not archived to external storage media.
Servers are patched as part of our ongoing application maintenance, typically during maintenance windows late Thursday afternoon/evening. Patches are applied on a rotation starting with the QA servers to verify that patches do not cause problems or issues and then to the live production servers.
Patches are applied on a quarterly basis except for critical patches that are deemed urgent which are applied during the upcoming Thursday maintenance window. Emergency patches when necessary may be applied on other days and are applied to servers at a time to assure overall system stability.
Only a limited number of Qvinci employees or contractors have direct access to the live production environment or to customer data located within the secure AWS environment.
Connectivity to the live production environment is limited to a VPN from within the Qvinci corporate office network or via LogMeIn from a small group of employees or contractors for remote access. There is no direct access to the AWS servers or database from the open Internet except for ports 80 and 443 which are open from the Internet only to the front-end web servers.
All staff are under NDA and non-compete agreements where all rights and interests are assigned to Qvinci. We use search firms that perform background checks prior to hiring.
Computer and Information Security is documented in our employee manual, which is signed by each employee as part of their employment agreement.
Qvinci incorporate multiple tiers of logging including AWS, servers, and application logs:
- AWS CloudTrail retains audit logs with integrity validation of AWS API calls including: the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service, including calls made via the AWS Management Console, AWS SDKs, command line tools and higher-level AWS services. The AWS CloudTrail API call history enables security analysis, resource change tracking and compliance auditing. These audit logs are retained by AWS for at least one year.
- Each server’s event log includes a detailed access, change, variance and exception log that is used to analyze security, resources and compliance management of the server.
- The Qvinci application maintains an application audit log which tracks access and changes to data or configurations by individual application users including account specific changes made by account side administrators.
We subscribe to the alerts and notifications from us-cert.gov (US-CERT, ICS-CERT). They feed into an Office 365 mailbox that is shared with our DevOps team, our Director of Development, our VP of Development and our CIO/Founder. The incoming alerts and notifications are triaged daily for relevance, urgency and action if necessary.
Application Source Code
The Application Source Code is owned and maintained by Qvinci and resides on Qvinci source code repository within the secure AWS environment. Only a limited number of Qvinci employees who are members of the development team have access to the source code. The process of updating the application source repository, code reviews of changes to the source code, building the application binaries and deploying those binaries to the QA and Live servers all stays within secure AWS environment.
All credit card processing is outsourced to Vantiv (Litle) which is PCI-DSS compliant. No credit card data is stored in Qvinci systems.