Privacy and security

Privacy and security policy information

Data management & security

The Qhub application is hosted on Amazon web services (AWS). AWS ensures data centre security through physical security, network security, environmental controls, data encryption, identity and access management, monitoring and logging, DDoS protection, and compliance. AWS maintains secure facilities, employs robust network defences, encrypts data, manages access, monitors for threats, protects against DDoS attacks, and adheres to industry regulations. Our team takes additional proactive measures to ensure a secure infrastructure environment.

For additional, more specific details regarding AWS security, please refer to… https://aws.amazon.com/security/

AWS servers & Mongo DB Atlas

Our AWS EC2 servers are located in the London region and can only be accessed via restricted IP-based SSH access for support staff allowed to perform any necessary operations over a special protocol system for limited access only. The server itself doesn’t have any data stored on it, only our base code runs on it responsible for making Q-HUB run. Once the actions are performed, the access is removed.

Mongo Db Atlas is used to store data captured on the application when using the various hubs. MongoDB Atlas is also hosted on AWS servers, located in Ireland. Mongo DB ensures the security of your data in the following ways: 

1. Encryption: Data is encrypted both at rest and in transit using strong encryption standards.

2. Access Control: You can define who can access your database using IP-based access lists and authentication mechanisms. 

3. Auditing and Logging: Detailed logs are available to track database activity and detect any potential security issues. 

4. Backup and Recovery: Automated backups and point-in-time recovery options are provided to protect against data loss. 

5. Compliance: MongoDB Atlas complies with industry standards and regulations, ensuring data protection and privacy. 

6. Network Security: VPC peering and private endpoints allow you to isolate your database and enhance network security.

By utilising these security measures, MongoDB Atlas provides a secure environment for your data storage and management.

Infrastructure Security

AWS EC2 instance infrastructure security ensures that each instance is isolated and runs on secure infrastructure. Network security features control inbound and outbound traffic, while regular security updates are applied. Data can be encrypted at rest and in transit. IAM allows for access control, and monitoring tools track performance and security. AWS prioritises compliance and undergoes audits for industry certifications. We, QHUB also perform our regular internal audits on our processes and systems to ensure maximum security and compliance in line with industry standard and benchmarked standard.

Backups and data retention

We take daily backups of all of our databases to ensure maximum data reliability. Data can be retrieved and restored to accounts upon a support ticket request through our internal app ticket system or by contacting the customer care team. 

Our EC2 Instances have a weekly snapshot to ensure that our servers are quickly up and running in case of any hardware failure with minimum down-time.

Data is kept for 30 days after contract termination. And subject to contract conditions, upon cancellation of the application customers will be provided with a copy of all data and files requested. Once the period is over, all relevant data is permanently deleted from our database servers.

File encryption

With customer-side encryption of S3 buckets in AWS, the customer encrypts their data before uploading it. They manage the encryption keys, and AWS doesn’t have access to them. When the customer wants to retrieve the data, they decrypt it using their own keys. This ensures that only the customer can see and access their data. AWS acts as a secure storage platform, maintaining the encrypted data within the S3 bucket. And we, Q-HUB also don’t have access to the data uploaded as they are decrypted in transit, only when accessed by the end-user.

Application security

  • We use a rotating keys system to ensure all production clusters and instances never have the same key longer than 14 days. 
  • Access for production level clusters and instances are done via our internal protocol system which requires a granular access and request system to make sure that the correct personnel can access systems in need of any debugging, updates and/or bug fixes.
  • We have a vast notification system provided by AWS and MongoDB to notify if there is a breach and we respond to it immediately. We also use our internal tools to get notified if we come across any breach. 
  • Any data breach affecting our customers will be immediately cascaded to the company admins and named account owner. Notifications will repeat until acknowledgement of the situation by the affected account. 
  • Our databases can only be accessed via an approved list of IP addresses and any unused addresses are removed regularly, through internal processes, routine tasks and audits. 
  • We do not store any passwords of customers and are hashed with the SHA-256 bit algorithm in the database. Furthermore, we provide 2FA to customers to ensure that only the correct person accesses the application. 
  • Our application updates are made during the low-traffic time and require the minimum down-time from our CI/CD operations to reach our customers. 

Additional Q&A

  1. What data do we collect? Data is held in accordance with GDPR
    1. IP address/browser information/OS Information as part of using our application 
    2. Email Address/Username 
    3. First Name and Last Name
    4. Company Name 
    5. Job Title
    6. Phone Number
  2. How do we use your data? Initial information is used to identify each individual company and user in our system. 
  3. Where does data get transferred? All data is instantly stored on Cloud Storage as explained above by our MongoDB Atlas servers.
  4. How long is data stored? Explained in the Retention, for around 30 days.
  5. How can I request my data be removed? When your contract is being terminated, you may request your data to be removed.