Quartzy Security Practices
Effective: March 27, 2023
We take the security of your data very seriously at Quartzy. As transparency is one of the principles on which our company is built, we aim to be as clear and open as we can about the way we handle security.
If you have additional questions regarding security, we are happy to answer them. Please write to firstname.lastname@example.org and we will respond as quickly as we can.
Quartzy is a PCI Level 3 Merchant. We use a third party to process credit card information securely. Quartzy leverages a secure integration with Stripe.com to process all customer credit card transactions from the Quartzy application, so that no personal credit card data is stored in Quartzy systems.
The AWS environment that hosts the Quartzy services maintains multiple certifications and up-to-date examinations for its data centers, including ISO 27001 compliance, FedRAMP authorization, PCI certification, and SOC reports. For more information about their certification and compliance, please visit the AWS Security website and the AWS Compliance website.
SOC (Systems and Organization Controls) Examinations
Quartzy maintains SOC 1 and SOC 2 compliance that can support your ICFR (Internal Controls over Financial Reporting) control objectives. To obtain a copy of our SOC reports, you can reach out to your account executive or customer success manager at Quartzy.
Quartzy’s Data Security; Disclaimer
1. The Security of Your Information is Important to Quartzy.
Quartzy takes reasonable administrative, physical and electronic measures designed to protect against unauthorized access, use or disclosure of the information that we collect from you. Quartzy servers are located in professional and secure hosting facilities designed to host servers with protection from unwanted attacks over the Internet and physical attacks on the building or server itself. In particular, the Site’s servers are in a private network with a dedicated firewall, and are protected by round-the-clock interior and exterior surveillance. For physical security, our data centers are all SSAE-16 and/or ISO 27001 compliant. Our software infrastructure is regularly updated with the latest security patches and encrypts sensitive data at rest. All access to the Site’s servers is protected by two-factor authentication, and all traffic to Quartzy’s servers is encrypted as well.
2. Quartzy Will Notify You and Try to Fix any Breaches of Security.
If there is a suspected, threatened or actual security incident or breach of security involving Your Information (a “Security Breach”), Quartzy will at its own expense: (i) investigate and take all steps to identify, prevent and mitigate the effects of such Security Breach; (ii) promptly notify you of the incident; and (iii) as soon as reasonably possible (A) conduct any recovery reasonably possible to remediate the impact of such Security Breach and (B) comply with applicable law and industry practices relating to such Security Breach. Despite the foregoing, you acknowledge and agree that this clause constitutes notice by Quartzy to you of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents for which no additional notice to Client shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Quartzy’s firewall, port scans, unsuccessful login attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of Your Information.
3. Quartzy Backs Up Your Information.
Quartzy stores all data in multiple secure locations, performs multiple daily backups of all critical data (including the database), and uses data retention and disposal policies to manage data assets. Quartzy also tests its backups in duplicate environments on a regular basis to ensure their correctness, and to test disaster recovery scenarios. Database backups are audited daily.
4. You Have Security Responsibilities.
You agree to: (i) keep your password and online ID secure and strictly confidential; (ii) notify us immediately and select a new online ID and password if you believe your password may have become known to an unauthorized person; and (iii) notify us immediately if you are contacted by anyone requesting your online ID and password. You understand and accept that you are responsible for any and all transactions performed under your account, even those transactions that are fraudulent or that you did not intend or want performed. You agree to indemnify and hold harmless Quartzy from and against any and all liability arising in any way from access to the Site using your online ID and/or online password.
5. Some Third Parties May have Incidental Access to Your Information.
Quartzy works with other companies to provide information technology services to users of the Site. These companies may have access to Quartzy's databases, but only for the purposes of providing service to Quartzy. For example, a third party may obtain access to Your Information in an effort to update database software, or manage data. These companies will operate under consumer confidentiality agreements with Quartzy.
6. The Internet is Not Guaranteed to be Safe.
Please be aware that no method of transmitting information over the Internet or storing information is completely secure. Accordingly, we cannot guarantee the absolute security of any information. QUARTZY SHALL HAVE NO LIABILITY TO YOU FOR ANY UNAUTHORIZED ACCESS, USE, CORRUPTION OR LOSS OF ANY OF YOUR INFORMATION, EXCEPT TO THE EXTENT THAT SUCH UNAUTHORIZED ACCESS, USE, CORRUPTION, OR LOSS IS DUE SOLELY TO QUARTZY’S GROSS NEGLIGENCE OR MISCONDUCT.
Security for Team Members & Administrators
In addition to the work we do at the infrastructure level, we provide Team Administrators of Quartzy services with additional tools to enable their own users to protect our Customer Data. For team member access to systems, we follow the principle of least privilege, which limits a user's access rights to only what is strictly required to do their job.
We protect our team members and our customers’ data with physical badge access to all facilities; we deploy anti-spam, anti-phishing and email detection tooling; we employ best-in-class laptop security management tooling and practices; and we harden mobile devices with secure disk encryption technologies.
We understand that you rely on the Quartzy services to work. We're committed to making Quartzy a highly available service that you can count on. Our infrastructure runs on systems that are fault tolerant to failures of individual servers or even entire data centers. You can see the current and historical status of the availability of the Quartzy services here: https://status.quartzy.com/.
Customer Data is stored redundantly at multiple locations in our hosting provider’s data centers to ensure availability. We have well-tested backup and restoration procedures, which allow recovery from a major disaster. Customer Data and our source code are automatically backed up nightly. The Operations team is alerted in case of a failure with this system.
In addition to sophisticated system monitoring and logging, we have implemented two-factor authentication for all server access across our production environment, and we employ an intrusion detection system within our production environment. Firewalls are configured according to industry best practices, and unnecessary ports are blocked by configuration with AWS Security Groups.
We perform automated network penetration tests and vulnerability scans on our production environment and remediate any findings that present a risk to our environment. We enforce screen lockouts and the usage of full disk encryption for company laptops.