QloudInvest Security Policy

Effective Date: 2 April 2025

1. General Security Practices

  • Access to servers, source code, and third-party tools is secured with two-factor authentication (2FA).
  • We employ strong, randomly generated passwords that are never reused across different platforms.
  • Employees and contractors are granted the minimum level of access necessary to perform their duties.
  • Automated tools detect and help remediate vulnerabilities in dependencies.
  • Production data is never copied to external devices.

2. Organizational Security

  • All employees and contractors sign NDAs before gaining access to sensitive data.
  • We conduct annual third-party penetration tests.

3. Authentication and Access

  • Passwords are hashed using bcrypt before storage.
  • Sessions are managed with secure tokens that expire after 30 days of inactivity.

4. Data Encryption

  • Data is encrypted in transit using TLS 1.2.
  • Sensitive data is encrypted at rest.

5. Data Retention and Logging

  • Logs are retained securely for 30 days and then deleted.
  • Users may request permanent deletion of their analytics data.

6. Software Development Practices

  • Code is peer-reviewed and tested in staging before release.

7. Hosting and Infrastructure

  • Servers are hosted on AWS infrastructure.
  • AWS maintains certifications including ISO 27001 and SOC 2.

8. Vulnerability Detection

  • Regular scanning for dependency vulnerabilities is conducted.
  • Patches are applied and redeployed as soon as they are identified.

9. Third-Party Services

  • We only integrate with partners that adhere to high security standards.
  • Sensitive data is never transmitted unencrypted through third-party systems.

10. Frequently Asked Questions (FAQs)

Q: Does my financial data pass through your servers?

A: No. All financial data is encrypted and exchanged directly with financial institutions.

Q: How are encryption keys exchanged between clients?

A: Secure protocols ensure encryption keys are exchanged directly without server-side visibility.

Q: What user data do you collect?

A: We collect usage analytics and crash data necessary to provide and improve the service. See our Privacy Policy for details.

For any security-related questions, please contact us at security@qloudsoft.com.