Security Policies
Security Policies at Querio
Querio is committed to achieving and maintaining a high standard of data security and protection, as reflected in our existing security measures and commitments. As we work toward SOC2 compliance, and in line with our core values and current security posture, we maintain a comprehensive set of policies that follow the SOC2 Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. These policies are followed during day-to-day operations and are reviewed continuously to ensure they remain effective and compliant.
Information Security Policy
Purpose
To define guidelines for protecting the confidentiality, integrity, and availability of information.
Scope
Applies to all software applications, employees, contractors, and third-party vendors.
Key Elements
Querio conducts regular auditing, monitoring, and review of its architecture, codebase, and logs.
We perform internal vulnerability assessments and maintain a dedicated response team.
We adhere to privacy regulations, including CCPA and GDPR.
We run on secure infrastructure using AWS cloud services, which hold AWS SOC3 certification.
Access Control Policy
Purpose
To limit access to information to authorized personnel only.
Scope
All systems, applications, and data within Querio's infrastructure.
Key Elements
Querio employs role-based access control and follows the principle of least privilege.
We regularly review and update access rights.
We require strong, complex passwords and enforce mandatory password changes at defined intervals.
We require employees to use multi-factor authentication (MFA) for all software.
Change Management Policy
Purpose
To safely implement changes without impacting the secure and stable environment.
Scope
All changes to IT systems, networks, and applications.
Key Elements
All code changes are reviewed for security implications.
Application patches are applied regularly to mitigate vulnerabilities.
We have defined roles and responsibilities for personnel involved in change management.
Incident Response Plan
Purpose
To effectively manage and respond to security breaches or incidents.
Scope
All security and privacy incidents affecting information systems and data.
Key Elements
Querio follows ISO27001-based security incident management processes.
We have clearly defined incident response roles, responsibilities, and communication protocols.
We have procedures for immediate containment and subsequent investigation.
Risk Assessment Policy
Purpose
To identify and minimize risks related to the security and integrity of customer data.
Scope
All aspects of business operations, including people, processes, and technology.
Key Elements
Querio regularly performs risk analysis and updates its mitigation strategies.
We use Snyk for weekly automated vulnerability testing and reporting on our codebase.
We have integrated security considerations into the software development life cycle.
We conduct annual third-party remote penetration tests.
Disaster Recovery and Business Continuity Plan
Purpose
To ensure continued operation and data integrity in case of a disaster.
Scope
All mission-critical operations and services.
Key Elements
Querio follows ISO27001-based disaster recovery and business continuity processes.
We have defined data backup and recovery protocols.
We have established clear communication plans and roles for disaster scenarios.
Data Privacy Policy
Purpose
To manage personal data with respect and in line with privacy regulations.
Scope
Collection, usage, retention, disclosure, and disposal of personal data.
Key Elements
Querio signs an explicit Data Processing Agreement (DPA) with customers upon onboarding to formalize data protection commitments.
We maintain a detailed, up-to-date Privacy Policy that is publicly accessible on our website.
Vendor Management Policy
Purpose
To ensure third-party vendors meet Querio's security standards.
Scope
All sub-processors and vendors with access to Querio's data.
Key Elements
Querio requires sub-processors to adhere to robust security and privacy practices.
We assess and monitor vendors' compliance regularly.
Our vendor contracts include provisions that require SOC2 compliance.
Employee Training and Awareness Programs
Purpose
To create a security-aware culture within the organization.
Scope
All employees within Querio.
Key Elements
Querio provides regular training on security, data protection laws, and organization-specific policies.
We ensure employees clearly understand their individual roles in maintaining security.
Regular Audit and Monitoring Procedures
Purpose
To continuously validate the effectiveness of security policies and practices.
Scope
All systems and data under Querio's control.
Key Elements
Querio performs scheduled internal audits and reviews.
We maintain strict monitoring systems to detect security events.
Physical Security Policy
Purpose
To protect physical resources and information.
Scope
Physical servers, data centers, and document storage areas.
Key Elements
As a remote-first company, Querio has no physical access requirements of its own; all data is stored in the cloud with compliant providers. Querio employees are educated on their responsibility for safeguarding their hardware to prevent unauthorized use.
Through our ongoing commitment to high security standards and the measures already in place, Querio's security policies help ensure a secure, reliable, and trusted environment for our partners and customers. We continue to actively evolve our security posture while working toward the industry-standard SOC2, ISO 27001, and ISO 9001 certifications.
For additional information about Querio's security, data or compliance policies and processes, please contact hello@querio.ai