Security Policies

Security Policies at Querio

Querio is dedicated to maintaining high standards of data security and protection. As the company works toward SOC 2 compliance, its security policies are aligned with the five SOC 2 Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. These policies are enforced in daily operations and reviewed regularly.

Information Security Policy

Purpose:
Defines guidelines for protecting confidentiality, integrity, and availability of information.

Scope:
Applies to all applications, employees, contractors, and third-party vendors.

Key Elements:

  • Regular auditing and monitoring, including review of the architecture, the codebase, and logs

  • Internal vulnerability assessments, with a designated team responsible for responding to findings

  • Compliance with CCPA and GDPR

  • Infrastructure hosted on AWS cloud services; AWS publishes a SOC 3 report covering the underlying cloud platform, while the configuration of Querio's own AWS environment is governed by these policies

Access Control Policy

Purpose:
Limits access to authorized personnel only.

Scope:
All systems, applications, and data within Querio infrastructure.

Key Elements:

  • Role-based access control (RBAC) following the principle of least privilege

  • Regular review and update of access rights

  • Strong password requirements and mandatory rotation intervals

  • Mandatory multi-factor authentication (MFA) for access to all systems and applications

Change Management Policy

Purpose:
Ensures that changes are implemented safely, without compromising security or stability.

Scope:
All IT systems, network, and application changes.

Key Elements:

  • Code changes are reviewed for security impact

  • Regular patching of applications

  • Defined roles and responsibilities in change management

Incident Response Plan

Purpose:
Manage and respond effectively to security or privacy incidents.

Scope:
All incidents affecting systems and data.

Key Elements:

  • Follows ISO/IEC 27001-based processes

  • Defined roles and communication protocols

  • Procedures for containment and investigation

Risk Assessment Policy

Purpose:
Identify and minimize risks related to customer data security.

Scope:
All operational areas — people, processes, and technology.

Key Elements:

  • Regular risk analysis and mitigation strategy updates

  • Weekly automated vulnerability scanning with Snyk

  • Security integrated into the software development lifecycle

  • Annual third-party penetration tests

Disaster Recovery & Business Continuity Plan

Purpose:
Ensure continuous operation and data integrity during disasters.

Scope:
All mission-critical operations.

Key Elements:

  • ISO/IEC 27001-based recovery procedures

  • Defined data backup and restoration plans

  • Clear communication roles during disaster scenarios

Data Privacy Policy

Purpose:
Manage personal data respectfully and in compliance with privacy regulations.

Scope:
Collection, use, retention, disclosure, and disposal of personal data.

Key Elements:

  • A Data Processing Agreement (DPA) is signed at onboarding

  • Publicly accessible up-to-date privacy policy

Vendor Management Policy

Purpose:
Ensure third-party vendors comply with Querio’s security standards.

Scope:
All sub-processors and vendors with data access.

Key Elements:

  • Vendors must follow strong security and privacy practices

  • Regular vendor compliance monitoring

  • Contractual provisions requiring vendors to meet SOC 2-aligned security requirements

Employee Training & Awareness Programs

Purpose:
Build a security-aware culture organization-wide.

Scope:
All employees.

Key Elements:

  • Regular training on security and data protection laws

  • Clear understanding of each role's responsibilities for maintaining security

Regular Audit & Monitoring Procedures

Purpose:
Continuously validate effectiveness of security practices.

Scope:
All systems and data under Querio’s control.

Key Elements:

  • Scheduled internal audits

  • Ongoing monitoring for security events

Physical Security Policy

Purpose:
Protect physical resources and information.

Scope:
Physical servers, data centers, document storage.

Key Elements:

  • Querio is remote-first and operates no physical servers or data centers of its own; all infrastructure runs on AWS, so physical security of the data centers is provided by AWS

  • Employees are trained to safeguard company-issued devices against loss, theft, and misuse
