Security

Data ownership and privacy

All Quality Clouds customers remain in full control of their data at all times as a result of the following set-up:

  • You can define your own credentials with which Quality Clouds connects to your instance, remaining in full control of the data to be accessed.
  • Quality Clouds only accesses the contents of the tables that hold the code of Configuration Elements, and not the transactional or business-sensitive data stored in the instance.
  • It only stores the summary data related to the issues detected in the customer instance, as well as a list of Configuration items which have been modified. The source code is analysed in-memory, and it is never persisted.
  • The user defined by you to access the instances can be an administrator with web services access only.

Additionally, you can always restrict access to the instance tables by using ACLs (Access Control Lists).

Quality Clouds adheres to the following security recommendations to let you stay in full control:

  • As owner of the data, you can always ask to have it deleted.
  • No names, email addresses or any other personal user information are captured from the instance.

Access control

Quality Clouds is responsible for managing the user accounts within the scan instance of our software product for your SaaS platform.

This includes the creation of the customer record and each of your individual user accounts, the password expiration policy and an initial password which the user has to change on the first login.

Authentication and passwords

To access the application, each user logs in with their own credentials (providing a unique username and password).

Quality Clouds enforces a minimum password strength, and it requires that the password has the following characteristics:

  • Password must be at least 8 characters long
  • Password cannot be reused
  • Password must contain at least one uppercase A-Z value, one lowercase a-z value, one numeric 0-9 value and one of the following symbols: #?@$%^&*-_

Passwords have an expiration policy, which can be set to a period ranging from 1 day to 1 year. When a password expires, you as the user are prompted for the current password and asked to choose a new one.

The application automatically ends each user's idle session (one with no user interaction) after 10 minutes.

Encryption

Quality Clouds makes use of encryption for data in transit and sensitive/personal data at rest. Any third-party credentials needed to perform a software quality scan in a customer's application instance are stored encrypted using the AES-256 algorithm. Any personal data registered in a Quality Clouds customer account (user name, emails and phone number) is encrypted before being persisted.

User passwords are stored hashed in the Quality Clouds database using the SHA-256 algorithm. Raw passwords are never persisted.

The Quality Clouds website has an SSL certificate which forces the use of Transport Layer Security (TLS) connections with 256-bit encryption.

Encryption in transit for user traffic 

For all user access, Quality Clouds accesses customer instances over the Internet using forced TLS encryption.

IP whitelisting

If your infrastructure implements IP whitelisting, make sure that you add these IPs to the allowed origins, so that requests from Quality Clouds are not blocked:

All servers located in: EU (Ireland)


  • 20.82.159.225 → 20.123.120.238
  • 20.82.221.17 → 20.123.123.70
  • 20.93.80.6


Important Note - 19 October 2022.

Due to changes in our infrastructure, the IPs in our EU cluster have changed. Please replace the old IPs (grayed out) with the current ones in your whitelist.

Last modified on Apr 19, 2021