Security at Qualtir
Qualtir is built on industry-leading standards to ensure your data remains private, protected, and compliant.
Last updated: January 2025
At Qualtir, security is not an afterthought — it is built into every layer of our products and infrastructure. We implement industry-leading measures to protect your data and ensure our services remain reliable, private, and compliant with international standards.
Certifications & Compliance
ISO 27001 Certified
Qualtir is certified under ISO/IEC 27001, the international standard for information security management systems. View our audit report.
GDPR Compliant
We fully comply with the EU General Data Protection Regulation. Review our Privacy Policy for details on data handling.
SOC 2 Infrastructure
Our infrastructure runs on Google Cloud Platform, which maintains SOC 2 Type II compliance across all its data centres.
Google Cloud Partner
Qualtir is a verified Google Cloud partner, building on one of the world's most secure and reliable cloud platforms.
1. Data Encryption
All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256, ensuring that your information is protected whether it is in transit or stored on our infrastructure.
- In transit: TLS 1.2+ encryption for all data moving between clients and servers
- At rest: AES-256 encryption for all stored data
- Key management: Encryption keys are managed through Google Cloud Key Management Service
- Database encryption: All databases are encrypted at the storage level
2. Access Controls
We follow the principle of least privilege. Access to customer data is strictly controlled and limited to employees who require it to perform their job functions.
- Role-based access control (RBAC) across all internal systems
- Multi-factor authentication (MFA) required for all employee accounts
- Access logs are maintained and reviewed regularly
- Privileged access is time-limited and subject to additional approval
- Employee access is revoked immediately upon departure
3. Infrastructure & Hosting
Our entire infrastructure is hosted on Google Cloud Platform (GCP), one of the most secure and reliable cloud environments available. GCP data centres are physically secured, with multiple layers of protection including biometric access, 24/7 surveillance, and redundant power systems.
- Data hosted in GCP data centres in the EU and US regions
- Network-level firewalls and DDoS protection
- Automated vulnerability scanning of infrastructure
- Private VPC networks isolating production environments
- Regular penetration testing by third-party security firms
4. Monitoring & Audits
We continuously monitor our systems for unusual activity, security threats, and performance anomalies. All significant actions within our platform are logged and retained for audit purposes.
- 24/7 automated monitoring with real-time alerting
- Security Information and Event Management (SIEM) integration
- Annual third-party security audits and penetration tests
- Regular internal audits against ISO 27001 controls
- Comprehensive audit logs retained for a minimum of 12 months
5. Incident Response
We have a documented incident response plan that is regularly tested and updated. In the event of a security incident, we are committed to acting swiftly to contain the issue, assess the impact, and notify affected customers in accordance with our obligations under GDPR and other applicable regulations.
- Defined escalation paths and on-call security response team
- Target containment within 1 hour of a confirmed incident
- Customer notification within 72 hours of a confirmed breach (as required by GDPR)
- Post-incident review and remediation to prevent recurrence
6. Data Retention & Deletion
We retain your data only for as long as necessary to provide our services and meet our legal obligations. When data is no longer needed, it is securely deleted using industry-standard methods.
- Account data is deleted within 90 days of account closure
- Backups are retained for 30 days and then permanently destroyed
- Secure deletion procedures applied to all storage media
- Data deletion requests are processed within 30 days
7. Google Workspace Extensions
Our Google Workspace extensions are designed with a minimal-permission approach. We request only the permissions that are strictly necessary to provide the functionality of each extension, and we do not store or process your Google documents beyond what is required.
- Compliance with the Google API Services User Data Policy and Limited Use requirements
- No persistent storage of Google Doc, Sheet, or Drive content on our servers
- OAuth 2.0 used for all Google account authorisation
- Users can revoke access at any time through Google Account settings
- Extensions undergo Google's security review process before publication
8. Responsible Disclosure
We welcome responsible disclosure of security vulnerabilities from the security community. If you discover a potential security issue, please contact us at contact@qualtir.com. We commit to acknowledging your report within 48 hours and working with you to understand and address the issue as quickly as possible.
Questions About Security
If you have any questions or concerns about how we protect your data, we are happy to help.
Qualtir Security Team
Security inquiries: contact@qualtir.com
General inquiries: contact@qualtir.com