Security at Qualtir

Certifications & Compliance

Every byte of data moving between your browser and our servers travels over TLS 1.2 or higher. At rest, we use AES-256 — the same standard governments and banks rely on. There's no scenario where your data sits unencrypted on our infrastructure.

• In transit: TLS 1.2+ for all traffic between clients and servers
• At rest: AES-256 across all stored data
• Key management: handled through Google Cloud Key Management Service
• Database encryption: applied at the storage layer, not just application level

The principle is simple: nobody gets access to something they don't need. We use role-based access across all internal systems, and that includes our own engineers. Customer data is off-limits unless there's a specific, approved reason.

• Role-based access control (RBAC) across every internal system
• MFA required on all employee accounts — no exceptions
• Access logs kept and reviewed on a regular schedule
• Elevated access is time-limited and requires explicit approval
• When someone leaves the company, access is revoked the same day

We run entirely on Google Cloud Platform. GCP's data centres have physical security that goes well beyond a locked door — biometric entry, 24/7 monitoring, redundant power. We picked GCP because we didn't want to make security trade-offs.

• All data hosted in GCP's EU and US regions
• Network-level firewalls and DDoS mitigation built in
• Automated scanning for infrastructure vulnerabilities
• Production environments isolated in private VPC networks
• Third-party penetration testing conducted regularly

Our systems run under constant surveillance. Automated alerts fire the moment something looks off — unusual login patterns, unexpected API calls, anything that deviates from baseline. And beyond the automation, humans review what machines flag.

• 24/7 automated monitoring with real-time alerts
• SIEM integration for unified security event tracking
• Annual third-party security audits, plus penetration testing
• Internal audits run against ISO 27001 controls throughout the year
• Audit logs kept for at least 12 months

We have a written incident response plan that gets tested — not just filed away. If something goes wrong, we move fast. Our team has defined escalation paths, and we don't wait to communicate. GDPR requires notifying affected customers within 72 hours of a confirmed breach, and we treat that as a floor, not a ceiling.

• Clear escalation paths with an on-call security team
• Target: contain confirmed incidents within 1 hour
• Customer notification within 72 hours of a confirmed breach (GDPR requirement)
• Post-incident review to understand what happened and prevent a repeat

We don't hold onto data longer than we need to. Once your account closes or you request deletion, the process starts immediately — not after some indefinite review period.

• Account data deleted within 90 days of closure
• Backups retained for 30 days, then permanently destroyed
• Secure deletion procedures applied to all storage media
• Data deletion requests processed within 30 days

Our extensions ask for only the permissions they genuinely need. We don't store your Google Docs, Sheets, or Drive content on our servers — we process what's required for the feature you're using, and that's it.

• Compliant with Google's API Services User Data Policy and Limited Use requirements
• No persistent storage of Google Doc, Sheet, or Drive content on our servers
• OAuth 2.0 for all Google account authorisation
• You can revoke access any time through your Google Account settings
• All extensions go through Google's security review before release

8. Responsible Disclosure

Found something? We want to hear about it. If you've spotted a potential security issue, reach out to us at contact@qualtir.com. We'll acknowledge your report within 48 hours and work with you to understand and address it properly.

Questions About Security

If something's unclear about how we handle security, or you'd like more detail on any of the above, just ask.