Security Policies

Security Policies at Querio

Querio is dedicated to achieving and maintaining the highest standard of data security and protection, as evidenced by our existing security measures and commitments. As we strive for SOC2 compliance, aligning with our core values and current security stance, we have a comprehensive set of policies that adhere to SOC2 Trust Service Criteria: security, privacy, confidentiality, processing integrity, and availability. These policies are adhered to during regular operations and undergo continuous review to ensure compliance.

Information Security Policy

  • Purpose: To define guidelines for protecting the confidentiality, integrity, and availability of information.
  • Scope: Applies to all software applications, employees, contractors, and third-party vendors.
  • Key Elements:
    • Querio conducts regular auditing, monitoring, and reviewing of architecture, codebase, and logs.
    • We execute internal vulnerability assessments with a dedicated response team.
    • We adhere to privacy regulations, including CCPA and GDPR compliance.
    • We leverage secure infrastructure using AWS cloud services with AWS SOC3 Certification.

Access Control Policy

  • Purpose: To limit access to information to authorized personnel only.
  • Scope: All systems, applications, and data within Querio's infrastructure.
  • Key Elements:
    • Querio employs role-based access control and follows the least-privilege methodology.
    • We regularly review and update access rights.
    • We require strong, complex passwords and implement mandatory changes at defined intervals.
    • We require employees to use multi-factor authentication (MFA) for all software.

Change Management Policy

  • Purpose: To safely implement changes without impacting the secure and stable environment.
  • Scope: All changes to IT systems, networks, and applications.
  • Key Elements:
    • All code changes are reviewed for security implications.
    • Application patches are applied regularly to mitigate vulnerabilities.
    • We have defined roles and responsibilities for personnel involved in change management.

Incident Response Plan

  • Purpose: To effectively manage and respond to security breaches or incidents.
  • Scope: All security and privacy incidents affecting information systems and data.
  • Key Elements:
    • Querio follows ISO27001-based security incident management processes.
    • We have clearly defined incident response roles, responsibilities, and communication protocols.
    • We have immediate containment procedures and subsequent investigation prototypes.

Risk Assessment Policy

  • Purpose: To identify and minimize risks related to the security and integrity of customer data.
  • Scope: All aspects of business operations, including people, processes, and technology.
  • Key Elements:
    • Querio regularly performs risk analysis and updates its mitigation strategies.
    • We leverage Snyk for weekly automatic vulnerability testing and reporting on our codebase.
    • We have integrated security considerations into the Software Development Cycle.
    • We conduct annual third-party remote penetration tests.

Disaster Recovery and Business Continuity Plan

  • Purpose: To ensure continued operation and data integrity in case of a disaster.
  • Scope: All mission-critical operations and services.
  • Key Elements:
    • Querio follows ISO27001-based disaster recovery and business continuity processes.
    • We have defined data backup and recovery protocols.
    • We have established clear communication plans and roles for disaster scenarios.

Data Privacy Policy

  • Purpose: To manage personal data with respect and in line with privacy regulations.
  • Scope: Collection, usage, retention, disclosure, and disposal of personal data.
  • Key Elements:
    • Querio signs an explicit Data Processing Agreement (DPA) upon onboarding to formalize data protection commitments.
    • A detailed and up-to-date Privacy Policy is publicly accessible on our website.

Vendor Management Policy

  • Purpose: To ensure third-party vendors meet Querio's security standards.
  • Scope: All sub-processors and vendors with access to Querio's data.
  • Key Elements:
    • Querio requires sub-processors to adhere to robust security and privacy practices.
    • We assess and monitor vendors' compliance regularly.
    • We include provisions in contracts that enforce SOC2 compliance.

Employee Training and Awareness Programs

  • Purpose: To create a security-aware culture within the organization.
  • Scope: All employees within Querio.
  • Key Elements:
    • Querio provides regular training on security, data protection laws, and organization-specific policies.
    • We instill a clear understanding of individual roles in maintaining security.

Regular Audit and Monitoring Procedures

  • Purpose: To continuously validate the effectiveness of security policies and practices.
  • Scope: All systems and data under Querio's control.
  • Key Elements:
    • Querio performs scheduled internal audits and reviews.
    • We maintain strict monitoring systems to detect security events.

Physical Security Policy

  • Purpose: To protect physical resources and information.
  • Scope: Physical servers, data centers, and document storage areas.
  • Key Elements:
    • As a remote-first company, we do not have any physical access requirements, and all data is stored in the cloud with secure, compliant providers.
    • Querio employees are properly educated on their responsibility for safeguarding their hardware to prevent unauthorized use.

Leveraging both our ongoing commitment to exceptional security standards and our current security measures, Querio's security policies help to ensure a secure, reliable, and trusted environment for our partners and customers. We continue to evolve our security posture actively while working towards the industry-standard SOC2, ISO 27001, and ISO 9001 certifications.

For additional information about Querio's security, data or compliance policies and processes, please contact hello@querio.ai