At Questence, security is foundational to everything we build. This policy outlines our approach to protecting your data.
Encryption
All data in transit is encrypted using TLS 1.3. Data at rest is encrypted using AES-256. Database backups are encrypted and stored in secure, geographically separate facilities.
Infrastructure Security
Our platform runs on AWS with SOC 2 compliant infrastructure. We employ network firewalls, DDoS protection, intrusion detection systems, and regular vulnerability scanning.
Access Controls
We enforce strict role-based access control (RBAC) for all systems. Multi-factor authentication (MFA) is required for all staff access. Access is reviewed quarterly and revoked immediately upon role change or departure.
Data Isolation
Each tenant's data is logically isolated at the database layer. We maintain strict separation between production, staging, and development environments.
Incident Response
We have a documented incident response plan that includes: immediate containment, forensic investigation, stakeholder notification within 72 hours, and post-incident review with remediation steps.
Compliance
Questence complies with: GDPR (General Data Protection Regulation), NDPR (Nigeria Data Protection Regulation), ISO 27001 standards (certification in progress), and SOC 2 Type II (certification in progress).
Third-Party Audits
We engage independent security firms to conduct annual penetration testing and security assessments. Reports are available to enterprise customers under NDA.
