Security
Security is our highest priority. We run a comprehensive and continually evolving security program to protect the source code and data entrusted to us.
Source code protection
- Static analysis runs in sandboxed containers on AWS Fargate that are destroyed after each run
- Short-lived, limited-scope access tokens are used to fetch code from GitHub for analysis
- Qlty does not store clones of analyzed Git repositories
Product security
- Secure coding practices are integrated into the software design process from day one
- Authentication is provided by GitHub single sign-on (SSO). Qlty does not store passwords.
- Authorization is based on repository permissions, which Qlty checks directly against GitHub.
- Access to staff applications is additionally restricted behind a virtual private network (VPN).
- Code changes require pull request review and approval
- Third party penetration testing is performed at least annually
- Static analysis for security vulnerabilities (SAST) and software composition analysis (SCA) is run continuously
- Application performance and errors are monitored by Sentry
Infrastructure security
- Production data is hosted in the cloud on Amazon Web Services (AWS). For more information about AWS security practices, see https://aws.amazon.com/security/.
- Services run within a virtual private cloud (VPC) with fine-tuned firewall rules
- Access to AWS uses short-lived IAM role assumption. We do not run SSH daemons or bastion hosts.
- Data in transit is encrypted with TLS (HTTPS), enforced by HTTP Strict Transport Security (HSTS). We maintain an A+ rating from SSL Labs.
- Data at rest is encrypted at the disk level. Additionally, sensitive fields are encrypted using envelope encryption before being stored in the database, with AWS Key Management Service (KMS) managing the keys.
- Infrastructure is managed as version-controlled Terraform code (infrastructure as code, IaC) and is subject to code review
- Mobile Device Management (MDM) is deployed on systems which may access production systems
- We implement a corporate security program including staff single sign-on (SSO), background checks, and security training
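To make the envelope-encryption bullet above concrete, here is an added example. It is not Qlty's code and makes no claim about how Qlty's implementation is written. Each sensitive field is sealed under its own data-encryption key (DEK) with AES-256-GCM, and only the DEK is wrapped by the key-encryption key (KEK). The `KMSStub` type with its `GenerateDataKey` and `Decrypt` methods, the `Envelope` type, and the column names are all assumptions standing in for the real KMS API calls (kms:GenerateDataKey, kms:Decrypt) so that the example runs offline. The column name is bound as GCM associated data, so a ciphertext moved to another column fails to decrypt rather than leaking.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randBytes returns n random bytes; a failing CSPRNG is fatal, never a weak key.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// mustGCM builds an AES-256-GCM AEAD. It only ever receives the 32-byte keys
// generated below, so the only possible error is a programming mistake.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// KMSStub is an assumed stand-in for AWS KMS so the example runs offline. A real
// deployment calls kms:GenerateDataKey / kms:Decrypt and the KEK never leaves KMS.
type KMSStub struct{ kek cipher.AEAD }

func NewKMSStub() *KMSStub {
	return &KMSStub{kek: mustGCM(randBytes(32))}
}

// GenerateDataKey returns a fresh 256-bit data-encryption key (DEK) in plaintext
// plus the same DEK wrapped under the KEK (wrap nonce prepended).
func (k *KMSStub) GenerateDataKey() (plain, wrapped []byte) {
	plain = randBytes(32)
	nonce := randBytes(k.kek.NonceSize())
	return plain, append(nonce, k.kek.Seal(nil, nonce, plain, []byte("dek"))...)
}

// Decrypt unwraps a DEK produced by GenerateDataKey.
func (k *KMSStub) Decrypt(wrapped []byte) ([]byte, error) {
	ns := k.kek.NonceSize()
	if len(wrapped) < ns+k.kek.Overhead() {
		return nil, fmt.Errorf("wrapped key too short")
	}
	return k.kek.Open(nil, wrapped[:ns], wrapped[ns:], []byte("dek"))
}

// Envelope is what the database column stores: the wrapped DEK travels with the
// ciphertext and is useless to anyone without decrypt access to KMS.
type Envelope struct {
	WrappedDEK []byte
	Nonce      []byte
	Ciphertext []byte // includes the GCM authentication tag
}

// EncryptField seals one sensitive field under its own DEK. The column name is
// bound as associated data, so a ciphertext moved to another column fails to open.
func EncryptField(kms *KMSStub, column string, plaintext []byte) *Envelope {
	dek, wrapped := kms.GenerateDataKey()
	defer zero(dek) // the plaintext DEK lives only for the duration of this call
	gcm := mustGCM(dek)
	nonce := randBytes(gcm.NonceSize())
	ct := gcm.Seal(nil, nonce, plaintext, []byte(column))
	return &Envelope{WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ct}
}

// DecryptField asks KMS to unwrap the DEK, then opens the field ciphertext. Any
// change to the stored nonce, ciphertext or wrapped DEK is rejected by the tag.
func DecryptField(kms *KMSStub, column string, env *Envelope) ([]byte, error) {
	dek, err := kms.Decrypt(env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	defer zero(dek)
	return mustGCM(dek).Open(nil, env.Nonce, env.Ciphertext, []byte(column))
}

// zero overwrites key material once it is no longer needed.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	kms := NewKMSStub()
	env := EncryptField(kms, "users.github_token", []byte("constructed sample value"))
	pt, err := DecryptField(kms, "users.github_token", env)
	fmt.Printf("%s %v\n", pt, err)
	fmt.Println(DecryptField(kms, "users.other_column", env)) // wrong column: tag check fails
}
```

Only the wrapped DEK and the ciphertext are persisted, so a database dump without KMS decrypt permission yields nothing usable, and rotating the KEK in KMS only requires re-wrapping DEKs rather than re-encrypting every row. One limitation to be aware of: Go's AES implementation keeps the expanded key schedule inside the cipher object, which the zero helper cannot reach.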
SOC 2
Qlty completed its SOC 2 Type I audit in September 2024 and is working toward SOC 2 Type II, which requires a mandatory observation period before the report can be issued.
PCI
Qlty uses Stripe for all payment processing. Stripe has been evaluated by a PCI-certified auditor and is certified to PCI Service Provider Level 1, the most stringent level of certification available in the payments industry.
Report a vulnerability
Your input and feedback on our security, including responsible disclosure of vulnerabilities, are always appreciated. If you have discovered a security concern, please email us at security@qlty.sh.
We’ll work with you to make sure we understand the issue and address it. We consider security correspondence and vulnerabilities our highest priorities, and we will work to promptly address any issues that arise.