The security and privacy of your Quorum account and the data you put in Quorum are incredibly important to us. We follow best-in-class security practices, in both our technical setup and our personnel policies, to ensure that clients' data is appropriately protected. Quorum has passed extensive security reviews at many of the world's largest companies and engages a third-party security firm to perform penetration tests against its systems twice a year. Our approach to security and privacy is centered on five pillars:
Application security ensures that Quorum's applications (the website, mobile app, and desktop app through which our clients access Quorum) are protected. We encrypt all data in transit and at rest (and maintain an A rating from Qualys for our TLS configuration), enforce enterprise-grade login controls including optional two-factor authentication and single sign-on (SSO), and have built-in protections against cross-site scripting (XSS), SQL injection (SQLi), and many other common attack patterns.
Quorum is hosted entirely on Amazon Web Services (AWS), a best-in-class infrastructure-as-a-service (IaaS) provider, and uses a combination of AWS-provided, third-party, and in-house systems to protect the servers, databases, firewalls, backups, and other components on which Quorum is built.
To protect the laptops and computers used by employees, we contract with CrowdStrike, an endpoint security firm used by many government organizations and Fortune 100 companies and well known for its investigation of the DCCC hacking during the 2016 Presidential campaign. CrowdStrike's endpoint security system identifies and blocks threats before they cause harm and serves as a powerful monitoring and anti-virus system. Our hardened servers are protected by CrowdStrike as well as by a variety of other intrusion detection and prevention systems.
Even the best security systems cannot succeed if the individuals involved are not well equipped to follow standard practices. Every Quorum employee undergoes a background check before starting employment, signs a non-disclosure agreement (NDA) as part of the employment agreement, completes mandatory data security training on their first day, and is subject to strict internal limits on access to client data.
Any data that a client enters into Quorum's system is owned by that client, not Quorum, and we do not share information between different client accounts or with third parties. Quorum maintains GDPR compliance and provides guidance to its clients on how they can use Quorum's products to remain GDPR compliant themselves.