Quadient Digital Trust Center

Quadient manages compliance to multiple certifications (e.g., ISO27001, ISO9001, HITRUST, PCI-DSS), frameworks (e.g., SOC2, NIST Cybersecurity Framework) and legal requirements (e.g., GDPR, HIPAA, ANDBR).

Actual compliance levels are reviewed multiple times per year by both internal audit teams and independent external auditors.

Please reach out to your Account Manager to understand, which of these are covering the scope you are interested in and what type of certificates and reports can be provided to you for reference.

Quadient global Information Security Management System (ISMS) responsibility lies with the Security Board, where executive management and Subject Matter Experts (SME) are present. The Security Board is held quarterly and focuses on ISMS topics affecting the Quadient group.

On Quadient solution level, there are quarterly Compliance meetings, where Quadient ICA executive management and SMEs are present. These meetings focus on Security, Privacy, Risk Management and other topics affecting Quadient ICA solutions, either SaaS or on-premise.

These two main platforms are supported by additional monthly, bi-weekly and weekly technical product and operational meetings, where Compliance topics are reviewed and discussed.

Quadient uses Microsoft Azure (Azure) and Amazon Web Services (AWS) as infrastructure (IaaS) for their SW solutions. Both Azure and AWS maintain a comprehensive set of certifications and assessments.

• Azure - https://www.microsoft.com/en-us/trust-center/product-overview
• AWS - https://aws.amazon.com/security/

Datacenter locations are the following.

Customer Data is always staying in the same region for both primary and secondary location, except for emergency failover of the third-party providers.

Data submitted to Quadient by customers, and being processed within Quadient ICA solutions, are processed and stored in multi-tenant environment, where logical segmentation (among other controls) is used to prevent co-mingling of Customer Data.

All Quadient internal users receive multiple awareness trainings throughout the year, including initial entry trainings to be performed within first two weeks of employment and before any access to confidential information or Customer Data (as defined in section Incident Management), and repeated training and ad-hoc trainings focused on important topics.

The contents of the trainings are regularly updated and vary depending on the role of the employee. Such trainings cover Security, Privacy and Data Protection, Secure Development and Deployment, Incident Management, Social Engineering, local legal requirements etc.

Attendance and completion of all trainings is regularly monitored by the responsible teams.

For users within Quadient (internal users), Acceptable Use Policies are made available for all major types of assets (e.g., End User Devices, Email) provided by Quadient. They also cover acceptable use of social media or instant messaging tools. Unacceptable Use is also clearly defined and disciplinary actions can be taken if such behavior is detected.

For our customers and their authorized end users, acceptable use terms are provided in the applicable contractual terms and conditions for the relevant solutions.

For internal users, logical access rights are assigned in line with Need to Know and Least Privilege principles. Access rights are managed using role-based account control (RBAC) approach and a regular access rights review is taking place. Access rights are revoked/modified latest within 24 hours after a user leaves Quadient or changes role. Systems have an access rights matrix in place, which highlights possibly conflicting roles. Such conflicts, if any, are quickly fixed by Asset Owners (as defined in Asset Management down below) for the specific systems. Single-sign-on (SSO) and Multi-factor authentication (MFA) is utilized where needed. Multiple consecutive failed login attempts lead to a locked account, which needs to be restored by designated admin roles. Virtual Private Network (VPN) connection is utilized for access to the Quadient ICA infrastructure.

For customers, it is up to the selected customer’s admin roles to setup access rights for the rest of the customers’ users and manage these accordingly, including SSO and MFA.

Quadient solutions features modern event driven architecture to provide maximum performance and stability. Each of our hosted virtual datacenters is designed as a failover and fully scalable system with its own replication logic. All requests are handled by multiple virtual machines via a load balancer, or serverless architectures which natively provide for massive scale usage.

Assets in Quadient have assigned dedicated Asset Owner and are listed within the documented asset inventory, which is regularly updated.

Specific rules on how assets can be handled are defined within Acceptable Use or Hardening Policies. Asset Owners are responsible, that assets are compliant with such rules and risks relevant to assets are managed accordingly.

Quadient uses Azure and AWS to store backups in different geographical regions globally to meet our customers’ needs.

Backup arrangements are made with AWS and Azure as further explained in the section Disaster Recovery below.

Backups are stored in georedundant locations, but always in a same geographic region as the relevant primary cloud instance contracted by the customer (either, EU, UK, United States, Canada or Australia) to comply with relevant legislations and are subject to same security measures (e.g., encryption) as the primary data (as further detailed in the section Data Centers down below).

Business Continuity (BC) Plans are created based on Business Impact Analysis (BIA) results by responsible Asset Owners. BC plans are tested at least annually. Where possible, different type of tests and test approaches are used to provide maximum efficiency of such exercises.

Action items from BC plan tests are tracked, have clearly assigned owner, action plan and due date.

A dedicated team of professionals participates in both BPC creation and testing to provide that plans are kept

up to date, and Quadient handles such situations in a structured and efficient manner.

Change Management is closely linked with Risk Management in Quadient, as all changes present a degree of risk which needs to be evaluated and approved by the appropriate design authority.

To unify approach to changes, standardized methods and processes are in place. Centralized data repositories and automated tools are used when possible. Clear notification, escalation and approval channels are defined and communicated within the teams.

Quadient maintains a dedicated annual cyber Insurance with an aggregated coverage of EUR 5.000.000 per loss per year with global geographical scope, although customers accessing to the USA ICA instance may benefit from additional cyber insurance of EUR 5.000.000 per loss per year.

To provide an appropriate disaster recovery (DR) mechanism, Quadient solutions use georedundant hosting (data is always stored in two separate geographic locations within the same region of AWS or Azure). In case of a disaster, we have contracted an availability of our systems in backup locations within 12 hours.

Quadient solutions have a Recovery Time Objective (RTO) of 12 hours and Recovery Point Objective (RPO) of 4 hours.  DR plans are tested at least twice per year for their ability to provide such RTO and RPO. Backup arrangements are made with AWS and Azure to provide for a Recovery Time Objective (RTO) of 12 hours and Recovery Point Objective (RPO) of 4 hours and their recovery tests are performed regularly to ensure, that backups are able to be used when needed.

Action items from DR plan tests are tracked, have clearly assigned owner, action plan and due date.

A dedicated team of professionals participates in both DR creation and testing to provide, that plans are kept up to date and Quadient handles such situations in the most efficient manner.

All data held by Quadient is encrypted. Quadient standard is AES 256bit for data at rest and TLS 1.2/HTTPS for data in transit.

Encryption keys for Quadient solutions are managed in a following way.

Assets in Quadient are subject to multiple industry practice hardening measures, including but not limited to:

• Antimalware tool with auto updated antimalware definitions
• Patched operation system
• Mobile Device Management (MDM)
• Storage encryption
• Auto-locking screens

All Quadient employees and contractors have a contract in place where security responsibilities are clearly specified. Non-disclosure agreement  is signed and is valid even after the termination of employment or contract.

Background checks are performed in line with local legislation and can be agreed with customers for specific regulated projects in the required form, like criminal record checks, credit checks etc.

Employees and contractors sign an agreement to follow all Quadient Security and Privacy Policies and Code of Ethics.

Disciplinary Actions Policy is in place and can be used when noncompliance with Quadient policies is detected.

A dedicated Security Incident Response Team (SIRT) is responsible within Quadient to provided effective solving of any Security or Privacy related topics. Incident reporting channels are identified, together with clear escalation paths. Root causes are identified for any incident, together with its impact and lessons learned.

Action items from incident investigations are tracked, have clearly assigned owners, an action plan and due date.

Customers are informed about any incidents directly affecting them or the  information or material, including personal data and customer content, that the customer or the customer’s end users may disclose or submit to Quadient or upload to the ICA service in the course of using the Service (“Customer Data”).

Brandon Batt, member of Quadient Executive Management is Quadient Data Protection Officer (DPO).

DPO is supported on local/regional level by Regional Data Protection Officers (RDPO).

Data breach is a situation, where sensitive, protected or confidential data, which may include customer’s personal data, is copied, transmitted, viewed, stolen, altered or used by an individual unauthorized to do so, either intentionally or unintentionally.

Subject to the terms of data processing addendums where applicable, Customers are informed about data breaches without undue delay after Quadient having become aware of such data breach.

Quadient will use commercially reasonable efforts to provide its customers with sufficient information to allow them at their cost, to meet any obligations to report or inform regulatory authorities, data subjects and other entities of such data breach to the extent required by applicable legislation.

Quadient solutions are processing data which are provided by the customer. Such data can go from public data, dummy data up to Credit Card Data, Personal Identifiable Information (PII) and Personal Health Information (PHI).

While processing and storing personally identifiable information (PII), Quadient solutions provide the following rights:

• Right to access: customers have full access to their data.
• Right to correct: we will correct Customer Data within 30 days upon a request to Quadient support.
• Right to be forgotten: we will remove Customer Data within 30 days upon a request to Quadient support.
• Right of data portability: customers can download all their data (e.g. JSON, CSV) at any time with no assistance required from Quadient.

Quadient is keeping the data for the term of the subscription and deletes it thereafter safely, subject to the terms of the agreements between Quadient and the customer. Data is only retained based on legal justifications for the respective purpose.

While majority of relevant reports are confidential and either Quadient does not share them, or only do so after a specific non-disclosure agreement is signed, there are some reports which are freely available upon request.

For other reports and records from BC/DR tests, HIPAA/GDPR/CCPA assessments, vulnerability assessments and penetration tests, incidents resolution, please reach out to your Account Manager to discuss what you require.