Quadient Digital Trust Center

Quadient manages a comprehensive set of policies, integrated within a structured Integrated Management System (IMS). The IMS consists of Security, Privacy, Quality and ESG topics.

All policies are approved by the Quadient executive management and have dedicated owners, which are responsible for their regular review and update. Policies are supported by lower tier documents (e.g., standards or processes) which also have their assigned owners and are reviewed at least annually, or after a material change of a system.

With few exceptions, as available within the "What can be shared" section, all Quadient ICA internal documentation can be shared only if non-disclosure agreement (NDA) is signed by both Quadient and requesting third party.

The Quadient organizational structure contains specific roles to support the ISMS. The Security Board that includes members of the senior and executive management oversees the ISMS on the corporate level and is led by the Director of Information Security.

Information Security Manager is responsible for whole Compliance system of Quadient ICA Solutions globally.

Global roles are supported on local level by local Security and Compliance Managers, Regional Data Protection Officers, Cyber Security Analysts, Application Security Analysts, Penetration Testers and other roles.

Quadient SMEs working in the area of security are experienced professionals who hold multiple security and privacy relevant personal certifications including, but not limited to: CISSP, CISM, CISA, CRISC or CCSK.

Quadient does not want and does not need access to Customer Data. In very exceptional circumstances (e.g., to solve specific problems on customer request) this can be arranged but needs to be mutually agreed upfront in the relevant contractual agreements between Quadient and the customer.

For such exceptional cases Quadient has a special procedure available, and a dedicated file exchange with specific retention policies.

Quadient regularly updates list of sub-processors used within their solutions. Such list is available to Quadient ICA solutions customers here.

Customers are informed about changes at least one calendar month before such change takes effect. Such changes can be either addition of new sub-processor or change of processing for existing sub-processors.

Quadient is proactively notifying only customers affected by such change, or where there is a legal/contractual commitment to do so. 

A dedicated Security Incident Response Team (SIRT) is responsible within Quadient to provided effective solving of any Security or Privacy related topics. Incident reporting channels are identified, together with clear escalation paths. Root causes are identified for any incident, together with its impact and lessons learned.

Action items from incident investigations are tracked, have clearly assigned owners, an action plan and due date.

Customers are informed about any incidents directly affecting them or the  information or material, including personal data and customer content, that the customer or the customer’s end users may disclose or submit to Quadient or upload to the ICA service in the course of using the Service (“Customer Data”).

Throughout the year, multiple audits take place in Quadient, focused on different scopes, standards, frameworks and legal requirements. Such audits are performed by internal teams of skilled professionals, and at least annually confirmed by independent external auditors.

Findings from audits are tracked, have clearly assigned owners, an action plan and due date.

Quadient stores security and audit logs to ensure auditable traceability of important actions, in line with industry standards. Such logs include user id, type of action, time stamp.

Logs are kept for at least one year and will be generally deleted within twelve months, unless specific reasons require differently. The logs are monitored by internal, and sometimes also dedicated external teams. Any suspicious events are investigated.

All production systems and network devices are constantly monitored on an application level. Application-is-running monitoring measured in 5-minute intervals to provide maximum availability. For Infrastructure Monitoring, various performance indicators are monitored on used Virtual Machines, databases, and storage to provide an overview of the health status as well as utilization (capacity planning).

Status pages for customers are made available to inform about any planned or unplanned downtime at the following links.

• AP – https://quadientap.statuspage.io
• IDA – https ://university.quadient.com/group/site/quadient-cloud-status
• CXM – https://university.quadient.com/group/site/quadient-cloud-status
• HUB - https://university.quadient.com/group/site/quadient-cloud-status
• AR - http://yp-status-page.s3-website-us-east-1.amazonaws.com

Quadient utilizes multiple technical tools within its network. This includes (not full list):

• Web filtering
• Firewall rules management
• Auto-terminated sessions
• Network zoning concept
• Virtual Private Networks (VPN)
• Intrusion Detection System (IDS)
• Security Information and Event Management(SIEM)
• Intelligent Threat Detection
• Distributed antivirus software with centralized management
• Automated policy management and violation detection
• Zero Trust Architecture (ZTA)

Networking cables within offices are protected from interception, interference or damage. Wireless networks are protected by username/password (WPA2).

Network events are monitored by internal and external Secure Operations Center (SOC) teams and incidents are escalated and investigated according to internal procedures.

Data Loss Prevention tool (DLP) is not yet implemented within Quadient fully, but future implementation is regularly reviewed. Currently it is substituted by other technical and administrative controls in place.

Unique passwords are assigned to internal users and are forbidden to be shared. The password construction guidelines follow latest industry practices, to provide appropriate security. Passwords use salt and are encrypted. Usage of password management tools is recommended internally.

For customers, password management within Quadient solutions is configurable as needed. It is up to the customer’s admin to set it up according to their standards.

Quadient R&D offices are protected by Close Circuit Television (CCTV) systems, physical keys, ID cards and other controls. Zoning concepts are implemented to highlight more critical areas (e.g., server room, HR office). Only restricted number of users have access to such areas. Clean Desk Policy is implemented, and offices are locked, and security is monitored by alarm system after business hours.

Physical and environmental security of the datacenters remains the responsibility of the hosting providers, Azure and AWS.

Quadient’s Cloud platform takes advantage of Azure cloud service infrastructure which provides the physical and environment security. Azure’s high-standard certifications and its top class security mechanisms and measures ensure maximum safety of Customer Data (see Azure Trust Center at https://www.microsoft.com/en-us/trust-center/product-overview for more details).

Further information about the physical security provided by AWS is available from the AWS website at: https://aws.amazon.com/compliance/data-center/controls/

Quadient has implemented a sophisticated quality assurance (QA) system. Each new release of all Quadient applications is thoroughly tested using a high multitude of scenarios. Different types of tests are used, such as automated/manual regression tests, security tests, functional tests and high availability tests.

Risk Management within Quadient is based on ISO 27005 and uses an asset-based risk approach. Asset Owners are responsible that risks affecting assets in their responsibility are within Quadient defined acceptable levels, or to put in place risk treatment plans to mitigate such risks.

Risk assessment is performed at least annually and its results, together with proposed risk treatment plans, are approved by executive management.

Quadient incorporates security into its software development life-cycle using the OWASP SAMM framework, for more information on the SAMM project see https://owasp.org/www-project-samm/. Security by Design, Security by Default, Privacy by Design and Privacy by Default principles are followed. Compliance is regularly checked by internal QA/QE teams and confirmed by external independent parties. All code is tracked, version controlled, and peer reviews are performed prior to deployment. Quadient uses separate development, test and live environments. Production Customer Data is never used in development or test environments.

We publish the Security Bulletins and/or Status Reports for Quadient solutions on a monthly basis, which list the Security Fixes for Open Source Libraries that we have made to protect Quadient software from newly recognized vulnerabilities. We also publish the results of the Security Scans on Quadient Cloud that we have performed to prevent penetration of our online services.

The Security Bulletin is published in password-protected web locations made available to customers for each ICA Service as applicable (e.g. Quadient Academy for IDA, Quadient University for CXM or YayPay HelpJuice for AR), where customers can view and download it. Customers are not proactively informed about the release of new Security Bulletins.

As Quadient ICA solutions operate in cloud as SaaS model, there is a concept of shared responsibility with the Customer administrators. For some security aspects Quadient is solely responsible, for others customer is solely responsible and for the rest, the responsibility is shared.

Q = Quadient

C = Customer

Quadient ICA solutions are development environments in which our customer can create their own business workflows. Such systems can enable our customer to import, store, process and distribute information. Often this information is personal data which can be considered sensitive or is protected by law. Our Quadient components provide an extensive set of security-related features and multiple levels of data protection, as described in this document.

However, when developing the customer’s own logic within the customer’s licensed area of Quadient ICA environment, the customer shares the responsibility for the security of the solution. We strongly recommend that the customer designs the licensed solutions along the highest security standards available in our components. The customer may contact our support for more information on how to achieve maximum security in the customer’s solution.

Quadient is not liable for any damage or loss caused by insecure practices or development on our customer’s side.

To keep the confidentiality of the communications sent to customers’ clients and to prevent disclosure of personally identifiable information (PII) or protected health information (PHI), this PII or PHI information shall be included only with extended security as set forth in the data processing addendum where applicable according to the contractual agreement between Quadient and the customer for the relevant ICA Service. Quadient strongly recommends the customer to follow best industry practice to either inform their client of the ICA Service output within their account or to send a URL link to a secure web portal managed by the customer, where their client’s user must log into.

The customer may reach out to our relevant Account Manager if the customer needs to clarify any specific questions on its responsibilities, so the customer may be directed to the respective Quadient ICA support expert.

Quadient understand risks relevant to supply chain management and, as a result, regularly reviews its suppliers. New suppliers need to go through due diligence process, which is evaluated by multiple Quadient internal departments. Current suppliers are evaluated on periodic basis, at least annually. This review can go from self-assessment to full audit performed by independent third party, depending on the criticality of the supplier.

Quadient uses wide range of Vulnerability Assessments and Penetration Tests, which are performed based on approved timeline depending on the assets, which may be weekly for specific assets.

They are performed by dedicated internal and external teams, using industry leading tools (e.g., Qualys, Goose), utilizing both Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST).

Identified vulnerabilities are fixed according to internal process, prioritizing more critical vulnerabilities.

Information on customer access to ICA Services or logs and any other related transactional data (“Technical Data”) and/or Customer Data is regularly deleted from Quadient ICA solutions after a specific amount of time.

You can contact us by using these options:

• Using the access request form here https://www.quadient.com/en/preferences
• Emailing Us at: PrivacyTeam@Quadient.com
• Calling Us at +1-800-636-7678

The general Quadient Privacy Statement is publicly available here https://www.quadient.com/en/quadient-website-privacy-statement.

The Privacy Notice for California Residents can be found here https://www.quadient.com/en/california-consumer-privacy-act.

Quadient policies (including relevant standards etc.) are possible to be shared when non-disclosure agreement (NDA) is signed between both parties. Please reach out to your Account Manager if you wish to receive them.