Information security policy

Our approach to information security is based on the principles of Confidentiality, Integrity and Availability. Confidentiality is mainly about protecting against unauthorised access. Integrity is mainly about ensuring that the data stored on the MRQual software platform is stored and backed up properly. And availability is about making sure the MRQual software platform works properly.

  1. The MRQual software platform is hosted by Amazon Web Services (AWS) at a data centre in the Republic of Ireland. AWS has ISO27001 certification for Information Security.
  2. The MRQual software platform is backed up daily.
  3. We continuously monitor the performance of the MRQual software platform using New Relic.
  4. The MRQual software platform incorporates automatic testing, which includes email alerts to us in case of problems.
  5. The MRQual software platform is SSL protected, which involves data encryption.
  6. The MRQual software platform is vulnerability-tested monthly by SecurityMetrics, and is PCI compliant.
  7. MRQual software platform Customers are responsible for controlling access to their account. For example, this includes preventing access by previous employees or contractors.
  8. Customers are responsible for deciding on the length and complexity of passwords. We do not enforce aging because we intend to incorporate AUGST (whereby participants can register with their Facebook username and password).
  9. MRQual employees and contractors are able to access data on a customer’s account by logging in as superusers. However, we only do this on request from customers.
  10. Contractors only access customer data on request from us, if we have received a request from a client which requires the contractor’s involvement.
  11. MRQual employees and contractors never download or copy customer data from MRQual.
  12. MRQual employees and contractors have confidentiality clauses built into their employment contracts.
  13. New MRQual employees are given training in information security within 2 weeks of starting work.
  14. Logins are revoked for MRQual employees leaving the business or contractors who we no longer work with.
  15. Our policy for MRQual employees is to use complex passwords.
  16. If there is any incident relating to the confidentiality, availability or integrity of customer data we inform the customer within 1 hour.
  17. We log all incidents, and determine what actions we need to take in order to prevent a recurrence. We take such actions as soon as is practically possible, and in accordance with the seriousness of the incident.
  18. We review incidents in a quarterly management meeting.