Security — BoringQMS

Infrastructure

01 Cloud hosting: Deployed on SOC 2 Type II certified cloud infrastructure with redundancy across multiple availability zones.
02 Network security: All traffic is encrypted in transit via TLS 1.3. Internal services communicate over private networks with mTLS.
03 DDoS protection: Edge-level DDoS mitigation with automatic traffic filtering and rate limiting.

Data Protection

01 Encryption at rest: All data is encrypted at rest using AES-256. Database backups are encrypted and stored in geographically separate locations.
02 Tenant isolation: Multi-tenant architecture with strict logical isolation. Each tenant's data is segmented and inaccessible to other tenants.
03 Backups: Automated daily backups with point-in-time recovery. Backup integrity is verified regularly.

Access Controls

01 Authentication: JWT-based authentication with short-lived tokens. Support for SSO via SAML 2.0 and OAuth 2.0 on enterprise plans.
02 Role-based access: Granular RBAC with predefined roles (Admin, Manager, Agent, Viewer) and custom role support.
03 Audit logging: Comprehensive audit trail of all administrative actions, access events, and configuration changes.

Compliance

SOC 2

Type II certified. Annual audits covering security, availability, and confidentiality.

HIPAA

Business Associate Agreements available. PHI handling follows HIPAA Security Rule requirements.

GDPR

Data Processing Agreements in place. Standard Contractual Clauses for international transfers.

Incident Response

We maintain a documented incident response plan with defined severity levels and escalation procedures. Security incidents are communicated to affected customers within 72 hours, in compliance with GDPR notification requirements.

Responsible Disclosure