Is our data secure?

Privacy

QLess will not share any of your data or customer information with any third party. We promise to never sell your customers' phone numbers, or send unsolicited advertising to their phones. Customers who do opt in to receiving marketing messages from you through QLess may easily opt out at any time. Customer data from production servers is never used outside of our production environment, and is kept properly secured.

Communication

All of your communications with QLess servers are protected by 256-bit SSL encryption, with certificates issued by a trusted third party. QLess Web Services include mechanisms to prevent Cross-Site Request Forgery (XSRF) attacks, and are rate-limited to prevent Denial of Service (DoS) attacks. QLess Web Service URLs are never required to contain any sensitive information, such as customer phone numbers. QLess servers are hardened and protected by firewalls, preventing access to unauthorized ports, and preventing IP spoofing. All of our Java Applets are signed by a digital code signing certificate that is issued by a trusted third party. All access to QLess servers by QLess Operations staff is authenticated, encrypted, and audited.

Authentication

Access to QLess UIs and QLess Web Services is authenticated by a user ID and password, which may be distinct for each user. QLess does not store any user passwords, only a secure one-way hash. QLess locks an account out of the system after 20 unsuccessful authentication attempts. Users are required to change their password on the first login attempt after their account has been initially created.

Authorization

You may use QLess role-based security to restrict which locations, which queues, and which capabilities your employees may access. When employees don't have access to certain features, QLess user interfaces are automatically simplified to show them only what they need. Capabilities that may be enabled or disabled (on a per-queue or per-location basis) for individual users include:

  • Ability to add and remove customers to and from a queue
  • Ability to summon customers from a queue
  • Ability to mark customers arrived
  • Ability to activate and deactivate a queue
  • Ability to access reports

Traceability

Every action performed by your staff is permanently logged by QLess, and may later be audited. Every time QLess releases a new version of its software to its own servers, we send a complete set of release notes to all customers with a description of each change included. Internally, every source code change is tracked to an issue that is contained in these release notes.

Data Centers

QLess data centers have regulated climate control, uninterrupted power with on-site diesel-powered generators, monitored closed-circuit television, a 24x7x365 on-site security team, military-grade pass cards, and biometric finger-scan/hand-scan units. All QLess servers are backed up off-site to cloud-based storage on a daily basis, and all backup data is encrypted before being transmitted.