Qwil Messenger has been specifically designed to make chat safe and compliant when it matters most: between businesses, and their clients and partners. To achieve this, we have engineered our product from the ground up to ensure the protection and privacy of every user’s information. We take this responsibility very seriously, and are committed to being transparent about our approach and to helping you understand how we deliver on this promise.
An important aspect of security is our company culture and the policies and processes we employ to deliver our software services. From the very beginning, we have taken an enterprise approach to ensuring we have the right control framework aligned to the ISO 27001 standard at Qwil Messenger. We obtained our ISO 27001 Certification on the 13th of November 2020.
We maintain a set of policies, standards, procedures and guidelines that provide everyone working in the company with the rule book for operating Qwil Messenger’s Information Security Management System (ISMS). This framework helps ensure that our customers can rely on our employees and on our service to operate securely. Qwil Messenger has also assigned and defined roles for its three directors, who are made personally responsible for operating the various aspects of our ISMS. The responsibilities of each role are detailed in Qwil Messenger security documents.
We have also partnered with some of the world’s largest financial firms to ensure our approach not only meets but, in many cases, exceeds the most stringent standards which are expected. This has been complemented by our “start-up-in-residence” experience with Schroders, and their subsequent strategic investment in our company which is public recognition of the robustness of our platform as an enterprise solution for financial firms.
Qwil Messenger has also successfully obtained Cyber Essentials Plus certification, demonstrating our ability to protect the firm’s assets from cyber threats.
Every person engaged in the delivery of our service, whether employed by us directly or indirectly, is bound by strict terms and conditions. They must pass background checking, attend security training and confirm their understanding of our security policies and procedures (including acceptable use, data privacy, asset management, incident reporting etc.) before accessing their workstation. Every employee attends an initial on-boarding session about the Qwil Messenger platform and the broader security environment to ensure they are absolutely clear on what they can and cannot do.
On a periodic basis we provide refresher training to ensure our employees are up-to-date with our technology and best practices so that security and data protection always remain at the forefront of everything we do at Qwil Messenger.
Employee access control
Qwil Messenger operates all access control activities based upon the principle that default permissions are set to “deny all”, and specific permission is needed before access is granted, in line with the individual’s role and bona fide business needs. This rule applies to our premises, IT systems and networks as well as to cloud servers and services.
Our production service, where client data is available, is accessed using an entirely separate set of multi-factor account credentials. These are tightly managed by our technical executives, and only under exceptional circumstances are any users authorised to access this environment, with the limited permissions required to perform the task and with all actions fully audited.
Once an individual (employee, contractor or 3rd party) leaves their employment or contract with us, access to all systems and premises is disabled immediately.
Workstation security & mobile device management
Qwil Messenger configures all workstations to comply with our security standards. These standards require all workstations to run the most up-to-date operating system with a default setup that encrypts data, enforces strong passwords, and auto-locks when idle. We run a macOS desktop environment exclusively, with all staff workstations owned and maintained by the company.
BYOD mobile devices are only permitted to access a limited set of company productivity tools, such as email, file sharing and chat. All of these tools are centrally managed, and devices are required to be enrolled in the appropriate mobile device management systems to ensure they meet Qwil Messenger’s security standards.
Remote access is only authorised via Qwil Messenger-owned equipment, using the preinstalled connection configuration (VPN and MFA tokens) that has been centrally provisioned.
No customer data used as part of the service is ever stored on physical premises, workstations or mobile devices. We rely on the most secure cloud providers for our data hosting environments and client data is exclusively stored in our production environment and is loaded by our customers into their own organisations. Data is never written to portable storage nor moved to another environment.
Whilst our core end user features are focused on creating rich, chat-based, instant communication, every feature is delivered in a secure and compliant manner. Our product leadership are security experts who go into each sprint (and the stories it involves) with robust security as the overarching requirement.
Before starting any feature discussion, the design concepts and high-level requirements are validated against these core design principles to ensure we do not deviate from our key mission. This is fundamental to the DNA of our software delivery process.
We continuously test our software. We employ an agile software development methodology that focuses on a test-driven approach with continuous integration. We have a high level of automated acceptance tests, complemented by a comprehensive functional test model using industry-leading tools.
In terms of managing environments, we keep everything separate. Development, Test and Production environments are completely segregated from one another using separate cloud accounts for each of these environments. All of our source code and other development artefacts are stored within a secure cloud environment that operates as an internal network (i.e. no internet access is permitted from this environment) and requires both VPN credentials and access from restricted IP ranges to be accessed.
System monitoring, logging, and alerting
Qwil Messenger monitors servers, workstations and mobile devices and takes full advantage of our cloud provider’s tools and features to keep our accounts and resources safe from unauthorised use. This includes credentials for access control, HTTPS endpoints for encrypted data transmission, the creation and management of secure, separate user accounts (Identity and Access Management or “IAM”), user activity logging for security monitoring, alerts, and Trusted Advisor security checks.
Qwil Messenger has established policies and procedures for responding to potential security incidents. Our Information Security Incident Management Policy covers suspected or actual breaches of confidentiality or integrity and interruptions to the availability of our services, and applies to all employees, contractors and third-party users of our information systems and related infrastructure. Qwil Messenger will notify impacted customers within 48 hours of any suspected or actual personal data breach.
3rd party assessments
In addition to our own security practices, we employ the services of a global expert in cyber security and risk mitigation. With a world-class team of experts, supported by leading technology and processes, our partners work with us to make sure our platform is secure and data is protected. This includes frequent application- and infrastructure-level penetration testing of our entire solution to keep us, and our customers, free from doubt. Our penetration testing reports are available upon request.
How we keep your data safe
Network security and production data access
Our production environments are managed using entirely separate cloud accounts (i.e. they are totally separate instances with no interconnection or access from within the other development environments). Production access is tightly controlled (usually only accessed under break glass scenarios) with different access controls applied according to a “minimum access required to complete a task” approach.
In our cloud-hosted production environments, control of network devices is retained by the hosting provider. For that reason, Intrusion Detection / Intrusion Prevention (IDS/IPS) is performed using host-based controls. For example, we have implemented tools that automatically assess applications for vulnerabilities or deviations from best practice, and we subscribe to all available monitoring, tracking metrics and alerts so as to respond to any activity threatening the security of our operations.
To further reduce the risk of unauthorised access to data, Qwil Messenger fully utilises our cloud provider’s centralised mechanism for creating and managing individual users within our account. Each user has a unique name and a unique set of security credentials not shared with other users. This eliminates the need to share passwords or keys. We define policies that control which cloud services our users can access and what they can do with them. We grant users only the minimum permissions they need to perform their jobs, and we periodically review these permissions.
End user on-boarding processes, provisioning and access control
Security begins with being confident that you are engaging with verified organisations and chat participants on Qwil Messenger and not an impersonator. For this reason, Qwil Messenger is an invitation-only platform to which users cannot self-subscribe.
Before any organisation is given access to host their own branded chat space (“tenancy” or “Tenant Services”) on Qwil Messenger, we undertake a comprehensive know your business (KYB) onboarding process to verify that our subscriber organisations (and their administration staff) are who they profess to be. This includes verification of the key individuals at the organisation who intend to set up the service. We control the name of each organisation (subscribers cannot change it) and we monitor branding changes for suspicious activity. We intend to make some of these details available to chat users, so they too can check that the company information we have verified matches their own understanding.
We further extend this robust approach to user provisioning and on-going authentication. Our processes and controls have been architected using industry best practices to mitigate financial crime and fraud risks.
They are also defined to align with the existing organisational processes of our customers, to maintain the integrity of the controls. Such measures include:
- Users are only provisioned by each organisation’s administrator, using verified personal details managed as part of their own company’s client data management processes, thereby limiting the risk of fraudulent self-registration.
- The account provisioning process is supported by multi-factor, time-bound activation codes, which only allow activation within a short, limited window.
- Sign-in to the service employs a multi-factor authentication process for all user access. This applies for both mobile and browser-based access on a computer.
- Limited access attempts are enforced, and failure beyond the limit results in access revocation and local data removal on mobile devices.
- User connections are only allowed via a secured connection (TLS) and only from devices that are not rooted or jailbroken.
- IP range restrictions for staff access to the web client can be enabled to ensure the platform can only be accessed on company authorised workstations.
- Qwil Messenger utilises an antivirus engine for detecting trojans, viruses, malware & other malicious threats. By incorporating this technology as part of our file exchange processes, we ensure that only appropriate files are able to be passed between users on the chat platform.
- Our customers can control allowable attachment types via a custom whitelist, and prevent users sending encrypted or password protected files in chats so compliance and audit staff have visibility of all content shared by users.
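The attachment controls in the last two points (an allow-list of permitted file types, and blocking encrypted or password-protected files so compliance staff can see everything shared) can be illustrated in code. The following Python is an added example and is not Qwil Messenger’s code: the allow-list, the ZIP and PDF checks, and the sample files are all constructed here for illustration. Matching the content’s magic bytes against the declared extension, rather than trusting the file name alone, is what stops a renamed executable from passing as a document.

```python
"""Attachment screening: type allow-list plus encrypted-file detection.
Added example (not Qwil Messenger's code); allow-list, limits and sample
files are constructed here."""
import io
import os
import struct
import zipfile
from typing import Tuple

# Constructed allow-list: extension -> magic bytes the content must start with.
ALLOWED_TYPES = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".zip": b"PK\x03\x04",
}


def zip_has_encrypted_entry(data: bytes) -> bool:
    """Scan every ZIP local file header; bit 0 of the general-purpose flag
    (offset 6 in the header) marks a password-protected entry."""
    pos = 0
    while True:
        pos = data.find(b"PK\x03\x04", pos)
        if pos < 0 or pos + 8 > len(data):
            return False
        flags = struct.unpack_from("<H", data, pos + 6)[0]
        if flags & 0x0001:
            return True
        pos += 4


def pdf_is_encrypted(data: bytes) -> bool:
    """An encrypted PDF carries an /Encrypt entry in its trailer or xref-stream
    dictionary. A substring check is a deliberate simplification here."""
    return b"/Encrypt" in data


def screen_attachment(filename: str, data: bytes,
                      block_encrypted: bool = True) -> Tuple[bool, str]:
    """Return (allowed, reason) for a file a user is trying to share."""
    ext = os.path.splitext(filename.lower())[1]
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        return False, f"extension {ext or '(none)'} not on allow-list"
    if not data.startswith(magic):
        # Name says one thing, bytes say another: reject rather than guess.
        return False, "content does not match declared type"
    if block_encrypted:
        if ext == ".zip" and zip_has_encrypted_entry(data):
            return False, "password-protected archive blocked"
        if ext == ".pdf" and pdf_is_encrypted(data):
            return False, "encrypted PDF blocked"
    return True, "ok"


def build_sample_zip(encrypted: bool) -> bytes:
    """Constructed sample archive. When encrypted=True the 'encrypted' flag
    bit is set in the local header to mimic a password-protected entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "quarterly figures")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 0x01          # low byte of the flag field in the first local header
    return bytes(data)


# Constructed sample documents.
PLAIN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF"
ENCRYPTED_PDF = b"%PDF-1.7\ntrailer << /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF"

if __name__ == "__main__":
    for name, blob in [("report.pdf", PLAIN_PDF), ("secret.pdf", ENCRYPTED_PDF),
                       ("tool.exe", b"MZ\x90\x00"), ("logo.png", b"MZ\x90\x00"),
                       ("files.zip", build_sample_zip(False)),
                       ("locked.zip", build_sample_zip(True))]:
        print(name, screen_attachment(name, blob))
```

The encrypted-ZIP check reads the local headers directly, so it still flags an archive whose central directory has been tampered with to hide the flag.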
Data hosting & infrastructure
The complex and proprietary technology design that underpins our solution allows us to deploy your company's confidential communications in almost any data center, in any location, with any provider. We are cloud native, and prefer to use industry-leading global cloud providers who are able to provide a data center and network architecture built to meet the requirements of the most security-sensitive organisations. These providers support single-click deployment of the infrastructure definitions that we maintain in our own secure infrastructure repository.
All the data centers which we deploy to are ISO-27001 certified. Physical security controls include but are not limited to perimeter controls such as fencing, walls, security staff, video surveillance, intrusion detection systems and other electronic means. Authorised staff must pass two-factor authentication a minimum of two times to access data center floors. Physical access points to server locations are recorded by closed circuit television camera (CCTV). Images are retained for 90 days, unless limited to 30 days by legal or contractual obligations.
Data handling & encryption
At rest, data on our servers is encrypted both at block level and at a logical level, and we own and maintain our encryption keys. Each and every server deployment has unique encryption and access keys. On mobile devices, the Qwil Messenger app uses a local database encrypted with AES-256, and the key is stored in the device’s manufacturer-secured credential store (e.g. the Keychain on iOS). The local mobile databases are also excluded from device backups, which enforces an ongoing two-factor authentication model that uses the device itself as a factor after provisioning.
In-flight data is encrypted using standard SSL/TLS termination with TLS 1.2 and no downgrade allowed. Our mobile apps use public key pinning (also referred to as certificate pinning or SSL pinning) to detect and block “man-in-the-middle” attacks.
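As an added illustration of the two in-flight controls just described (a TLS 1.2 floor with no downgrade, and public key pinning), the Python below shows a client-side TLS context that refuses anything below TLS 1.2 and a check that the server’s SubjectPublicKeyInfo hashes to a pin in an expected set. This is example code, not Qwil Messenger’s mobile app code; the pin format (“sha256/” plus base64, as used by HPKP-style pin sets), the small DER walker, and the toy certificate built for testing are all assumptions made here.

```python
"""TLS 1.2 minimum version plus SPKI (public key) pinning.
Added example, not Qwil Messenger's code; the DER walker and the toy
certificate used to exercise it are constructed here."""
import base64
import hashlib
import socket
import ssl


def make_client_context() -> ssl.SSLContext:
    """Client context that verifies the chain and hostname and refuses any
    protocol version below TLS 1.2 (i.e. no downgrade)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# --- minimal DER handling, enough to locate SubjectPublicKeyInfo in X.509 ---
def _tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes carry the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes):
    """Split a constructed value into its child TLVs (tag+length+value kept)."""
    out, pos = [], 0
    while pos < len(value):
        _, _, nxt = _tlv(value, pos)
        out.append(value[pos:nxt])
        pos = nxt
    return out


def spki_from_der(cert_der: bytes) -> bytes:
    """Extract the SubjectPublicKeyInfo TLV from a DER-encoded certificate."""
    _, cert_body, _ = _tlv(cert_der, 0)     # Certificate ::= SEQUENCE
    _, tbs_body, _ = _tlv(_children(cert_body)[0], 0)   # TBSCertificate
    fields = _children(tbs_body)
    if fields[0][0] == 0xA0:                # optional EXPLICIT [0] version
        fields = fields[1:]
    # serial, signature alg, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5]


def spki_pin(cert_der: bytes) -> str:
    """Pin string 'sha256/<base64 of SHA-256(SPKI)>'."""
    digest = hashlib.sha256(spki_from_der(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode()


def pin_matches(cert_der: bytes, pins) -> bool:
    return spki_pin(cert_der) in set(pins)


def connect_pinned(host: str, port: int, pins) -> str:
    """Open a pinned TLS connection; raise if the leaf key is not pinned."""
    ctx = make_client_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            if not pin_matches(tls.getpeercert(binary_form=True), pins):
                raise ssl.SSLError(f"public key pin mismatch for {host}")
            return tls.version()


# --- constructed toy certificate so the pin logic can be exercised offline ---
def _der(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_toy_cert(pubkey_bits: bytes) -> bytes:
    """Structurally valid but unsigned, non-verifiable certificate skeleton
    (placeholder issuer/subject/validity) carrying the given key bits."""
    seq = lambda *parts: _der(0x30, b"".join(parts))
    oid_rsa = _der(0x06, bytes.fromhex("2a864886f70d010101"))   # rsaEncryption
    spki = seq(seq(oid_rsa, _der(0x05, b"")), _der(0x03, b"\x00" + pubkey_bits))
    tbs = seq(_der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"),
              seq(oid_rsa), seq(), seq(), seq(), spki)
    return seq(tbs, seq(oid_rsa), _der(0x03, b"\x00" * 9))


if __name__ == "__main__":
    cert = build_toy_cert(b"\x01\x02\x03")
    print(spki_pin(cert), pin_matches(cert, [spki_pin(cert)]))
```

Pinning the SPKI rather than the whole certificate lets a server renew its certificate without breaking clients, as long as the key pair is kept; a backup pin for a spare key should be shipped alongside so a key rotation does not lock users out.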
Between server components, authentication is session-based, supported by subdomain cookies as a way of limiting the transmission of long-term cookies. All traffic transmitted for the platform uses either the HTTPS or the WSS secure protocol.
Where external services such as SMS or push notifications for mobile operating systems are used, transmission of non-sensitive data only can be enforced. When applied, this means that accessing any underlying content requires authenticated access via the app.
Our internal access to each service component is restricted by IP access ranges and a separate Virtual Private Network (VPN) established for each service instance. Qwil Messenger servers securely communicate with each other from fixed, whitelisted IP addresses on a per deployment basis, supported by client certificate authentication.
Data integrity, removal and disposal
Our software deployment process is managed by a proprietary toolkit that allows us to deploy blue-green releases across all of our server components globally. A relational database underpinning this software tool stores the deployment versions and service definitions. This information, combined with the artefacts output from the Jenkins process are used to repeatably create a standardised and versioned instance of our servers globally with a very high degree of integrity.
Each tenant service’s persistence components (database and file storage) are the single master source of truth for all chat information and associated metadata. Only data that is successfully and securely committed to these components is reflected in the conversations shared between users and distributed across the Qwil architecture. Passwords and one-time access codes sent via SMS are stored as salted hash values in the database. Although data resides on mobile devices for usability purposes, the master source of truth is the Qwil Tenant Service for each organisation. Local data is removed (and can be re-downloaded) when a user exceeds their device authentication attempts or is removed from an organisation. Users can also manage the devices that have been provisioned with access, and can remotely revoke that access and remove the data.
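The salted-hash storage of SMS one-time codes described here, together with the time-bound activation codes and the attempt limit ending in revocation listed under the provisioning controls earlier, can be demonstrated in one small component. The Python below is an added example and not Qwil Messenger’s code: the in-memory store, the six-digit code format, the ten-minute window, the five-attempt limit and the PBKDF2 parameters are all assumptions chosen for illustration. Only the salted hash of a code is ever kept, so a copy of the store does not reveal any live code.

```python
"""Time-bound one-time activation codes, stored as salted hashes, with an
attempt limit that revokes the invitation. Added example, not Qwil
Messenger's code; store, limits and code format are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 10 * 60     # assumed activation window
MAX_ATTEMPTS = 5               # assumed failure limit before revocation
PBKDF2_ROUNDS = 100_000        # assumed work factor


@dataclass
class ActivationRecord:
    salt: bytes
    code_hash: bytes
    expires_at: float
    attempts: int = 0
    revoked: bool = False
    used: bool = False


def hash_code(code: str, salt: bytes) -> bytes:
    """Salted, iterated hash: the clear-text code is never stored."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


class ActivationStore:
    def __init__(self, now=time.time):
        self._now = now                 # injectable clock so expiry can be tested
        self._records = {}              # invitation id -> ActivationRecord

    def issue(self, invitation_id: str) -> str:
        """Create a code to send out of band (e.g. by SMS); keep only its hash."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        salt = secrets.token_bytes(16)
        self._records[invitation_id] = ActivationRecord(
            salt=salt,
            code_hash=hash_code(code, salt),
            expires_at=self._now() + CODE_TTL_SECONDS,
        )
        return code

    def activate(self, invitation_id: str, submitted: str) -> str:
        """Return one of: ok, used, revoked, expired, invalid, unknown."""
        rec = self._records.get(invitation_id)
        if rec is None:
            return "unknown"
        if rec.used:
            return "used"
        if rec.revoked:
            return "revoked"
        if self._now() > rec.expires_at:
            return "expired"
        rec.attempts += 1
        if hmac.compare_digest(hash_code(submitted, rec.salt), rec.code_hash):
            rec.used = True             # single use: a replayed code is rejected
            return "ok"
        if rec.attempts >= MAX_ATTEMPTS:
            rec.revoked = True          # invitation is dead; admin must re-provision
            return "revoked"
        return "invalid"


if __name__ == "__main__":
    store = ActivationStore()
    code = store.issue("invite-42")
    print(store.activate("invite-42", "000000"), store.activate("invite-42", code),
          store.activate("invite-42", code))
```

Comparing with hmac.compare_digest keeps the check constant-time, and counting the attempt before checking the hash means a partially typed guess still consumes one of the five tries.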
Customer conversational data for each user can be linked to their unique identifier at the customer organisation and can be deleted to meet data retention policies or other regulatory requirements. No data (chats or conversational data) can be deleted by any chat user or any logs modified.
Qwil Messenger disposes of all customer data, including any back-ups in its possession, upon termination of the contractual agreement. Our hosting providers are responsible for ensuring removal of data from disks allocated to Qwil Messenger’s use before they are repurposed.
Disaster recovery and business continuity
Qwil Messenger utilises services provided by our hosting provider(s) to distribute production data and environments across multiple separate physical locations. These locations are spread across several jurisdictions (subject to client data requirements), which protects our services from location-specific failures (power, environmental etc.). Production environments (and client data) are replicated among these discrete operating environments whilst staying encrypted, to protect the availability of Qwil Messenger.
Our identity and tenant services have been built with fault tolerance and high availability in mind, in line with the most stringent enterprise requirements. These include:
- Every component of the infrastructure has been engineered to include redundancy.
- Within each region’s Identity Service, all components are load balanced across multiple data centres, including servers, databases, cache, queues etc.
- The identity service also uses DNS load balancing across multiple regions around the world, and the application will usually access the closest geographical deployment.
- For any Tenant Service within a single region, all components are load balanced across multiple data centres, including servers, databases, cache, queues, etc.
- Excluding the limited stateful components (database, file storage, cache and queues), all other components are stateless and can be completely replaced via automated deployment with no disruption of service.
- Our databases are clustered, with failover across data centres using our robust partner cloud services. In addition, database snapshots are taken daily.
- Both managed and non-managed technologies are utilised to protect against DDoS attacks.
Qwil Messenger’s operational activities can be maintained remotely and accessed on alternative devices, respecting the access control policies in place. Non-critical activities, and personnel with no remote functions, are not necessary for the running of the day-to-day services.
At Qwil Messenger, security is a fundamental part of our DNA and is the foundation upon which we have built our customer proposition. Safeguarding user data is a critical responsibility we have to our customers. We work with the best cloud providers, using state of the art technology to fully utilise their global reach so that important business data always remains yours, and in the location you need it to be.
Whilst our user experiences are designed to mask much of the technical complexity so that chat works the way it should for the end user, you can rest assured that Qwil Messenger is a highly secure and compliant channel for your business.