Quantify IP is committed to data security and customer privacy. Quantify IP’s Cloud Services utilize a hosting provider
who shares this commitment. LiquidWeb hosts QIP’s Cloud Services website
as well as application software and data servers, as well as the Dashboard data server and website.
The scope of this page covers the Quantify IP Cloud Services applications, data, and the Dashboard.
Architecture
The Cloud Services website (ras.quantifyip.com), hosted by
LiquidWeb, provides a user interface with access to the Quantify IP
hosted applications, such as Portfolio Estimator, Portfolio Estimator Trademarks and the Dashboard. Each customer assigns an
internal administrative manager to create and maintain individual user accounts, thus controlling password protected access to the data.
If using one of these hosted applications, this site also becomes the gateway to retrieve reports produced within the PE applications.
Additionally, this login is used when uploading new data to the Dashboard from PE, whether from the cloud or desktop application.
The Application server(s) store the hosted PE applications, along with independent Access Databases containing the imported and/or
manually entered docketing data and custom user settings. These folders are under strict user level security, and are labeled using
a numeric coding system to maintain anonymity. Access to the information stored on these servers is only available to authorized users
for each company via the published applications and the report repository. End users do not have desktop access to these servers, and
reports can only be retrieved by downloading them from the Cloud Services portal.
This structure enables folder level security, allowing each company to control their own access using the Cloud Services website,
account administration. The Application server(s) are only available to authorized QIP Administrators for setup and maintenance.
The SQL Database server(s) are the backend SQL data storage for the Dashboard. When a user ‘Uploads’ data from the Portfolio Estimator
Reports/Dashboard menu, a unique, numerically named database is created or updated. The uploaded fields have been carefully selected to
minimize exposure, while not compromising reporting results. Besides authorized QIP administrators, only the customer’s Manager User
account defined on the Cloud Services website has permissions on that database, and authentication to these servers is necessary to
perform the ‘Upload’ function.
The Dashboard utilizes data uploaded from the Portfolio Estimator to the SQL Database server(s). This framework uses a dynamic link to each
company’s unique SQL database. These dashboards are labeled using an internally created numbering schema to maintain anonymity. As an extra
layer of protection, this frame/data is published and only accessible via the Cloud Services website for authorized users who are setup under
the primary company account.
Security Policies
In addition to those of our partners, Quantify IP maintains an internal Information Security Policy and Risk Assessment Policy.
The policies are updated and reviewed with employees on at least an annual basis.
LiquidWeb provides a SOC 2 SSAE 16 and SOC 3 reports. Certifications are available at
https://www.liquidweb.com/about-us/policies/certifications.
Partner Service Levels
LiquidWeb has an SLA for 100% network and power uptime. More information is available at
https://www.liquidweb.com/support.
Privacy
Quantify IP, along with our partners, are compliant with the EU General Data Protection Regulation.
Quantify IP Privacy Policy:
https://www.quantifyip.com/quantify-ip/legal/privacy-policy.aspx
Liquid Web Privacy Policy:
https://www.liquidweb.com/about-us/policies/privacy-policy
Access Control
Quantify IP grants access on a need to know basis of least privilege rules, reviews permissions quarterly, and revokes access
immediately after employee termination. Access to system and application components are limited to only those users whose job
requires such access.
Highly-sensitive duties and areas of responsibility are segregated to reduce opportunities for unauthorized modification, fraud,
or misuse of assets.
Multi-factor authentication is required for employee remote access to internal systems.
Hosting providers are restricted from access to Quantify IP data.
Vulnerability Testing
Vulnerability assessments, scans and penetration tests are performed by Quantify IP at least annually on both internal
and external networks and services.
LiquidWeb conducts quarterly internal vulnerability assessments and external network assessments. See Network Security at
https://www.liquidweb.com/wp-content/uploads/2018/05/Liquid-Web_SOC-3_Final.pdf.
A plan is in place to remediate all issues that were ranked Critical or High within 90 days.
Event and Communications Management
An Incident Management process is utilized to investigate and track identified and reported security issues to resolution.
A Change Management process ensures a review for potential security impacts when changes are made.
Internal Data Security
Internally, Quantify IP utilizes multilayered end point security as well as a firewall and SMTP and DNS filtering. A network
intrusion detection/prevention system and audit logging is in place, and detected issues enter into the Incident Management process.
All servers and workstations are backed up according to a specified schedule, and back up data is securely stored off-site.
Disaster recovery testing is conducted to ensure proper restoration.
Client data is encrypted in storage and transmitted to cloud services using industry-standard SSL/TLS encryption for data in transfer.
Remote users connect to Quantify IP resources using SSL/TLS and AES-256 encryption.
Critical security patches are evaluated and applied with one month of issuance.
Encryption keys are stored and managed in a central location, separate from the data it encrypts.
A data destruction and disposal program is in place to ensure data protection at the time of system retirement.
Physical Security
In addition to those of our hosting providers, Quantify IP maintains a documented internal physical security policy
that is approved by management and communicated to employees.