Welcome to Qount’s Trust Center. We build with privacy and security at the core. Explore our security practices and request access to compliance and security documentation.
Certifications
Trusted by
Documentation
Certifications
Privacy & Legal
Controls
Organizational Governance and Structure
The Board of Directors meets quarterly, at minimum, to provide oversight and guidance to Qount management, including organizational, internal control, and information security risk management strategies.
The Board of Directors includes members who operate independently from Qount management to provide guidance and help ensure business objectives are met.
Qount's leadership engages with a third-party advisor to help support the oversight of risk management and data security initiatives.
The Board of Directors' oversight responsibilities are defined, documented, and acknowledged by the Board on an annual basis.
Roles and Responsibilities
Qount has a formal organizational structure that defines reporting lines, segregation of duties, authorities and roles.
Qount maintains and communicates documented job descriptions that identify the skills and requirements for the position.
Qount management establishes performance goals to help ensure employees understand their responsibilities. Performance against these goals is evaluated annually.
Qount has formally assigned the role and responsibilities for oversight of information security and risk management.
Hiring and Onboarding
Qount has a formal candidate screening and hiring process to help ensure hiring is performed according to Company hiring standards and job requirements.
Background checks are performed on employees prior to onboarding.
Employee Training and Development
Qount provides information security training to employees upon hire and annually thereafter.
Policies and Procedures
Qount establishes control activities through the information security policy, including acceptable use, that employees are required to acknowledge upon hire and are continuously available to all employees. The policies are reviewed and approved by management on an annual basis.
Qount defines data classification and data handling practices within their Information Security and Data Protection Policy.
Qount employees acknowledge the Employee Handbook upon hire. The handbook includes the code of conduct and sanctions for policy violations.
Internal Communications
Qount's CEO meets weekly with each department head to review key organizational metrics and evaluate whether service commitments and system requirements are being met.
The Security team meets throughout the week to review security events and the status of ongoing initiatives.
The Cybersecurity Steering Committee meets on a monthly basis.
Control implemented November 2025
Qount maintains network and architecture diagrams to help accurately communicate system components and the flow of data across the system components.
External Communications
Qount maintains a ticketing system to track and prioritize inbound customer communications through resolution.
Qount provides system users with contact information to report matters affecting security concerns within their publicly-posted Privacy Policy.
Qount's Terms of Service define the responsibilities of Qount and their customers as it relates to the protection of data and the availability of the platform.
Qount maintains a publicly-available status webpage to communicate uptime issues and security incidents.
Risk Assessment
Qount has a Risk Management Program to help manage, monitor, and mitigate information security, confidentiality and availability risks.
Qount performs a risk assessment on an annual basis to help identify information security-related risks, including the risk of fraud. Identified risks are logged in a risk register, and risk mitigation actions are assigned and tracked to completion.
Internal Control Monitoring
Qount assigns internal control responsibilities to control owners within their GRC platform.
Penetration Testing and Third-Party Assessments
Qount contracts with an independent third-party to perform penetration tests annually. Test results are reviewed and high-risk findings are tracked through remediation.
User Access Management
AWS Root User activity is logged for awareness and accountability.
MFA is enforced for AWS Root User log in.
Users are required to authenticate to the VPN prior to access Qount's AWS production environment.
Qount restricts access, including administrative access, to production systems to authorized personnel based on the principle of least privilege.
Qount enforces minimum password length, password complexity, and multi-actor authentication (MFA) for user log in to production systems.
Qount performs an independent review of user access to production systems based on job duties annually, at minimum. Users are removed accordingly and removal is documented in the ticketing system.
Qount has a formal employee offboarding process and system access is removed within two business days of termination. As part of the offboarding process, the terminated employee's devices are (wiped and/or locked).
Qount has a formal user provisioning process to help ensure production system access is restricted to authorized users. User provisioning requires approvals from system owners.
Data Storage and Encryption
Object storage buckets housing customer data are configured to not allow public access.
Databases and object storage buckets housing sensitive customer data are encrypted at rest, including backups.
Qount stores database encryption keys within KMS and access is restricted to authorized users.
Data Retention and Disposal
Qount has a documented policy and procedure for the retention and disposal of data.
Perimeter Security
Qount deploys non-internet facing resources in private subnets. Private resources are behind a NAT gateway.
A web application firewall is in place to help prevent unauthorized access threats from outside of Qount's production environment.
Qount configures security groups to restrict access to production environment resources to authorized traffic.
Transmission of Information
Qount enforces encrypted data connections from Qount's document management service to customers' local storage drives and customer workstations.
Qount enforces encrypted data connections from web browsers to the web application to help ensure data is secured over public networks.
Workstation Security
Qount enforces antivirus on company workstations. Definition updates are automatically pushed to the workstations.
Qount uses an MDM to manage and enforce security policies on company workstations, including encryption, OS updates, lockout, password parameters, and MFA.
Security Monitoring
Antivirus is installed on virtual machines running Windows operating systems to help protect against viruses and malicious software.
Qount has configured a SIEM tool to aggregate event logs from production monitoring tools and alert the Security team.
Qount has enabled S3 access logs to log access requests made to S3 buckets storing customer data.
Qount has enabled VPC flow logs to log production network traffic to and from the VPC and to help detect unusual or anomalous activities.
Qount has configured their cloud infrastructure to log and retain account activity related to user actions throughout the production environment. Buckets storing cloud infrastructure logs are stored encrypted and access to logs is restricted to those who require access to perform their job duties.
Qount uses infrastructure monitoring and threat detection tools to monitor the production environment for potentially anomalous or malicious activity. The monitoring tools are integrated with Qount's SIEM tool for analysis and alerting.
Qount scans container images for vulnerabilities each time a new image is sent to the container registry. Identified critical and high-risk vulnerabilities are logged and tracked through remediation.
Performance Monitoring
Autoscaling has been configured for critical production resources.
Qount uses a system capacity and performance monitoring tool that alerts the Security team of high-risk events. Events requiring remediation are logged and tracked through resolution.
Qount uses web application performance and availability monitoring tools to help ensure awareness of service uptime. Uptime alerts are sent to the DevOps team for review and remediation.
Incident Response
Qount has a formal process for employees to report identified or suspected security incidents, including fraud or data breaches.
Qount has Incident Response Policies and Procedures that include an escalation plan based on the nature and severity of the incident.
Qount performs a root cause analysis and reviews lessons learned for security-related incidents.
Security incidents are documented in a ticketing system, resolved in a timely manner, and resolution is communicated to the appropriate internal and external parties.
Qount performs and documents a test of their Incident Response Plan at least annually.
Change Management
Qount maintains separate development and production environments.
Code changes, including emergency changes, are systematically required to be peer-reviewed and approved by authorized reviewers prior to merging code into the main branch.
Code changes, including emergency changes, are systematically configured to undergo vulnerability scanning, dependency scanning, and static application security testing prior to release to production.
The Testing team tests the functionality of new features prior to new code being deployed to production.
Deployment of application and infrastructure changes to the production environment is restricted to authorized employees.
Production data is not used outside the production environment.
Qount has documented software development lifecycle procedures that address segregation of duties and secure coding practices.
Data Backup and Restoration
Object storage buckets storing customer data are versioned.
Qount has configured their production databases with daily automated daily backups or shapshots, and backups are retained based on business need.
Qount performs backup restoration testing for databases, object storage, and configuration files annually.
Critical production resources are replicated across Availability Zones to help ensure failover capabilities.
Failover testing is performed annually to help ensure Qount is prepared in the event of a scenario requiring failover.
Disaster Recovery and Business Continuity
Qount has a Disaster Recovery and Business Continuity Plan.
Qount tests their Disaster Recovery and Business Continuity Plan on an annual basis. Testing includes scenarios related to information system recovery and the continuity of business operations.
Qount has a cybersecurity insurance policy to help mitigate the potential impact of cyber-related disruption to the business.
Vendor Management
Qount has a formal vendor management program to help define and assess vendor risk, implement controls to mitigate vendor-related risks, and mange vendor relationships.
Qount performs due diligence activities over high-risk vendors prior to contract execution and on an annual basis thereafter. Due diligence activities include the documented review of third-party attestation reports.
Agreements are established with high-risk vendors and contractors that include clearly defined terms, conditions, and responsibilities related to information security.
Documentation
Certifications
Privacy & Legal
No subprocessors available
No updates available

