Keeping customer data private and secure has never been more important. At Quantum Metric, we take this responsibility very seriously. We provide three capture options that occur on your customers’ devices, at the point of capture.
As an enterprise service provider, Quantum Metric understands that the security of the user data collected, and stored, by our customers is of paramount importance, and we take this responsibility very seriously. As such, at the initial point of capture, we provide three secure options for data collection that all occur on the end user’s device. These are Capture, Do Not Capture, or Encrypt.
For the vast majority of public web pages or mobile app views, the data we capture is not sensitive in any nature. For example, this could be a product details page or a simple keyword search. For all of these data fields, Quantum uses a strong RSA 2048-bit public/private key encryption, coupled with AES256 symmetric key encryption, and forward secrecy TLS session, to protect all such customer data input within the customer’s browser. All data that is captured using this method is then transferred, fully encrypted, to Quantum Metric’s cloud service, and hosted in a secure Google Compute cloud environment.
Due to the nature of e-commerce, there may be situations where sensitive customer data is inputed, or displayed on a particular webpage. This data could be Personally Identifiable Information (PII) such as social security numbers, or PCI DSS classified data such as credit card numbers. Due to the extreme sensitivity of this type of data, we make sure to never capture it in the first place. Therefore, by default out-of-the-box, Quantum Metric automatically blocks the capture of any sensitive data, such as passwords, credit cards and CVV2 fields on any of your digital platforms. Moreover, we work closely with your team to make sure that any additional content you wish not to be captured, is configured to be ignored by the Quantum Metric parser, and is never transmitted to Quantum Metric’s servers.
There may also be some occurrences where PII needs to be captured for valid business reasons. Examples could be a customer’s name or contact details. To protect such identifiable data from any exposure, and to also assist our customers to stay compliant with GDPR and CCPA, Quantum Metric employs Pseudonymization (a technique recommended by GDPR), to separate any PII data that can be used to re-identify a user, from any analytical data collected. In doing so, whilst collecting PII, Quantum Metric is able to analyze aggregate data that has been successfully disassociated from individual user’s identities. This PII data is then separately encrypted, using a strong public/private key pair encryption unique to you, before being transmitted to Quantum Metric’s servers. Moreover only you own and use the private key to decrypt this sensitive data, if ever needed in the future. Quantum Metric has no ability to ever decrypt this data for any reason.
Quantum Metric always supports the latest recommended secure cypher suites and protocols, to fully encrypt all customer traffic in transit. Once any data is captured and encrypted, it is transferred via a forward secrecy SSL/TLS connection, to Quantum Metric’s cloud service, which is securely hosted in Google’s world-class cloud environment.
Customer data is isolated and stored in a separate Google Cloud Platform (GCP) Project for every customer. Google uses the Advanced Encryption Standard (AES256) algorithm to encrypt all data at rest, within their GCP environment and in the region closest to your location. For detailed information about Google’s security, please visit https://cloud.google.com/security. No third-parties (Google and other providers/vendors) have any level of access to customers’ data.
Read how we protect your customer data and ensure you’re compliant with GDPR and CCPA.
Get the white paper
We take a layered and automated approach to all data capture, continuously monitoring raw data ingested into our system. For any unintended PII that might come across the wire (for instance, due to changes on the customer’s website or native app), we also proactively scan data, and apply advanced Data Loss Prevention (DLP) algorithms to detect possible occurrences of PII.
These findings can then be reviewed right from the Quantum Metric user interface, so that they can promptly remediate any unintended misconfiguration on their site and work with us to remove it from our systems. This can be considered a form of ‘PII Loss Prevention’ for your subscription.
So by either fully blocking, or encrypting PII before it ever leaves any end user’s device, as well as proactively detecting any outlier PII data that may have been inadvertently captured, Quantum Metric works to ensure that unintended/unencrypted PII is never being captured by the platform.
Access to customer data within our analytics platform can be restricted via a Single-Sign-On solution, such as OpenID and SAML 2.0, to ensure that only specific team members have the ability to securely view user data. In addition, we have audit policies in place, to make sure that all attempts to access any customer data are vetted and logged. Additionally, when our Privacy Audit feature is turned on, each decryption of any data is audit logged, including the user, session, time, and reason for re-identification. Also, only Quantum Metric clients authorized to use their own decryption key will be able to view any encrypted portions of customer data, and each session’s symmetric encryption key is unique, ensuring authorized users may decrypt only a single session at a time.
Our unique Quantum Metric Teams functionality functionality provides strict role-based permissions to simplify user & group management within the analytics platform. It also ensures full control over any sensitive data, as well as regulatory compliance with GDPR, CCPA and other privacy/security laws.
As noted above, Quantum Metric manages an extensive set of IT security controls and policies, taking stringent measures to ensure the security of all data. Quantum Metric regularly conducts and maintains independent verification of security and privacy controls of our internal products and services. This is performed by respected auditing firms, to ensure the company is meeting its strict compliance obligations, and achieving SOC 2 Type II attestation, being fully ISO/IEC 27001 certified, as well as strict compliance with global privacy standards such as GDPR and CCPA. Because Quantum Metric takes stringent measures to avoid receiving PII from its customers, the data Quantum Metric processes on behalf of its customers, allows them to maintain their own compliance with PCI, HIPAA, GLBA or similar laws regulating PII.
If you have found a security bug or vulnerability in Quantum Metric and want to report it to us, please email [email protected].
© Quantum Metric, Inc. All rights reserved.