Missed Quantum LEAP '24?

Register for on-demand access to all the groundbreaking ideas and transformative insights shared by our leading speakers!

How we keep customer data secure.

Keeping customer data private and secure has never been more important. At Quantum Metric, we take this responsibility very seriously. We provide three capture options that occur on your customers’ devices, at the point of capture.

Data capture

As an enterprise service provider, Quantum Metric understands that the security of the user data collected, and stored, by our customers is of paramount importance, and we take this responsibility very seriously. As such, at the initial point of capture, we provide three secure options for data collection that all occur on the end user’s device. These are Capture, Do Not Capture, or Encrypt.

Capture

For the vast majority of public web pages or mobile app views, the data we capture is not sensitive in any nature. For example, this could be a product details page or a simple keyword search. For all of these data fields, Quantum uses a strong RSA 2048-bit public/private key encryption, coupled with AES256 symmetric key encryption, and forward secrecy TLS session, to protect all such customer data input within the customer’s browser. All data that is captured using this method is then transferred, fully encrypted, to Quantum Metric’s cloud service, and hosted in a secure Google Compute cloud environment.

Do not capture

Due to the nature of e-commerce, there may be situations where sensitive customer data is inputed, or displayed on a particular webpage. This data could be Personally Identifiable Information (PII) such as social security numbers, or PCI DSS classified data such as credit card numbers. Due to the extreme sensitivity of this type of data, we make sure to never capture it in the first place. Therefore, by default out-of-the-box, Quantum Metric automatically blocks the capture of any sensitive data, such as passwords, credit cards and CVV2 fields on any of your digital platforms. Moreover, we work closely with your team to make sure that any additional content you wish not to be captured, is configured to be ignored by the Quantum Metric parser, and is never transmitted to Quantum Metric’s servers.

Encrypt

There may also be some occurrences where PII needs to be captured for valid business reasons. Examples could be a customer’s name or contact details. To protect such identifiable data from any exposure, and to also assist our customers to stay compliant with GDPR and CCPA, Quantum Metric employs Pseudonymization (a technique recommended by GDPR), to separate any PII data that can be used to re-identify a user, from any analytical data collected. In doing so, whilst collecting PII, Quantum Metric is able to analyze aggregate data that has been successfully disassociated from individual user’s identities. This PII data is then separately encrypted, using a strong public/private key pair encryption unique to you, before being transmitted to Quantum Metric’s servers. Moreover only you own and use the private key to decrypt this sensitive data, if ever needed in the future. Quantum Metric has no ability to ever decrypt this data for any reason.

Data in flight and at rest.

Data in flight

Quantum Metric always supports the latest recommended secure cypher suites and protocols, to fully encrypt all customer traffic in transit. Once any data is captured and encrypted, it is transferred via a forward secrecy SSL/TLS connection, to Quantum Metric’s cloud service, which is securely hosted in Google’s world-class cloud environment.

Data at rest

Customer data is isolated and stored in a separate Google Cloud Platform (GCP) Project for every customer. Google uses the Advanced Encryption Standard (AES256) algorithm to encrypt all data at rest, within their GCP environment and in the region closest to your location. For detailed information about Google’s security, please visit https://cloud.google.com/security. No third-parties (Google and other providers/vendors) have any level of access to customers’ data.

Our encryption process.

Step one

Sensitive data is encrypted on your customers' devices.

Encrypted on device before transmission — RSA 2048 + AES 256 encryption

Step two

Data is sent encrypted.

Encrypted in flight — SSL (TLS 1.2+)

Step three

Data is stored encrypted.

Fully encrypted at rest — Additional AES256 encryption layer

Read how we protect your customer data and ensure you’re compliant with GDPR and CCPA.

AutoPII

SSO & RBAC

Single sign-on (SSO)

Access to customer data within our analytics platform can be restricted via a Single-Sign-On solution, such as OpenID and SAML 2.0, to ensure that only specific team members have the ability to securely view user data. In addition, we have audit policies in place, to make sure that all attempts to access any customer data are vetted and logged. Additionally, when our Privacy Audit feature is turned on, each decryption of any data is audit logged, including the user, session, time, and reason for re-identification. Also, only Quantum Metric clients authorized to use their own decryption key will be able to view any encrypted portions of customer data, and each session’s symmetric encryption key is unique, ensuring authorized users may decrypt only a single session at a time.

Role-based access control (RBAC)

Our unique Quantum Metric Teams functionality functionality provides strict role-based permissions to simplify user & group management within the analytics platform. It also ensures full control over any sensitive data, as well as regulatory compliance with GDPR, CCPA and other privacy/security laws.

Industry Certifications

As noted above, Quantum Metric manages an extensive set of IT security controls and policies, taking stringent measures to ensure the security of all data. Quantum Metric regularly conducts and maintains independent verification of security and privacy controls of our internal products and services. This is performed by respected auditing firms, to ensure the company is meeting its strict compliance obligations, and achieving SOC 2 Type II attestation, being fully ISO/IEC 27001 certified, as well as strict compliance with global privacy standards such as GDPR and CCPA. Because Quantum Metric takes stringent measures to avoid receiving PII from its customers, the data Quantum Metric processes on behalf of its customers, allows them to maintain their own compliance with PCI, HIPAA, GLBA or similar laws regulating PII.

See Continuous Product Design in action.

If you have found a security bug or vulnerability in Quantum Metric and want to report it to us, please email [email protected].