Security of Customer Data

At Qualaroo, we treat the issue of security and confidentiality seriously.  

The Qualaroo Customer database and the Qualaroo Customer Dashboard Web Application are hosted in the Amazon Web Services (AWS) EC2 cloud.  The virtual servers allocated to Qualaroo are physically located in several Availability Zones in the Virginia Region of EC2.

Qualaroo also utilizes the AWS CloudFront (a CDN), which brings content closer to users.

Like any modern multi-tenant cloud services provider, Qualaroo uses a uniform database system to store all customers’ information and reporting data.  Through extensive testing of our software, we strive to eliminate any possibility of co-mingling customer data.  Since each customer has a unique ID in our database, their information is separated from that of others.

For user registration and login, Qualaroo uses a one-way hash to encrypt passwords in the user database.  The advantage of a one-way hash is that Qualaroo never needs to decrypt passwords created by our users.  Qualaroo also provides robust password reset capability.

All web accesses to the Qualaroo Customer dashboard are via SSL (HTTPS).  This ensures that all the configuration and reporting data will be accessible only by the authorized parties.

JavaScript files are generated dynamically by Qualaroo servers for every customer and are stored in an Amazon S3 Bucket.  The files’ S3 permissions settings allow only the owner of the account (Qualaroo) to update them.  This protects against a possibility of forgery by a malicious third party.  The files can be uploaded only with Qualaroo’s own AWS credentials.

The Qualaroo JavaScript application is written from ground up in pure JavaScript code.  It does not use any JavaScript frameworks or any third-party JavaScript scripts.  It was architected with many best practices as design principles, including modularity and isolation.

Specifically, the Qualaroo JavaScript uses strong namespace boundary encapsulation.  This hardens Qualaroo’s end-user client application by mutually isolating it from all other code that may be executing on customers’ web pages.  In addition, great care is taken at the architecture level to minimize the possibility of “CSS bleeds” (sloppy stylesheets on websites).

The Qualaroo JavaScript placed on Customer web pages has access only to the information that it is available to regular site visitors or users.  As the users interact with the Qualaroo Nudge units, their responses are sent to the Amazon Web Services S3 Bucket, apportioned to Qualaroo.  If a given page is HTTPS, then responses are sent to AWS S3 via HTTPS as well.

The Qualaroo JavaScript uses “first-party” cookies in order to manage the information about the Customers’ sites visitors.  This information pertains only to the capabilities provided by Qualaroo (e.g., “show the nudge to logged in users on their second visit to the site and after browsing at least two pages”).  The “first-party” cookies is the preferred mechanism (vs., say, “third-party” cookies), since it assures the users that all the content came from the Customer.  In order to provide such valuable tools to our customers as the Satisfaction Score, the Qualaroo cookies have a very long expiration period, allowing data refinement over time.

Thanks in large part to these provisions, thousands of customers rely on Qualaroo for gaining insights about their users in a trustworthy manner and helping them act upon these insights.