Security of Customer Data in Qualaroo

At Qualaroo, we treat the issue of security and confidentiality seriously.  

The Qualaroo Customer database and the Qualaroo Customer Dashboard Web Application are hosted on the Amazon Web Services (AWS) EC2 cloud. The virtual servers allocated to Qualaroo are physically located in several Availability Zones in the Virginia Region of EC2.

Qualaroo also utilizes the AWS CloudFront (a CDN), which brings content closer to users.

Qualaroo uses a uniform database system to store all customers’ information and reporting data like any modern multi-tenant cloud service provider.  Through extensive software testing, we strive to eliminate any possibility of co-mingling customer data.  Since each customer has a unique ID in our database, their information is separated from that of others.

Qualaroo uses a one-way hash to encrypt passwords in the user database for user registration and login. The advantage of a one-way hash is that Qualaroo never needs to decrypt passwords created by our users. Qualaroo also provides a robust password reset capability.

All web access to the Qualaroo Customer dashboard is via SSL (HTTPS). This ensures that all the configuration and reporting data will be accessible only by authorized parties.

JavaScript files are generated dynamically by Qualaroo servers for every customer and are stored in an Amazon S3 Bucket. The files’ S3 permissions settings allow only the owner of the account (Qualaroo) to update them. This protects against the possibility of forgery by a malicious third party. The files can be uploaded only with Qualaroo’s own AWS credentials.

The Qualaroo JavaScript application is written from the ground up in pure JavaScript code. It does not use any JavaScript frameworks or any third-party JavaScript scripts.  

It was architectured with many best practices, including modularity and isolation, such as design principles.

Specifically, the Qualaroo JavaScript uses strong namespace boundary encapsulation. This hardens Qualaroo’s end-user client application by mutually isolating it from all other code that may be executed on customers’ web pages.  In addition, great care is taken at the architecture level to minimize the possibility of “CSS bleeds” (sloppy stylesheets on websites).

The Qualaroo JavaScript placed on Customer web pages has access only to the information available to regular site visitors or users. As the users interact with the Qualaroo Nudge units, their responses are sent to the Amazon Web Services S3 Bucket, apportioned to Qualaroo. If a given page is HTTPS, then responses are sent to AWS S3 via HTTPS as well.

The Qualaroo JavaScript uses “first-party” cookies to manage the information about the Customers’ site visitors. This information pertains only to the capabilities provided by Qualaroo (e.g., “ showing the nudge to logged-in users on their second visit to the site and after browsing at least two pages”).  The “first-party” cookies are the preferred mechanism (vs., say, “third-party” cookies) since they assure the users that all the content comes from the Customer.  

To provide such valuable tools to our customers as the Satisfaction Score, the Qualaroo cookies have a very long expiration period, allowing data refinement over time.

Thanks in large part to these provisions, thousands of customers rely on Qualaroo for gaining insights about their users in a trustworthy manner and helping them act upon these insights.