Security
Last updated: March 2026
Introduction
QFacts is a web application that provides quality professionals with all the tools they need to manage the quality processes in their organizations. The application is built by QFacts BV (hereafter referred to as “QFacts”), a company located in Belgium, Decosterstraat 23, 3545 Halen with VAT number 1007.864.939.
In this security policy, we clarify how QFacts guarantees the quality and security of information and prevents its unauthorized use. Below, we explain our technical and operational principles.
1. Roles and permissions
At the organizational level, there are 2 groups of users in QFacts. Organization admins can invite new users to an organization, add or alter roles, and edit organizational settings:
- Create a team
- Invite team members to the team
Users that are not registered as organizational admins do not have the aforementioned functionality. To perform actions in QFacts, a user has to be connected to at least one organization.
At the quality management level, there are different roles with their own responsibilities, access rights and authorizations:
Operator
Can view documents and trainings and download them but cannot alter or create any content.
Action Owner
Has more access than the operator and can create changes to investigations, CAPA plans, events and documents and submit them for approval.
QA
Can do everything an action owner can and can also approve the approval requests submitted by other users.
2. Infrastructure
QFacts is fully hosted by Google Cloud Platform, a recognized and publicly traded company with ISO27001:2013 certification. This certificate is the result of an extensive external audit in the field of security management and offers the most far-reaching guarantees regarding the security of the hosting environment.
Google Cloud Platform guarantees 99.9% uptime according to the Service Level Agreement (SLA).
Infrastructure components
- App Engine — servers for back-end and front-end applications
- Cloud SQL — secure database for data storage. All data is stored on European territory.
- IAM authorization — lets administrators authorize who can take action on specific resources
- Cloud Scheduler — allows scheduling of tasks
- BigQuery — database for data analysis on an anonymous basis
Recovery
RPO (Recovery Point Objective): 24 hours. Achieved through automated daily backups of the Cloud SQL database and blob storage.
Third-party platforms
- Intercom — marketing, communication, onboarding and support
- Sendgrid — reliable handling of email shipments
- Google Analytics — statistics related to use of the application
- Stripe — payment and billing
3. Access management
All access control is limited to what is necessary to guarantee the continuity of QFacts as a web application.
Environments
Via strictly separated environments for staging and production, we ensure that code transmission happens in a controlled manner and only after authorization. These separated environments also reduce the risk of unauthorized access to the production environment.
Databases
Access to databases with personal data is only granted on a “need to know” / “need to use” basis. All personnel with access are bound to confidentiality. Access lists are frequently checked and reviewed. Access is removed within 1 working day after an employee has left QFacts.
Identity and Access Management (IAM)
We use Google IAM for access control of Google Cloud Platform accounts:
- Product manager: can add users to Google Cloud Platform and GitHub.
- Lead back-end engineer: has access to infrastructure configuration and full access to the staging environment. Only accesses production when necessary for specific support items.
- Development team: has access to the staging database, no access to the production environment.
4. Technology
QFacts works exclusively with Panenco BV (hereafter “Panenco”) for technical and development services. Panenco is a professional service provider with ISO27001:2013 certification, guaranteeing the highest standards in operational and technical security.
The technology behind QFacts consists of:
- PostgreSQL database
- React front-end application
- Node.js back-end application (REST API driven), with API endpoints secured via stateless authorization (JWT)
Assessment frameworks and procedures:
- Cypress.io for automated end-to-end testing
- Sentry.io for recording error messages
- The development team builds and tests new functions; the product manager and QFacts product team approve before deployment to production.
5. Application protection
The security of the application is realized as follows:
Secure Connection
Secure connection from Google Cloud Platform (server of the API).
Encryption
Google Cloud uses several layers of encryption. Databases and file storage are encrypted using AES256 by default. All user passwords are hashed.
Transmission Control
Secure SSL connection is handled by Google Cloud Platform.
Confidentiality
All personal information is protected by a personal user account and a combination of email and password.
Pseudonymization
App data is not pseudonymized.
Evaluation
As part of ISO27001:2013 certification, all security principles are reviewed at least annually.
6. Physical protection
QFacts and Panenco have implemented physical security measures suitable for the level of risk resulting from the kind of information stored and activities performed at their offices.
Offices are located in buildings where access is restricted to authorized personnel. Visitors are accompanied in all non-public areas and are never left unsupervised. We never keep physical copies of personal data.
All employees of QFacts, and where applicable contractors, receive adequate education and training and frequent updates about the policy and procedures relevant for their function.
7. Contact
If you have questions, please contact us by emailing info@qfacts.com. QFacts reserves the right to amend this policy document over time and commits to notifying its users in a suitable manner. Changes come into effect after publication.
QFacts BV
Decosterstraat 23
3545 Halen, Belgium
Registered in CBE under number 1007.864.939
