QFieldCloud Security Specifications
Last updated: February 3, 2024
Making the security of your data a top priority is integral to our commitment at QFieldCloud. We understand that trusting an external entity with your data is a significant decision.
Overview of Security Measures
The QFieldCloud service is protected by security measures on several levels. These include hardening the infrastructure with a firewall and an intrusion detection system, as well as regular backups, monitoring, encryption, and following best practices for developing and deploying the system.
Encryption
All communication with QFieldCloud is encrypted via SSL / HTTPS.
Access Control
The service uses Role-Based Access Control. Users need to authenticate with a username and password or a token. Authorization is managed based on organization, team and user configuration.
Incident Response and Monitoring
We are constantly monitoring our services and receive alerts whenever something unexpected happens. This allows us to react quickly and efficiently.
When incidents are detected, we keep our users informed about the status via status.qfield.cloud and provide follow-up analysis on incidents.
Data Backup and Recovery
All data stored within QFieldCloud is regularly backed up in a different location. Some of the data is replicated in real time; other parts are backed up on a regular schedule, which guarantees that no data older than 12 hours is without a backup.
Payment
Payments are handled by Stripe, a certified PCI Service Provider Level 1.
We do not store any credit card information; we only store identifiers that reference Stripe data.
Compliance
QFieldCloud is compliant with relevant data protection laws and regulations; for more detail consult the legal & compliance page.
Data is processed in data centers within Switzerland, operated by Exoscale and flow.swiss. All data centers are ISO 27001 certified.
Software Development Security
Security is a fundamental subject throughout the development of QFieldCloud. Each code change is reviewed thoroughly before being integrated into a release. We also maintain a comprehensive suite of tests which is continuously run on the code base.
Third-Party Security
- Stripe is used for payment processing. The connection to Stripe is encrypted and authenticated. All errors during payment failures are stored by Stripe for detailed logging. All sensitive information like tokens is removed before transmission.
- Sentry is integrated for performance and error monitoring. User identifiers as well as error messages are attached to errors. The connection to Sentry is encrypted and authenticated. All sensitive information such as tokens and passwords is removed before any data is sent to Sentry.
Contact Information
If you need to get in touch with the team for critical security purposes, please reach out to security@qfield.org.
Updates and Revision History
We are committed to continuing to improve and document security and will keep this information updated as the security of QFieldCloud evolves over time.
- 3.2.2024 - Initial version