AQMetrics Security Trust Centre

Our Commitment to Security and Trust

At AQMetrics, protecting client data and ensuring the resilience of our platform are fundamental to our operations. Our Information Security Management System (ISMS) and Cyber Resilience Strategy are embedded across the organisation to safeguard the confidentiality, integrity, and availability of information.

We believe effective security combines robust technical controls with strong governance, well-defined processes, and a culture of security awareness across our teams.

Security Highlights

• ISO/IEC 27001:2022 Certified
• GDPR Compliant
• DORA-aligned operational resilience framework
• Encryption of data in transit and at rest
• Regular independent penetration testing
• Continuous vulnerability monitoring

Compliance and Certifications

ISO/IEC 27001:2022 Certification

AQMetrics is certified to ISO/IEC 27001:2022, the international standard for information security management. This certification confirms that we have established, implemented, maintained, and continually improved a comprehensive Information Security Management System.

Scope of Certification The certification covers the management of information security in relation to:

• Platform hosting
• Software development and engineering
• Infrastructure and operational management
• Customer support services

Statement of Applicability Our security framework includes controls across 37 key security domains, covering organisational, technical, and physical security measures.

Information Security Program

Our information security program is supported by clearly defined policies, procedures, and controls designed to protect all organisational assets and customer data. We employ a defense-in-depth strategy, ensuring that security is layered across our infrastructure, applications, and operational processes. These policies are regularly reviewed to adapt to the evolving threat landscape and regulatory requirements.

Data Handling and Privacy

We implement strict controls to ensure client data is securely managed throughout its lifecycle. Key policies include:

• Client Data Handling Policy: Governing the secure collection, access, processing, and disposal of customer data.
• Data Processing Addendum (DPA): Outlining AQMetrics’ role as a processor or sub-processor of personal data under GDPR.
• Encryption Policy: Defining standards for encryption algorithms, key management, and secure communications across AQMetrics systems.
• Data Retention Policy: Specifying retention periods and secure destruction procedures for data.
• Acceptable Usage Policy: Defining responsible use of company IT systems and information assets.

Access Control and Identity Management

Access to systems and data is tightly controlled through structured identity and access management processes. Key controls include:

• Access Control Policy: Covering identity management and permissions across the employee lifecycle (joiners, movers, and leavers).
• Password Policy: Enforcing strong authentication standards and the use of approved corporate password management tools.

System and Application Security

Security is integrated throughout the development and operation of the AQMetrics platform. Our controls include:

• Secure Software Development Policy: Ensuring secure coding standards and development practices.
• Vulnerability Management Policy: Governing vulnerability monitoring, patching, and remediation.
• Penetration Testing: Regular independent penetration testing of the AQMetrics cloud service.
• Asset Management Policy: Covering the lifecycle management of all physical, virtual, and information assets.
• Asset Disposal: Secure asset disposal procedures for storage media and technology equipment.

Risk Management and Operational Resilience

AQMetrics operates a proactive risk management framework designed to identify, assess, and mitigate operational and cybersecurity risks. Our resilience framework includes:

• Risk Management Policy: Supported by a dedicated risk management platform.
• Incident Response Plan: Defining procedures for identifying, managing, and communicating security incidents.
• Ransomware Response Procedures: For handling crypto-locker or ransomware threats.
• Business Continuity Plan (BCP): Ensuring critical services remain operational during disruptions, validated through regular tabletop exercises.
• Third-Party Risk Management Policy: Governing the selection and oversight of vendors and cloud service providers, aligned with the EU Digital Operational Resilience Act (DORA).

Physical and Operational Security

AQMetrics maintains strong physical and operational security controls across all working environments. These include:

• Physical Security Policy: Covering facility access control, intrusion detection, and hardware protection.
• Remote Working Security Policy: Ensuring secure practices for distributed and hybrid work environments.
• Clean Desk Policy: Requiring sensitive information to be securely stored or disposed of when workstations are unattended.

Our Commitment

AQMetrics is fully committed to protecting customer information through strong security practices and continuous improvement.

Our ISO 27001-certified Information Security Management System, strict adherence to GDPR, and alignment with DORA’s digital resilience requirements ensure that we maintain the highest standards of data protection, operational resilience, and regulatory compliance.

Further Information

Further details about our security controls, certifications, and regulatory compliance documentation are available upon request.

For security-related enquiries or to report a vulnerability, please contact: security@dev2.qikweb.com