Information security is critically important to Quip. Our mission is to treat all the information stored on our systems, regardless of customer, user, or use case, as equally important and extremely sensitive. The entire success of our company is based on the trust that we establish as guardians of our customers' data.
- Two-factor login is required for all employees (engineering and otherwise).
- Personalized SSH keys are required for each employee for production access.
- Access to production servers is limited to engineers who have a direct need to work with our production systems (i.e. on-call engineers and the “Production Root” team).
- All pushes of code and configuration are published to the engineering team and audited by the “Production Root” team.
- Firewall and networking configurations are reviewed quarterly and on an ongoing basis by the “Production Root” team.
- All network access to production servers is strictly limited to the minimum necessary ports (HTTP, HTTPS, SSH).
Laptop / Workstation Configuration Policy
- Quip source code, data, configuration information, or any other assets will be stored only on computers that are owned and managed by Quip and provided to the employee.
- Exception: Accessing Quip content via a web browser, using generally accessible Quip tools or data views via a web browser, and installing the Quip native client on personal computers or mobile devices are explicitly approved.
- Engineers who have access to Quip source code and store it on their computers must use the full-disk encryption built into their operating system, e.g. FileVault on macOS.
- Employees should set their web browsers to automatically update to the most recent version and install OS security patches within two (2) weeks of their general release, to increase security and prevent attacks against their computers.
- Quip management will issue a general reminder of these policies once a quarter to all employees, along with instructions to perform a self-check for compliance.
Terms, from Quip Business Customer Agreement: We will use, at a minimum, industry-standard technical and organizational security measures to transfer, store, and process customer data. These measures are designed to protect the integrity of customer data and guard against unauthorized or unlawful access to, use, and processing of customer data.
Tools: Internally, all tools used by engineers and support staff will automatically redact or hide all sensitive customer data by default.
All customer data must be encrypted in transit when it leaves Quip's servers.
Whenever possible, we build our engineering tools so that Quip employees are never exposed to customer data while working on production issues. As part of our company culture, we take great pains to never see or interact with customer data.
If it ever becomes necessary to interact with customer data to debug a production or customer issue, we will ask permission of the customer first before viewing any data.
- The only exception to this rule is an unresolved security problem or system outage that cannot be addressed without viewing customer data. These exceptions must be approved by management before proceeding if at all possible, or within 24 hours post-facto if contact cannot be made in a reasonable timeframe and the issue is still ongoing.
- Recording customer permission/management approval:
  - All unredactions of customer data are automatically logged.
  - If the unredaction originated from a customer request in Zendesk, and the Zendesk ticket contains the evidence of customer permission for unredaction, that is sufficient documentation.
  - If the unredaction originated from a customer request outside of Zendesk (directly via email or IM or the like), or is the result of an emergency unredaction for a security problem or system outage, it must be logged as per internal logging rules. The unredacting employee must include evidence of customer approval (screenshot of IM or email), or request that management approve the emergency unredaction in the ledger.
(Please note that these rules apply to private customer data. Public data, which are limited to documents and messages that have been clearly published by the customer to the public, and can be easily found via links on Twitter, Google, Facebook, or by other means of public dissemination, do not need to be redacted from view.)
In the case of a serious production or security issue, we follow our specified on-call escalation procedure. Our target response time is 15 minutes.
For any information security issues, in addition to escalating to the operations person on call, the issue will be immediately escalated to the CEO or Head of Engineering.
After any serious security or production issue, the “Production Root” team will conduct a post-mortem of the issue, which the on-call and engineering staff will review. Any results of the review will be shared with the customer in question if the problem related to customer data.
Review of Procedures
All security, customer data, and crisis response policies will be reviewed by Quip employees at the quarterly Production Refresher meeting.
The policy as a whole will be reviewed and updated by the Head of Engineering and the CEO each quarter.