Paribus Application Security

QGate’s development standards for Paribus follow industry-standard secure coding guidelines and the application is segmented by function to maintain security.

System Architecture and Design

Components and Modules

Paribus is constructed on principles of modular programming and comprises modules or “layers” for functions including, but not limited to: Data; Data Access and Governance; Client Access; Administration; Monitoring and Alerting; and Processing.

Paribus’ base level data storage (encrypted to AES 256-bit), for both subscriber details and Paribus operation, is managed within instances of MS SQL Server as the secure container, with no system component having direct access to that data other than through our Managed Data Access and Governance components. Data is only transmitted over public networks using certified SSL/TLS protocols.

Microsoft Azure Service Bus is utilised for secure process-to-process communications, action queuing and completion notification including, but not limited to, integration with other service providers such as our billing processes and systems.

“Client” application components and requirements

Any associated target application components required to be added or installed aside of the Paribus “client” application (e.g. the end user line of business systems such as CRM) are constructed within each target application’s development framework.

Certain functions of Paribus shall require subscribers to download and install “on premise” asset(s), and these may install with the capability to connect to Paribus cloud for the purposes of assessing version and release levels and delivering and enforcing updates where necessary for ongoing subscriber use.

Microsoft Dynamics CRM

Microsoft CRM Online, or Internet Facing Deployment (IFD) for On Premise or privately hosted instances, is required for the Paribus Interactive service.

System Development Lifecycle

Paribus is developed under controlled development practices with the intent of ensuring that the service provided to our subscribers is of the highest standard: that it is as free from error and as functionally rich as possible.

Before any code is released into production, whether for a minor or major version increment, it is reviewed and assessed through a series of automated regression and vulnerability tests, which are built on a library of known potential vulnerabilities as well as previous test results.

Application “Penetration testing” is carried out by third parties; the results are presented to and assessed by QGate management and, where necessary, remedial and/or mitigation action is prioritised.

Upgrades and Patch management

Planned maintenance will, whenever possible, be carried out between the hours of 12:00 and 06:00 GMT on the second Thursday of each month. Notification, via email to nominated customer email accounts, will be provided with two weeks’ advance warning.