Information Security Policy
1. Scope
This policy applies to every person acting on behalf of Better Quality Assurance S.R.L. ("BetterQA," "the company"), in every country we operate in, including permanent employees, sub-contracted engineers, and any third party with access to BetterQA systems, client environments, or client data. It governs the protection of information assets we hold or process, whether on managed laptops, in BetterQA proprietary tools (BugBoard, Flows, BetterFlow, JRNY, Hireo), in third-party SaaS, or in client systems we are engaged to test.
BetterQA is certified to ISO/IEC 27001 (Information Security Management Systems), ISO 9001 (Quality Management), ISO 14001 (Environmental Management), and ISO 13485 (Medical Devices Quality Management). Certificates are listed at betterqa.co/certifications and copies are available on request. This policy is the company-wide expression of those ISO 27001 controls, and is additionally aligned to the NIST Cybersecurity Framework, the EU General Data Protection Regulation (Article 32 on security of processing), and the operational resilience expectations in DORA and FCA SYSC 13 where they apply to our regulated financial services clients.
2. Our Position
BetterQA's independent QA model means client data, credentials, test environments, and findings routinely sit on engineer laptops and in BetterQA tooling. A compromise of an engineer endpoint, a leaked credential, or an exposed BetterQA tool is, by definition, a compromise of a client. We manage that risk through a proportionate baseline applied uniformly across the company, with stricter controls layered on for engagements that require them by contract or by regulation.
3. Specific Obligations
Access control. Single sign-on via Google Workspace is the primary identity for BetterQA accounts. Multi-factor authentication is enforced for every account holder, on all critical systems, and for all remote access. Access to BetterQA tools and client systems is granted on a least-privilege basis.
- Access to BetterQA tools (BugBoard, Flows, BetterFlow, JRNY, Hireo, internal Security Toolkit) is reviewed against current role at least quarterly; orphaned access is removed and an annual recertification is performed by the Managing Director. Privileged and administrator access is approved by senior management and logged
- Access to a client system or environment is granted only after the engagement is signed, the engineer is named on the engagement, and the client (or their representative) has authorised the access. Access is revoked at engagement close
- Shared accounts are not permitted. Where a client provides a single shared credential, BetterQA records that as a contract-level exception in the engagement file and rotates the password at engagement close
- Passwords are a minimum of 12 characters and include a mix of uppercase, lowercase, numbers, and special characters. Initial and reset passwords must be changed on first use. Passwords for accounts with access to production or client environments are rotated at least every 90 days. Stored passwords are salted and hashed; plaintext passwords are not retained. Password managers are recommended for personal credential storage and required where shared credentials must exist
- Contractor accounts are issued with predefined expiry dates aligned to the contract term; extension requires formal approval
Endpoint security. Every BetterQA laptop is enrolled in a centrally managed device management platform (Miradore), which provides inventory, configuration baseline, remote lock, and wipe. The following controls are applied:
- Full disk encryption is enforced on every BetterQA laptop and on any portable device used to access client data
- Screen lock auto-engages after 5 minutes of inactivity; manual lock is required when leaving the workstation
- Operating systems and applications are kept on supported versions, with security patches applied within a reasonable timescale and subject to appropriate testing; vendor-classified critical patches are prioritised
- Endpoint anti-malware is installed and kept current on every laptop. Local administrator rights are not granted by default; elevation is provided on request for specific tasks and removed afterwards
- Removable media ports (USB and similar) are disabled by default. Exceptions require managerial approval and the media must be encrypted
- A clear desk policy is enforced: paper documents and removable media are stored in locked drawers when not in use
- Personal devices are not used to access client production systems or hold client data
Application and code security. Source code for BetterQA tools and client deliverables is stored in version-controlled repositories (GitHub) with branch protection and mandatory pull-request review.
- Secrets (API keys, tokens, client credentials) are managed in a dedicated store or password manager and are not committed to source control
- Development, test, and production environments are logically separated; access is role-restricted
- A formal change management process governs changes to production systems, with prior approval from relevant stakeholders and documented release records
- Application security testing (SAST, SCA and DAST) is performed on BetterQA source code and running systems using our proprietary AI Security Toolkit, the same tooling we deliver to security-testing clients. Container workloads run on Kubernetes with platform-level isolation and monitoring. Public-facing WordPress assets are protected by Defender Pro, WPEngine platform controls, and Cloudflare
- Internal infrastructure and public-facing systems are pen-tested at least monthly using our proprietary AI Security Toolkit. Dependency vulnerabilities are reviewed on an ongoing basis
- External assurance operates at two layers. BetterQA itself holds an annual ISO 27001 surveillance audit by an independent certification body. The platforms our tools run on are independently audited in their own right: Supabase is SOC 2 Type 2 and ISO 27001 certified, and Railway is SOC 2 Type 2 with a published third-party penetration test report. A standing annual external pen test of BetterQA application code on top of those platforms is not retained as a default, but can be commissioned per engagement where contractually required
- Systems are hardened against industry baselines (CIS benchmarks and platform-recommended configurations where applicable)
Data protection and classification. Information is classified as Confidential, Internal, or Public. Staff are trained on handling rules for each classification, with the strictest controls applied to Confidential data.
- Confidential data is encrypted at rest and in transit using AES-256 (or equivalent industry-standard algorithm). Transport encryption uses TLS 1.2 or higher
- Client production data is not copied to BetterQA laptops or BetterQA tooling unless the client has expressly authorised it in the engagement contract or Data Processing Agreement. Synthetic or sanitised data is preferred
- Retention follows the engagement contract or the Privacy Policy, whichever is stricter. At engagement close, all client production data held by BetterQA is deleted or returned per the contract, with a written confirmation on request
- Obsolete electronic media is securely erased using certified tools or physically destroyed. Confidential paper waste is shredded on-site or via a certified service
- Client data is stored within the European Economic Area on GDPR-compliant infrastructure (Google Workspace, supplemented by platform-managed encryption from Supabase, Railway, and Google Cloud where applicable)
Network security. BetterQA operates as a fully remote services firm and does not run a corporate LAN. Identity is the trust boundary: Google Workspace single sign-on with multi-factor authentication enforced on every account replaces the traditional network perimeter.
- Inbound traffic to BetterQA-owned products (BugBoard, Flows, BetterFlow, JRNY, Hireo) passes through Cloudflare ahead of cloud-provider firewalls. Network segregation, WAF, and DDoS protection are provided at the Cloudflare edge; service-level isolation is enforced by Supabase, Railway, and Google Cloud at the platform layer
- The BetterQA website (betterqa.co) is hosted on WPEngine, with platform-level firewall and WAF, supplemented by Defender Pro for WordPress and Cloudflare at the edge
- Remote access to BetterQA tools and client environments requires multi-factor authentication via Google Workspace. Access to sensitive client environments uses encrypted channels (a managed VPN such as Firezone WireGuard, a client-supplied jump-host, or client-issued credentials) with per-engineer authentication and revocation at engagement close
- Data in transit is encrypted using TLS 1.2 or higher across all services. AES-256 is used for confidential data at rest
- System clocks are synchronised via NTP to ensure accurate timestamps for event logging
Logging and monitoring. Critical activity on BetterQA systems is logged and monitored.
- Logins, configuration changes, and access events are captured. Logs are stored with access restricted to authorised personnel and protected against tampering
- Unauthorised access attempts and suspicious activity trigger alerts through Google Workspace and platform-level monitoring. Anomalies are investigated promptly
- Email is filtered for malware and phishing at the gateway via Google Workspace
Human resources security. All staff and sub-contractors complete pre-employment verification before being granted access to BetterQA systems or client data.
- Standard pre-employment verification covers government-issued ID, right-to-work in the jurisdiction of engagement, education and prior employment via reference checks (typically two references contacted), and confirmation of no current conflicts of interest. Background-check evidence is retained in encrypted HR storage for the duration of employment plus the statutory retention period
- For engagements that require it (defence, healthcare, regulated financial services), additional checks are arranged on a per-contract basis: criminal-record certificate (Romanian "Cazier judiciar" or local equivalent), credit check, sanctions/PEP screening, and NCAGE / security-clearance status where the client mandates it
- The same vetting principles apply to sub-contractors and third parties who will access BetterQA systems or client data
- Every engineer and sub-contractor signs an NDA, IP assignment, code of conduct, acceptable-use, and information-security policy acknowledgement before access is enabled. General information security responsibilities are written into employment and contractor agreements
- Security awareness training operates on three layers: an induction module on day one reviewed and electronically acknowledged before client-system access is granted; an annual refresher tracked in HR; and topical reminders issued whenever a policy is revised. Training covers phishing, credential hygiene, secure handling of client data, AI-specific risks (prompt injection, data leakage), and the incident reporting routes in this policy
- A formal disciplinary process applies to breaches of this policy, with actions ranging from retraining to contract termination depending on severity
- Onboarding and offboarding are managed against a written checklist owned jointly by HR and IT. On exit, the SSO account is disabled, MFA tokens are revoked, client-system access is terminated and confirmed with the client where required, hardware is retrieved or wiped remotely via the device management platform, VPN and jump-host credentials are revoked, and the mailbox is transferred to the manager for retention. Final access removal is confirmed in writing within 24 hours and audited monthly. Departing staff are reminded in writing of continuing confidentiality and IP obligations
Physical and environmental security. BetterQA premises are protected by controlled PIN-based entry and CCTV monitoring. Critical IT equipment is protected by uninterruptible power supplies to maintain operation during short power interruptions. BetterQA does not operate its own data centres; production workloads run on managed cloud providers whose physical security controls are governed by the Supplier and Third-Party Management Policy.
Supplier and third-party security. BetterQA depends on a small set of third parties for infrastructure (Google Workspace, Supabase, Railway, Google Cloud, WPEngine, Cloudflare), AI providers, productivity tooling, and sub-contracted engineers. These are governed by the Supplier and Third-Party Management Policy, which sets out tiered due diligence, ISO 27001 / SOC 2 evidence requirements, audit rights, and exit plans. Third-party contracts include security, data protection, and privacy clauses.
4. Incident Management
A security incident is any confirmed or suspected event that compromises, or risks compromising, the confidentiality, integrity, or availability of BetterQA or client information. Examples include lost or stolen laptops, leaked credentials, malware on an endpoint, unauthorised access to a client system, accidental exposure of client data, and identified vulnerabilities in BetterQA tooling.
BetterQA follows a six-stage response, aligned to ISO/IEC 27035 and NIST SP 800-61:
- Detect. Any BetterQA engineer who observes or suspects an incident must report it within 1 hour to [email protected] and to their engagement lead. Clients reporting an incident through their normal BetterQA contact are routed to the same channel
- Triage. The Managing Director (or a named deputy) classifies severity within 2 hours of receiving the report. Severity sets the response clock and the notification path
- Contain. Credentials are revoked, sessions are terminated, affected machines are isolated via the device management platform, and any exposed secrets are rotated. Containment actions are recorded in the incident register
- Notify. Affected clients are informed without undue delay, and in any case within the contractual notification window. Where personal data is involved, the relevant supervisory authority is notified within 72 hours of becoming aware, per GDPR Article 33. Where a regulated client is affected, BetterQA supports their own regulatory notification obligations on request
- Investigate and remediate. Root cause is established, the technical and procedural fix is applied, and the fix is verified. Where third parties are involved, the relevant supplier is engaged via the Supplier and Third-Party Management Policy
- Post-mortem. A written report is produced within 14 calendar days of closure. The report goes to affected clients, the BetterQA incident register, and, where the root cause was a control gap, drives a change to this policy or to the relevant operational procedure
5. Business Continuity and Backups
BetterQA maintains a Business Continuity Policy and an IT Disaster Recovery Policy that together set out how critical functions are sustained during disruption.
- BetterQA-owned tooling (BugBoard, Flows, BetterFlow, JRNY, Hireo) runs on managed cloud platforms (Supabase, Railway, Google Cloud) whose built-in backup, snapshot, and version-history mechanisms provide continuous data protection
- Operational data (Slack, Google Drive, Jira, GitHub) benefits from platform-provided retention and recovery. Google Drive retains deleted files for at least 30 days; Jira and GitHub maintain version history and support point-in-time recovery
- Backups are encrypted at rest and in transit by the underlying platforms (AES-256)
- Client deliverables (test cases, automation suites, reports) are stored in version-controlled repositories and shared drives with versioning enabled; restoration from a prior revision is available on request
- Recovery time and recovery point objectives are agreed per engagement where the client requires them contractually. A formal end-to-end continuity and disaster recovery testing programme is being introduced and will be exercised on at least an annual cycle once established
- Continuity arrangements are reviewed annually by the Managing Director and after any material change to BetterQA's tooling or supplier portfolio
6. Reporting Channel
If you have observed or suspect a security incident, a control gap, or a breach of this policy, report it.
- Security incidents: [email protected] (anonymous reporting permitted)
- Policy concerns or misconduct: [email protected] or the Whistleblowing Policy
- For confirmed personal data breaches, GDPR Article 33 notification timelines apply (72 hours to the supervisory authority, controllers notified without undue delay)
7. Consequences
Breach of this policy by a BetterQA employee or contractor is treated as misconduct. Consequences may include:
- Disciplinary action up to and including termination of employment or contract
- Recovery of losses caused by the breach, including third-party costs and regulatory penalties
- Disclosure to clients whose engagements were affected, per the relevant Data Processing Agreement or MSA
- Reporting to law enforcement and regulators where the breach involves criminal conduct, sanctions exposure, or notifiable personal data incidents
- Loss of ISO 27001 / ISO 9001 certification status where control failures are systemic
8. Review Cadence
This policy is reviewed at least annually by the Managing Director, or sooner if there is a material change in the BetterQA control environment, a major incident, the introduction of new client regulatory obligations, or a relevant change in applicable law or standard (ISO 27001 revision, DORA implementation milestones, EU AI Act security obligations, FCA SYSC updates).
9. Owner