Quavo, Inc. completed a third-party PCI Assessment for Self Assessment Questionnaire D – Service Providers. For use with PCI DSS Version 3.2.1. Attestation of compliance can be found here.
Quavo, Inc. achieved its SOC 2 Type II report and a copy of the 2022 SOC 2 audit report is available here.
Quavo is listed on Visa’s registry of Global Service Providers online.
Role-Based Access Control: Limit user access with admin, read-write, and read-only roles.
Secure Development Lifecycle: Automated linting, unit and integration testing, and code reviews are performed against each code change.
Data Encryption: All data is encrypted in transit and at rest.
Infrastructure Code: All infrastructure is managed as code and goes through a code review.
Least Privilege: All IAM policies, credentials, permissions, and roles are scoped down to the minimum necessary permissions.
Network Segregation: Production, Sandbox, and Staging accounts all live within their own separate accounts and are constrained through VPC’s.
Hardened Hosts: Unused services/ports are removed via security groups, and instances are built off a CIS compliant (AMI) Amazon Machine Image. Running as a non-root user.
Intrusion Detection System: We run an IDS that alerts us on anomalous network connections suspiciousactivity, and more.
AWS Root User Disabled: All AWS root users are disabled; access is granted by power user or administrator access.
Privacy: Learn more about our privacy statement by visiting our privacy page.
Penetration Tests: Quavo engages with third-party firms to conduct application-level and infrastructure-level penetration tests at least annually.
Vendor Evaluation: Quavo evaluates and monitors the security of our sub processors and requires them to maintain a security posture at least as strong as our own.
SSO: Employee services are authenticated with SSO with enforced password complexity and MFA requirements.
Security Training: All employees go through security training as part of their onboarding and must be renewed annually. Topics covered include, but not limited to, Data Security, Phishing, Physical Security, and Password Protection.
Standardized Onboarding/Offboarding: Employees received minimum permissions by default and are only granted additional access on an as-needed basis. When employees change roles or are offboarded, their permissions are reviewed or removed immediately.
Access Review: Quavo performs access review on a regular basis to ensure the principle of least privilege is followed.
VPN: Accessing internal services must be completed over a secure VPN.
