Security
Security at QuoteWerks
QuoteWerks Web provides options to control how users access the system, where data is hosted, and how it is handled within the platform.
This page provides an overview of authentication, hosting, and security-related practices.
QuoteWerks balances transparency with responsible disclosure. We provide meaningful information about our security practices while limiting public disclosure of sensitive internal controls, infrastructure details, and operational procedures that could increase risk.
Authentication, hosting, and data practices for QuoteWerks Web
Access Control
Authentication Options
Configure how users log into QuoteWerks Web
QuoteWerks Web supports multiple authentication methods that can be configured based on your environment.
Available options include:
- Multi-factor authentication (MFA)
- Authenticator apps
- Text message verification
- Duo Security push-based authentication
- Single Sign-On with Microsoft Azure Active Directory
Authentication and access policies are configurable, allowing organizations to define and enforce requirements based on their internal standards.
These options help organizations centralize access control, enforce identity verification, and reduce the risk associated with unauthorized account access.
Hosting
Data Hosting and Infrastructure
Where QuoteWerks Web is hosted
QuoteWerks Web, QuoteValet, VendorRFQ, database hosting services, and ClarityWerks hosted offerings are provided through Microsoft Azure in the Central US region (unless otherwise communicated).
Microsoft Azure provides enterprise-grade physical data center security, hardware infrastructure, foundational network controls, redundancy, backup capabilities, and platform-level security controls.
QuoteWerks uses logical separation of customer environments to help ensure customer data remains partitioned from other customer instances.
Organizations may also choose to host their QuoteWerks database within their own environment depending on their requirements.
Data
Data Handling and Protection
How data is processed and secured
Customer data retention and handling practices are managed in support of the services provided, contractual obligations, operational requirements, and applicable legal or regulatory considerations.
- Customer data is processed, stored, and transmitted to operate and support the QuoteWerks service
- Customer data is not used for unrelated purposes
- Data in transit is encrypted using TLS 1.2 or higher
- Data at rest is encrypted using Azure-managed encryption services (AES-256 where applicable)
QuoteWerks is designed to process standard business information such as quotes, proposals, pricing, product details, customer contact information, and sales-related documents.
QuoteWerks is not designed to intentionally process highly regulated data such as protected health information (PHI), unless a customer independently configures its use of the platform in that manner. Customers are responsible for their own data governance policies, including determining what information is appropriate to enter into QuoteWerks.
Authorization
Access Control and Isolation
Managing user access within the platform
Access to QuoteWerks Web is managed through role-based access control and tenant-level isolation.
Access is configured based on the principle of least privilege, allowing organizations to control how users interact with data and system functionality.
Authentication and access control settings are configurable at the tenant level. QuoteWerks provides permission and access control capabilities that allow administrators to manage access based on job role, responsibility, and business need.
Practices
Security Practices and Approach
How security is maintained
QuoteWerks takes security, customer data protection, and data retention practices seriously. Security is not treated as a one-time checklist, but as part of our ongoing operational practices. These practices are continually reviewed and improved as our products, infrastructure, and customer requirements evolve.
QuoteWerks aligns with industry practices and frameworks such as the NIST Cybersecurity Framework to guide our approach to access control, data handling, operational safeguards, and risk management.
QuoteWerks currently does not leverage an external SOC 1 or SOC 2 attestation report for compliance purposes. At this time, the ongoing cost, administrative effort, and maintenance requirements associated with formal attestation are not proportionate to our current business model, customer requirements, and operational priorities.
This does not mean security is treated as optional or informal. QuoteWerks maintains internal security practices, operational safeguards, and review processes intended to protect customer data and support the reliable operation of our products and services.
We also believe responsible security communication requires balance. While customers need clear information about how their data is handled and protected, publishing detailed internal security controls, infrastructure design, retention procedures, monitoring practices, or system configurations can increase risk. For that reason, QuoteWerks limits public disclosure of sensitive security and infrastructure details.
When a customer has specific security review requirements, QuoteWerks may provide additional information through an appropriate controlled process, such as a security questionnaire, contractual review, or confidentiality agreement. Depending on the scope and complexity of the request, extensive security questionnaires may require a professional services engagement to ensure the information is reviewed and completed accurately.
Reliability
Backup and Recovery
Supporting data restoration and continuity
Backup and recovery processes are maintained as part of ongoing operational practices to support data restoration in the event of an incident.
QuoteWerks maintains multiple layers of database backup protection, including transaction log backups, daily backups, and weekly backup layers for applicable hosted systems.
These processes are aligned with the underlying cloud infrastructure and operational practices used to support the platform.
For core transactional data, QuoteWerks generally targets a recovery point objective (RPO) of approximately one hour. Recovery time objectives (RTO) vary based on the type of incident, affected services, dependencies, and required validation before service restoration.
Responsibility
Shared Responsibility Model
Understanding roles in security
Security within QuoteWerks Web follows a shared responsibility model.
- Microsoft Azure is responsible for infrastructure-level security, including physical data centers, networking, and platform services
- QuoteWerks is responsible for application-level security, access control, and operational practices
- Customers are responsible for configuring authentication, access policies, and data usage in alignment with their requirements
Responsibility
Customer Responsibilities
Using the platform in alignment with your requirements
Customers are responsible for ensuring that their use of QuoteWerks Web aligns with applicable regulatory and compliance requirements.
The platform provides configurable controls, but how those controls are applied is determined by each organization.
Customers should enable MFA or SSO where appropriate, regularly review user access, promptly remove access for users who no longer require it, and ensure that sensitive information is handled according to their own internal policies and regulatory obligations.
Internal
Internal Security Practices
Employee and operational safeguards
QuoteWerks maintains internal practices to support operational security.
All employees are required to complete Federal, State, and Local background checks prior to employment.
Aspire Technologies limits employee access to systems and customer data based on business need. Internal access is granted according to role and responsibility and is reviewed as part of normal operational practices.
Incident Response
How security events are handled
QuoteWerks maintains a structured incident response process that includes detection, escalation, containment, remediation, and post-incident review.
In the event of a confirmed security incident impacting customer data, affected customers will be notified in accordance with applicable legal, regulatory, and contractual obligations.
Reporting
Report a Security Issue
How to report potential vulnerabilities
If you discover a potential security issue, please report it to:
Include a summary of the issue and any relevant details to help reproduce it.
Please report vulnerabilities responsibly and avoid actions that could impact other users or system performance.