QAD Trust Center

Security

Please see our Security Overview to understand how we deploy people, process and technology to ensure business continuity and the confidentiality, integrity and availability of data.

Privacy

Please see our Privacy Overview to understand how we protect individual privacy rights when delivering cloud and professional services. Additional details can be found in QAD’s Privacy Policy.

Compliance

Please see the below overview of certificates, reports and attestations that demonstrate our adherence to global industry compliance standards.

ISO 20000

ISO 20000 is a service management system (SMS) standard. It specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain and improve an SMS. The requirements include the design, transition, delivery and improvement of services to fulfill agreed service requirements.

Scope: The IT Service Management System of the QAD Service Delivery Center supporting the provision of Cloud ERP Services to QAD clients worldwide.

Auditor: British Standards Institution (BSI)

ISO 27001

ISO/IEC 27001 is the world’s best-known standard for information security management systems (ISMS) and their requirements.

Scope: The Information Security Management System that covers the support and operation of Cloud ERP Services to QAD clients worldwide.

Auditor: British Standards Institution (BSI)

CSA STAR

CSA STAR (Cloud Security Alliance - Security, Trust, Assurance, and Risk) is the industry’s most powerful program for assurance in the cloud, encompassing key principles of transparency, rigorous auditing and harmonization of standards. CSA STAR is a technology-neutral certification that leverages the requirements of ISO 27001, “Information security management,” together with the Cloud Controls Matrix (CCM).

QAD is listed on the CSA STAR Registry as Level One and Level Two Star Certified.

Scope: The Management of an Information Security System, providing the support and operation of cloud ERP Services to QAD clients worldwide.

Auditor: British Standards Institution (BSI)

SSAE18 SOC 1 Type 2

A SOC 1 (System and Organization Controls) audit is an attestation of QAD’s internal controls relevant to its cloud customers’ financial statements. It covers controls around processing and securing customer information, spanning both business and IT processes. Type 2 is an attestation of controls over a 12-month period.

Report access is available to most customers and partners with a support login ID, or upon request.

Scope: The QAD cloud services system for providing cloud application services and the suitability of the design and operating effectiveness of controls included to achieve the related control objectives.

SOC 1 Type 2 Bridge Letter

Auditor: Schellman

SSAE18 SOC 2 Type 2

A SOC 2 examination is a report on controls at QAD relevant to security, availability and confidentiality. The SOC 2 report is intended to meet the needs of a broad range of users that need detailed information and assurance about QAD controls relevant to security, availability, and confidentiality of the information processed by the QAD Cloud Services systems.

Report access is available to most customers and partners with a support login ID, or upon request.

Scope: The QAD Cloud Services system for providing cloud application services and the suitability of the design and operating effectiveness of controls included to achieve the related control objectives.

SOC 2 Type 2 Bridge Letter

Auditor: Schellman

FDA 21 CFR Part 11

FDA 21 CFR Part 11 is part of the Code of Federal Regulations that establishes the United States Food and Drug Administration (FDA) regulations on electronic records and electronic signatures (ERES). Part 11 applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted under any records requirements set forth in FDA regulations.

Scope: FDA CFR Part 11 compliance. The products and services within the scope of this document include the QAD Cloud ERP and EQMS solutions, limited to core, GxP and critical functionality.

Auditor: USDM

Veracode Verified

The Veracode Verified Program focuses on securing development processes and improving application security posture through the application of AppSec principles. The linked QAD Applications have achieved “Verified” status.

TISAX

TISAX (Trusted Information Security Assessment Exchange) is an assessment and exchange mechanism for information security in the automotive industry. It is used to assess all organizations involved in the production of vehicles and allows the subsequent sharing of results on a designated, non-public platform.

Scope: QAD Europe GmbH (Germany).

Auditor: Sulzer

Data Privacy Framework Program

The EU-U.S. Data Privacy Framework Program principles (DPF), including the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Principles were designed by the U.S. Department of Commerce, the European Commission and the Swiss and UK administrations to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union, the UK or Switzerland to the United States. The framework provides for an externally enforceable commitment to comply with the principles outlined in the European General Data Protection Regulation (GDPR). QAD has submitted to the authority of the competent data protection authorities. QAD’s listing is found here.

Scope: QAD Inc. (United States, European Union, United Kingdom, Switzerland)

Auditor: Self Assessment

Third Party Security Links

Below are links to the trust centers of a few QAD subservices, where their compliance programs can be reviewed. Please note that a support account may be required for access:

AWS Compliance Program
Flexential Compliance Certifications and Attestations
IBM Cloud Compliance Program
Alibaba Security and Privacy Compliance
NTT Data Compliance and Certifications