Qualia Security Whitepaper
This whitepaper and its contents apply to Qualia’s SaaS products and were last verified in 2023.
Introduction: The Growing Importance of Security in Real Estate
Cyberattacks are now considered the fastest-growing criminal activity in the United States, and real estate transactions are especially attractive targets. In recent years, cyberattacks have been gaining in size, sophistication, and cost. Cybersecurity Ventures estimates that the damage for all cybercrime will hit $10.5 trillion annually by 2025. While cybercriminals do not differentiate who they attack, they do look for big opportunities with possible vulnerabilities, like a home purchase.
Title and escrow companies, real estate agents, mortgage lenders, buyers, and sellers are all particularly vulnerable to cyberattacks. According to the 2022 FBI Internet Crime Report, cybercrime was reported once every 39 seconds and total cybercrime losses reached almost $397M in 2022. Cybercriminals recognize the potential to intercept high-value, one-time transactions with social engineering scams that trick unwitting homebuyers into wiring funds into fraudulent accounts.
What’s more, cybercriminals are getting increasingly creative as the number of people conducting their day-to-day business online continues to grow. Today’s real estate professionals are more technologically advanced than ever. Homebuyer expectations for digital touchpoints have created market demand for real estate technology solutions to empower real estate agents, title agents, and mortgage professionals. With the growing variety of software platforms, mobile applications, and technology available, the ability to work more efficiently grows every year. But with technology advancement also comes the possibility of cyberattacks and breaches in security and privacy.
The number of disjointed systems used to transact real estate is one of the biggest threats to the industry. A typical real estate transaction often includes up to 12 or more parties exchanging information. Each party typically uses its own software system to communicate and update information on a particular transaction. These disconnected communication channels open up opportunities for cybercriminals to capture the highly sensitive information being exchanged.
While there is inherent risk in doing business in today’s digital landscape, there is a lot that can be done to mitigate that risk. Fortunately, the real estate industry is already focused on preventing security issues from arising in the first place through education and improved technology standards. Now, title and escrow companies must look to adopt technology with the highest security standards as a must-have baseline for building and maintaining a company culture of security.
At Qualia, we are dedicated to helping our users identify, understand, and navigate threats to data security. Our platform offers a number of features to help safeguard data, and our business maintains a comprehensive security plan designed to protect our customers’ interests. This document is designed to educate our customers on our security practices, as well as provide insight into how they can implement their own security protocols to protect their business and their clients from the ever-present threat of cybercriminals.
Qualia’s Security Approach
We believe security and trust start with transparency. We provide official documentation of our security and privacy procedures and are proud to outline the full-stack approach we have taken to provide our users and their clients with industry-leading protections.
Qualia is a leader in the real estate industry in data privacy and security protections, with a focus on protecting client data and nonpublic personal information (NPI). Over 1 million title agents & attorneys, lenders, and real estate agents operate on Qualia. We are constantly updating the platform to meet the ever-evolving security landscape and our users’ needs.
Our software is built on best-in-class technology to safeguard against physical and virtual threats. With Qualia’s cloud-based infrastructure, your organization will benefit from regular security assessments, continuous patching, and additional security features built directly into the platform. These features, covered in detail below, ensure the continued availability of your data.
Along with extensive resources committed to product and technology infrastructure security, Qualia fosters a security-first culture among its team and our entire user community. All internal Qualia teams undergo ongoing security training, and our product development lifecycle prioritizes security at each step.
Qualia's Application Security and Information Security teams work to ensure data security standards and protect against and respond to security threats. We believe in going above and beyond minimum technology security standards to keep setting the bar higher. We believe a culture of security among the people on our team and in our community is of utmost importance. We demonstrate this commitment to security through the stringent standards and third-party certifications detailed in the sections that follow.
Moreover, our legal team has designed data privacy and security measures that meet and exceed industry standards. Qualia supports limited data retention periods and the collection and use of information that is accurate, up to date, and fit for the purposes for which it is used.
Read on to learn more about our security practices.
Certifications and Compliance
Our pursuit of compliance with stringent third-party security assessments underlines our commitment to ensuring the security of our platform for our users and affirms our steadfast adherence to evolving compliance standards. Qualia is built upon an infrastructure that is ISO 27001 certified and SOC 2® Type II assessed. Our internal security policies are built around the ISO 27001 information security framework, and we routinely audit our security and compliance posture through automation and manual assessments.
Qualia is structured to enable our customers to more easily comply with ALTA Best Practices Pillar 3 by helping remove some of the large overhead required to securely manage their customers’ data with the highest level of security and privacy.
ALTA Best Practices Pillar 3: Qualia’s ALTA Best Practices Pillar 3 compliance ensures that user data is protected and secure within the software. As a part of that compliance, Qualia does not provide access to data to any third parties, aside from any approved, built-in integrations necessary to complete a transaction. Title companies using Qualia are able to be confident they adhere to the procedures put in place by ALTA to protect NPI.
ISO 27001: An ISO 27001 certification demonstrates Qualia’s conformity with the documented standards for the implementation, management, and maintenance of information security within a company.
SOC 2 Type II: A SOC 2 Type II report shows detailed information and assurances about the security, availability, and processing integrity of the systems that Qualia uses to process users’ data. SOC 2 also addresses Qualia’s protection of the confidentiality and privacy of the information processed within the system. This assessment can play an important role in oversight of the organization, vendor management programs, internal corporate governance and risk management processes, and regulatory oversight.
Security Features within Qualia
Qualia offers strong administrative features, including access and permission settings that give our users robust controls over access and use of their Qualia deployment. Users can manage access to their Qualia deployments using these features.
User Management. Administrators can add users to, and remove users from, their Qualia system at any point. Users can then be set to active, inactive, or removed altogether to prevent access.
Role-Based Access Controls (RBAC). Along with user management abilities, administrators can also control permissions around the application using Role-Based Access Controls (RBAC). Access is broken down by section of the application, with more specific settings for each section. Limit access to accounting, reporting, sensitive information (e.g., Social Security Number), contact information, title, and more.
Two-Factor Authentication (2FA). Also called Multi-Factor Authentication (MFA), this feature requires a user to submit two or more forms of authentication to gain access to a system. For example, upon logging into Qualia, users that have enabled 2FA will receive a message to their trusted cell phone—either via SMS or a specialized authenticator app—with a code that they must enter to gain access to Qualia. This ensures that even with a password compromise, a criminal could not access the system. Administrators can set up Two-Factor Authentication for all users in the system or Qualia can provide regular reporting on users with 2FA turned off. With a 2FA requirement setting enabled, any user logged out of Qualia will be required to enter an authentication code sent to his/her mobile phone prior to logging in.
Allowed IPs List. This feature allows an admin to specify the IP addresses that are allowed to access the system. This ensures that an unknown device cannot access the system to retrieve sensitive information. When off, all IP addresses are granted access to the system (for use with remote access employees). When on, only the listed IP addresses will be able to log in.
Single Sign-On (SSO). Available in Qualia Core, integration with your SSO solution (such as Microsoft Azure AD, Okta, or OneLogin) via Security Assertion Markup Language (SAML) provides both ease of use and granular control over the authentication experience.
Activity Logs. A detailed Security Activity Log allows administrators to review important events, such as login activity, the creation/deletion of users, or the modification of user permissions. Additionally, each order contains an Order Activity Log, which records detailed information relating to all changes made to the order.
Secure Portal. Qualia offers secure portal functionality, requiring that recipients of attachments sent out of Qualia create an account and log into a secure portal prior to accessing sent attachments. Those attachments are only available to the specified recipients through the login portal.
Automatic Clearing and Positive Pay. To help track and prevent fraud, administrators can utilize the automatic clearing and Positive Pay features (as offered by their bank). When in use, automatic clearing will notify users of any transactions not listed on their bank statements. Positive Pay will alert the bank of any items that do not match approved outgoing transactions.
Qualia Security Practices
Logging, Monitoring, and Response. Every individual service component in Qualia logs activity and security events to a centralized logging service which is actively monitored by our engineering staff. Security logs are kept for at least one year. Identified incidents are treated with the utmost priority and are worked on 24/7 until resolution.
Data Availability and Disaster Recovery. Qualia employs strong platform-level isolation, which enables increased service availability. All customer data is actively backed up into secure containers in case of system failures beyond our control. Qualia’s business continuity and disaster recovery plan is tested annually.
Service Operations & Qualia Employee Protocols. Qualia staff do not access or interact with customer data or applications as part of normal operations. There may be cases where Qualia is requested to interact with customer data or applications at the request of the customer for support purposes or where required by law. Access to this data is logged and only named individuals in specific roles are allowed access.
All new Qualia employees go through a thorough background check and security awareness training as part of the onboarding process. Additionally, engineers receive specialized secure development training designed specifically for the frameworks in use. Separate testing and production systems are maintained. Per policy, customer data is only stored within the production service.
Data Center And Physical Security
Qualia utilizes ISO 27001 certified and SOC 2 assessed data centers managed by Amazon Web Services (AWS). AWS is an $80 billion business that focuses heavily on data protection and security and is relied upon by most blue-chip companies such as Netflix, Dow Jones, Pfizer, and Zillow. Because Qualia is cloud-based software, customers don’t need to invest in cloud hosting services—their systems are backed up through Qualia on AWS. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure.
AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military-grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
AWS data centers also include several additional environmental safeguards, such as:
- Fire detection and suppression
- Uninterruptible power supply
- Climate and temperature controls
- Operational management of systems
In addition to protecting data in secure warehouses, Qualia takes the below measures to protect user data.
Customer Isolation. In Qualia Core and Assure, each individual Qualia customer is provisioned into their own virtualized instance of the service which provides our customers with a greater degree of logical separation of services and data isolation. This approach provides Qualia customers with a higher degree of security, privacy, and availability.
Data Encryption. All data transmitted to the Qualia service is encrypted over a secure channel using Transport Layer Security (TLS). Only strong TLS protocol versions, cipher suites, and key exchange algorithms have been enabled and further transport layer security controls, such as Perfect Forward Secrecy, have been implemented. Stored data is likewise encrypted at rest using strong cryptographic algorithms.
Spoofing and Sniffing Protections. Managed firewalls prevent IP, MAC, and ARP spoofing on the network and between virtual hosts. Packet sniffing is prevented by infrastructure, including the hypervisor, which will not deliver traffic to an interface to which it is not addressed.
Port Scanning. Port scanning is prohibited, and every reported instance is investigated by our infrastructure provider. When port scans are detected, they are stopped, and access is blocked.
Hardened Hosts. Qualia infrastructure is proactively locked down, disabling unnecessary ports, services, and users to reduce our attack surface. Hosts are promptly patched and upgraded when security updates are available. Each host runs anti-virus software, for which signatures are updated daily.
Configuration Scanning and History. The Qualia infrastructure is continuously scanned for configuration changes outside of its secure baseline. Any change outside that baseline triggers an immediate alert and is mitigated as appropriate. A full configuration history and inventory of Qualia’s infrastructure is maintained for posterity and forensics.
Secure Design & Frameworks. As new features are developed, they are reviewed for potential security issues, which are then remediated prior to release to production. Security frameworks have been built to mitigate the most common types of software vulnerabilities to enable secure-by-default development practices. Security staff and development teams continuously keep abreast of new threats as they arise.
Security Testing. Qualia undergoes penetration tests, vulnerability assessments, and source code reviews to assess the security of our application, architecture, and implementation. Internal and third-party security assessments cover all areas of our platform, including testing for OWASP Top 10 web application vulnerabilities and customer isolation. Qualia works closely with external security experts to review the security of the platform and applications and to apply best practices.
Vulnerability Disclosure. Qualia highly values the work of independent security researchers. We support a responsible disclosure policy and will partner with researchers to address security concerns identified in our service in a timely manner. Reports of potential security issues can be sent to firstname.lastname@example.org.
Qualia Delivers Beyond Baseline Security Standards
For businesses looking for the highest levels of security, Qualia delivers. However, beyond data security and privacy protocols, Qualia also offers a new way to transact real estate—a way that offers greater security while also creating greater efficiencies and improved homebuying experiences.
Qualia provides the complete infrastructure to streamline the home closing experience for real estate businesses and their clients. Our suite of products brings together homebuyers, sellers, lenders, title & escrow agents, vendors, and real estate agents onto one secure platform.
To learn more about Qualia’s secure platform and our security features and protocols, please visit qualia.com/trust.