Information Security Policy

Effective Date: January 2023
Approved By: Directors @ DoesQA


1. Purpose
At DoesQA, protecting the confidentiality, integrity, and availability of information is a core priority. This Information Security Policy outlines how we safeguard customer, contractor, and partner data across our SaaS operations.

2. Scope
This policy applies to all DoesQA systems, services, contractors, and business partners who may process or access information on our behalf.

3. Governance

  • Information security is overseen by the DoesQA leadership team.

  • Responsibilities are clearly assigned and communicated.

  • We align with internationally recognised standards, including ISO 27001 and the NIST Cybersecurity Framework.


4. Risk Management

  • Risks are formally assessed at least annually or after major changes.

  • Identified risks are prioritised and mitigated using technical, organisational, and contractual controls.


5. Contractor & Vendor Security

  • DoesQA operates exclusively through business-to-business contractor engagements.

  • All contractors and vendors undergo appropriate screening and contractual due diligence.

  • Access is provided on a least privilege basis.


6. Access Control

  • Access to systems and data is strictly need-to-know.

  • Strong authentication and multi-factor authentication are enforced.

  • Access rights are reviewed regularly and revoked promptly when no longer required.


7. Data Protection & Privacy

  • Data is encrypted in transit (TLS 1.2+) and at rest (AES-256 or equivalent).

  • We comply with applicable regulations, including GDPR and CCPA.

  • Customers may request secure data deletion in line with NIST SP 800-88 standards.

  • Backup data is deleted according to retention schedules.


8. Security Management System

  • We maintain an ISMS framework aligned to ISO 27001.

  • Policies and procedures are reviewed at least annually.

  • Security practices are continuously improved in response to evolving threats.


9. Incident Response & Business Continuity

  • A documented incident response plan is in place to detect, respond to, and report security incidents.

  • Customers are notified promptly if their data is affected.

  • Disaster recovery and backup procedures are regularly tested.


10. Compliance & Assurance

  • Compliance with this policy is mandatory for all contractors and vendors.

  • Security controls are reviewed periodically against best practice and regulatory requirements.

  • Customers may request additional security documentation or assurances as part of due diligence.


11. Policy Review
This policy is reviewed annually and updated as required to reflect changes in technology, regulations, and business practices.


For questions about this policy, please contact: ciso@does.qa