Quadient digital trust center

Scope

This page covers the Quadient Digital (previously ICA) solution line from the product compliance perspective. Other parts of Quadient, such as Mail (previously MRS) or Lockers (previously PLS), may adhere to different standards. Please reach out to your Account Manager if you are interested in matters relevant to Mail, Lockers or Quadient internal IT.

Alternatively, please visit our dedicated support page for Mail (previously MRS) support.

Security, Privacy and Compliance Information

Our primary objective in creating this page is to provide an open and transparent overview of Quadient Digital's compliance governance program. We believe in fostering a culture of clarity, where all stakeholders, including customers and partners, can readily access and understand our principles, guidelines, and practices. By sharing this information, our goal is to promote trust, accountability, and informed decision-making as we work to continuously improve our program.

Quadient emphasizes compliance with multiple certifications, frameworks and legal requirements such as ISO 27001:2022, ISO 9001:2015, HITRUST, PCI DSS, SOC 2, NIST, GDPR, HIPAA and CCPA. Compliance levels are regularly reviewed by internal auditors and independent external auditors to ensure that all controls are in place, working as intended and in line with both Quadient's and its customers' expectations.

Quadient employs a dedicated team responsible for managing Quadient Digital Compliance, which includes:

  • Information Security Management System (ISMS), including Risk Management, Incident Management, Business Continuity, Disaster Recovery, etc.

  • Privacy Information Management System (PIMS)

  • Quality Management System (QMS)

  • Environmental, Social and Governance (ESG), including Environmental Management System (EMS) and Corporate Social Responsibility (CSR)

  • Occupational Health and Safety (OHS)

  • Fire Safety (FS)

Various roles such as Security and Compliance Managers, Data Protection Officers, Cyber Security Analysts, Penetration Testers, Quality Engineers, and Environmental Managers are dedicated to managing or supporting the above-mentioned management systems. These professionals hold relevant certifications and their training is continually updated.

The links below contain more information about the comprehensive security and governance program implemented by Quadient Digital, including security awareness training for employees, acceptable use policies, access control, availability and continuity measures, asset management, backups, business continuity planning, change management, cyber insurance, disaster recovery, encryption, hardening measures, HR security practices, incident management, internal and external audits, logging, monitoring, network security, data loss prevention, password management, and more.

If you have any additional questions, you can reach out to us at privacyteam (at) quadient.com for privacy related questions or security (at) quadient.com for security related questions.

Finally, our Quadient University covers a whole range of topics relevant to Quadient Digital products.

Quadient Digital Solutions

The following Quadient Digital solutions are provided as SaaS for which Quadient uses Microsoft Azure (Azure) and Amazon Web Services (AWS):

Customer Experience Management (CXM)

Referring to Inspire solutions. For enterprises who wish to create exceptional customer experiences, we provide omnichannel software solutions and expertise that deliver compliant and meaningful customer interactions. This includes Inspire Evolve, Inspire Flex and Inspire Journey.

Intelligent Documentation Automation (IDA)

Referring to Impress solutions. For businesses who want to streamline document production processes and departmental workflows, we provide digital solutions that help automate communications and accelerate cash flow. This includes Impress Automate, Impress Distribute and Impress Invoice.

Accounts Receivable (AR)

Referring to “Quadient AR, by YayPay”. Automate Accounts Receivable to simplify the collection process and reduce DSO.

Accounts Payable (AP)

Referring to “Quadient AP, by Beanworks”. Approve invoices and pay vendors remotely while reducing AP costs.

Digital Platform

Initial login portal/hub allowing access to Quadient Digital solutions purchased by the customer.

Quadient iForms

Quadient Inspire iForms (formerly Daylight Automation) allows you to create intelligent forms that collect, validate, and communicate business-critical information and data seamlessly across your organization.

Quadient Managed Services (QMS, not SaaS)

Quadient Managed Services help organizations to alleviate operational burdens, achieve cost-efficiency, reduce risks, and focus on strategic growth and innovation.

If your solution is not listed here (for example, Mailing Machines, Label Printers, S.M.A.R.T. Device Management Software, Lockers, etc), please contact your Account Manager for support.

Applicable Certifications and Assessments

Quadient Digital solutions are subject to many certifications, assessments and legal requirements, which are regularly externally validated.

Please note, that not all listed below are valid for all Quadient Digital solutions. Please use the link below to understand which certification and/or assessment is valid for a specific Quadient Digital solution.

Solutions covered by the matrix: CXM, IDA, Platform, AR, AP, iForms

Certifications and assessments listed (names marked * link to a public document):

  • ISO 9001:2015 *

  • ISO 14001:2015 *

  • ISO 27001:2022 *

  • ISO 27017:2015 *

  • ISO 27018:2019 *

  • ISO 27701:2019 *

  • SOC 2

  • SOC 3 *

  • HITRUST

  • PCI DSS *

  • CSA STAR *

  • NIST SP 800-53

  • CIS

  • GDPR *

  • CCPA *

  • HIPAA

  • CMMI

  • APRA CPS 231

  • APRA CPS 234

  • EcoVadis

Legend

✓  Certified / In Scope

◦  In progress

*  Clickable certification/assessment name (links to the public document)

 


Main Security, Privacy and Compliance Areas

This chapter serves as an overview of Security, Privacy and Compliance controls implemented within Quadient Digital solutions.

These controls are regularly reviewed by internal auditors and independent external auditors to ensure that all controls are in place, working as intended and in line with both Quadient and its customers’ expectations.

If you have any additional questions, you can reach out to us at privacyteam (at) quadient.com for privacy-related questions or security (at) quadient.com for security-related questions.

General Security and Compliance

Quadient manages compliance to multiple certifications (e.g., ISO 27001, ISO 9001, HITRUST, PCI DSS), frameworks (e.g., SOC 2, NIST Cybersecurity Framework) and legal requirements (e.g., GDPR, HIPAA, CCPA).

Actual compliance levels are reviewed multiple times per year by both internal audit teams and independent external auditors.

For details about which certifications/assessments are applicable to each Quadient Digital product/solution, please check the section "Applicable Certifications and Assessments" above.

Quadient global Information Security Management System (ISMS) responsibilities lie with the Security Board, where executive management and Subject Matter Experts (SME) are present. The Security Board is held quarterly and focuses on ISMS topics affecting the Quadient group.

The Quadient global CSR & Compliance team has regular quarterly meetings, where executive management and Subject Matter Experts (SME) are present. Privacy and ESG topics are included in these meetings.

At the Quadient Digital solution level, there are quarterly Compliance meetings, where Quadient Digital executive management and SMEs are present. These meetings focus on Security, Privacy, Risk Management and other compliance topics affecting Quadient Digital solutions, either SaaS or on-premise.

These three governance forums are supported by additional monthly, bi-weekly and weekly technical product and operational meetings, where compliance topics are reviewed and discussed.

Quadient manages a comprehensive set of policies, integrated within a structured Integrated Management System (IMS). The IMS consists of Security, Privacy, Quality and ESG topics.

All policies are approved by Quadient executive management and have dedicated owners, who are responsible for their regular review and update. Policies are supported by lower-tier documents (e.g., standards or processes) which also have assigned owners and are reviewed at least annually, or after a material change to a system.

Quadient policies (including relevant standards etc.) can be shared once a non-disclosure agreement (NDA) has been signed between both parties. Please reach out to your Account Manager if you wish to receive them.

The exception is the Quadient Digital Information Security Policy, which can be downloaded here.

The Quadient organizational structure contains specific roles to support the ISMS. The Security Board that includes members of the senior and executive management oversees the ISMS on the corporate level and is led by the Director of Information Security.

The Information Security Manager is responsible for the whole compliance system of Quadient Digital solutions globally.

Global roles are supported at the local level by local Security and Compliance Managers, Regional Data Protection Officers, Cyber Security Analysts, Application Security Analysts, Penetration Testers and other roles.

Quadient SMEs working in the area of security are experienced professionals who hold multiple security and privacy relevant personal certifications including, but not limited to: CISSP, CISM, CISA, CDPSE, CRISC or CCSK.

Product Security

Quadient uses Microsoft Azure (Azure) and Amazon Web Services (AWS) as infrastructure (IaaS) for its software solutions. Both Azure and AWS maintain a comprehensive set of certifications and assessments.

Data center locations are the following:

AP (AWS)

North America: ca-central-1 (Montreal, QC)

Europe: eu-west-1 (Dublin, Ireland)

 

IDA (Azure)

EU Primary: Netherlands

EU Secondary: Ireland

UK Primary: London

UK Secondary: Cardiff

Canada Primary: Toronto

Canada Secondary: Quebec

US Primary: Iowa

US Secondary: Illinois

 

CXM (Azure)

EU Primary: Netherlands

EU Secondary: Ireland

UK Primary: London

UK Secondary: Cardiff

US Primary: Iowa

US Secondary: Illinois

APAC Primary: New South Wales

APAC Secondary: Victoria

Japan Primary: Tokyo

Japan Secondary: Osaka

 

AR (AWS)

EU Primary:  Europe, Ireland, eu-west-1

EU Secondary: Europe, London, eu-west-2

 

US Primary: USA, Northern Virginia, us-east-1a (availability zone within the us-east-1 region)

US Secondary: USA, Northern Virginia, us-east-1b (availability zone within the us-east-1 region)

Digital Platform

EU Primary: eu-west-1  

EU backup: eu-central-1

 

US Primary: us-east-1

US Secondary: us-west-2

UK Primary: eu-west-2 

 

Quadient iForms

CA Primary:  Canada, ca-central-1

Customer Data remains in the same geographic region where possible for both the primary and secondary locations, except during emergency failover performed by the third-party providers.

Data submitted to Quadient by customers and processed within Quadient Digital solutions is processed and stored in a multi-tenant environment, where logical segmentation (among other controls) is used to prevent co-mingling of customer data.

Quadient does not require routine access to Customer Data. In very exceptional circumstances (e.g., to resolve specific issues at a customer's request) access can be arranged, but it must be mutually agreed in advance in the relevant contractual agreements between Quadient and the customer.

For such exceptional cases Quadient has a dedicated procedure and a dedicated file exchange mechanism with specific retention policies.

Quadient regularly updates the list of sub-processors used within its solutions. This list is available to Quadient Digital solutions customers as both a PDF and a web-based visualization:

Customers are informed about changes at least one calendar month before a change takes effect. These changes may include the addition of a new sub-processor or a change in processing by an existing sub-processor.

Quadient proactively notifies only customers affected by such changes, or customers for whom there is a legal or contractual commitment to do so. 

Information and Cyber Security

All Quadient internal users receive multiple security awareness trainings throughout the year, including onboarding training to be completed within the first two weeks of employment and before being granted access to confidential information or Customer Data. Refresher training is delivered regularly, along with ad hoc training on key topics.

Training content is regularly updated and tailored by role. Topics include security, privacy and data protection, secure development and deployment, incident management, social engineering, and local legal requirements.

Training attendance and completion are monitored by the responsible teams.  

For Quadient internal users, Acceptable Use Policies are available for major asset types (e.g., end-user devices, email). They also cover acceptable use of social media and instant messaging tools. Unacceptable use is clearly defined, and disciplinary action may be taken if violations are identified.

For customers and their authorized end users, acceptable use requirements are defined in the applicable contractual terms and conditions for the relevant solutions.

For internal users, logical access is granted in line with the principles of least privilege and need-to-know. Access rights are managed using a role-based access control (RBAC) approach, and regular access reviews are performed. Access is revoked or modified within 24 hours of a user leaving Quadient or changing roles.

Systems maintain an access rights matrix to identify potentially conflicting roles. Any identified conflicts are remediated by the relevant Asset Owners (as defined in Asset Management below) for the specific systems. Single sign-on (SSO) and multi-factor authentication (MFA) are used where required. Multiple consecutive failed login attempts result in account lockout, which can be restored by designated administrator roles. A Virtual Private Network (VPN) is used for access to Quadient Digital infrastructure.

For customers, customer administrator roles are responsible for configuring and managing access for their users, including SSO and MFA where applicable.

Quadient solutions use modern, event-driven architectures designed for performance and stability. Each hosted virtual data center is designed for failover and scalability and includes replication mechanisms. Requests are handled by multiple virtual machines via load balancers, and in some cases serverless architectures are used to support large-scale workloads.

Quadient assets have an assigned Asset Owner and are recorded in a documented asset inventory that is regularly updated.

Rules for asset handling are defined in Acceptable Use and Hardening Policies. Asset Owners are responsible for ensuring assets comply with these rules and that risks related to the assets are managed appropriately.

Quadient uses Azure and AWS to store backups in geographically redundant locations to meet customer needs. Backup arrangements are implemented with AWS and Azure as described in the Disaster Recovery section below.

Backups are stored in geo-redundant locations and, where possible, remain within the same geographic region as the primary cloud instance contracted by the customer (EU, UK, United States, Canada, or Australia) to support compliance with applicable legislation. Backups are protected using the same security measures as primary data (e.g., encryption), as further described in the Data Centers section below.

Quadient does not currently operate an external bug bounty program. We continuously evaluate this and may launch one in the future. To confirm the current status, please contact bugbounty (at) quadient.com.

An internal bug bounty program is available to Quadient employees, contractors, and selected third parties.

Business Continuity (BC) Plans are developed based on Business Impact Analysis (BIA) results by the responsible Asset Owners and are tested at least annually. Where appropriate, different test types and approaches are used.

Actions resulting from BC tests are tracked with a clearly assigned owner, action plan, and due date. A dedicated team supports BC plan development and testing to help keep plans current and to ensure an organized response when needed.

Change management is closely linked with risk management, as changes introduce risk that must be assessed and approved by the appropriate authority.

Standardized methods and processes are used to support consistent change execution. Central repositories and automated tools are used where appropriate, and clear notification, escalation, and approval channels are defined and communicated within teams.

Quadient maintains an active cyber insurance policy with global geographic coverage.

The policy is reviewed and renewed on an annual basis. A copy of the insurance certificate or policy details can be provided upon request.

Quadient solutions use redundant hosting: data is stored in two separate locations within the same geography (the primary and secondary sites listed under Product Security above; for some solutions these are separate availability zones within one cloud region, for others a paired secondary region). In the event of a disaster, backup capacity is contracted to restore service within 12 hours.

Quadient solutions have a Recovery Time Objective (RTO) of 12 hours and a Recovery Point Objective (RPO) of 4 hours. DR plans are tested at least twice per year to validate achievement of these targets. Backup and recovery arrangements are maintained with AWS and Azure, and recovery testing is performed regularly to confirm backups can be restored when needed.

Actions resulting from DR tests are tracked with a clearly assigned owner, action plan, and due date. A dedicated team supports DR plan development and testing to help keep plans current and effective.

All data held by Quadient is encrypted. The Quadient standard is AES-256 for data at rest and TLS 1.2 over HTTPS for data in transit.

Encryption keys for Quadient solutions are managed as follows:

AP (AWS)

AWS Key Management Service (KMS)

Digital Platform (AWS)

AWS Key Management Service (KMS)

IDA (Azure)

Microsoft Azure key management services

CXM (Azure)

Microsoft Azure key management services

AR (AWS)

AWS Key Management Service (KMS)

We take the security of our systems seriously and regularly monitor SecurityScorecard and BitSight for insights and areas for improvement.

Quadient is a large organization with thousands of assets, so improvements are prioritized based on risk and asset criticality. We allocate resources accordingly to ensure higher-risk issues affecting critical systems are addressed first.

The external ratings referenced may include assets across multiple Quadient solutions and subsidiaries. As a result, findings may not apply to the specific solution used by a given customer. Core systems supporting customer solutions are segregated and protected to reduce the likelihood of impact, and we work to prevent issues in low-criticality or legacy systems from affecting customer environments.

We remain committed to maintaining strong security across our infrastructure and to protecting customer data. Our teams continually assess and mitigate risks in line with these objectives.

Quadient assets are subject to multiple standard hardening measures, including:

  • Anti-malware tooling with automatically updated definitions

  • Operating system patching

  • Mobile Device Management (MDM)

  • Storage encryption

  • Automatic screen locking

All Quadient employees and contractors are subject to contractual security obligations. A non-disclosure agreement is signed and remains in effect after termination of employment or contract.

Background checks are performed in line with local legislation and can be agreed with customers for regulated projects where required (e.g., criminal record checks, credit checks).

Employees and contractors agree to follow Quadient security and privacy policies and the Code of Ethics. A Disciplinary Action Policy is in place and may be applied where non-compliance is identified.

Quadient’s Security Incident Response Team (SIRT) is responsible for managing security and privacy incidents. Reporting channels and escalation paths are defined. Root causes are identified for incidents, along with impact assessment and lessons learned.

Actions resulting from incident investigations are tracked with clearly assigned owners, an action plan, and due dates.

Customers are informed of incidents that directly affect them or their Customer Data, meaning information or material (including personal data and customer content) that the customer or its end users disclose, submit, or upload to Quadient Digital solutions while using the service.

Throughout the year, Quadient conducts multiple audits with different scopes, standards, frameworks, and legal requirements. These audits are performed by internal teams of skilled professionals and are confirmed at least annually by independent external auditors.

Audit findings are tracked, with clearly assigned owners, action plans, and due dates.

Quadient stores security and audit logs to support traceability of important actions, in line with industry standards. Logs typically include the user ID, action type, and timestamp.

Logs are retained for twelve months and are generally deleted once that period has elapsed, unless specific reasons (e.g., an open investigation or a legal obligation) require longer retention. Logs are monitored by internal teams and, in some cases, dedicated external teams. Suspicious events are investigated.
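As an added example (not Quadient's code or log format) of the controls described here and under access control above (audit records carrying a user ID, action type and timestamp; twelve-month log retention; lockout after multiple consecutive failed logins), the following Python parses a few constructed JSON log lines, drops records older than the retention window and reports accounts whose run of consecutive failed logins reaches an assumed threshold. The line format, field names, threshold and reference time are assumptions for illustration.

```python
"""Added example, not Quadient code: audit-log parsing, retention cutoff and
consecutive-failed-login detection. Format, field names and thresholds are assumed."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample records (one JSON object per line); not real Quadient logs.
SAMPLE_LOG = """\
{"ts": "2025-03-01T09:00:00Z", "user": "alice", "action": "login_failed"}
{"ts": "2025-03-01T09:00:20Z", "user": "alice", "action": "login_failed"}
{"ts": "2025-03-01T09:00:45Z", "user": "alice", "action": "login_failed"}
{"ts": "2025-03-01T09:01:10Z", "user": "alice", "action": "login_failed"}
{"ts": "2025-03-01T09:01:30Z", "user": "alice", "action": "login_failed"}
{"ts": "2025-03-01T09:05:00Z", "user": "bob", "action": "login_failed"}
{"ts": "2025-03-01T09:05:30Z", "user": "bob", "action": "login_ok"}
{"ts": "2025-03-01T09:06:00Z", "user": "bob", "action": "login_failed"}
{"ts": "2023-01-15T08:00:00Z", "user": "carol", "action": "login_failed"}
"""

LOCKOUT_THRESHOLD = 5                 # assumed; the page states no number
RETENTION = timedelta(days=365)       # the twelve-month retention described above
NOW = datetime(2025, 3, 2, tzinfo=timezone.utc)   # fixed reference time for the sample


def parse_log(text):
    """Turn JSON lines into (timestamp, user, action) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, rec["user"], rec["action"]))
    events.sort()
    return events


def apply_retention(events, now):
    """Keep only records younger than the retention window."""
    cutoff = now - RETENTION
    return [e for e in events if e[0] >= cutoff]


def consecutive_failures(events):
    """Return {user: longest run of consecutive login_failed events}.
    A successful login resets the run, so scattered failures do not accumulate."""
    streak, worst = {}, {}
    for _, user, action in events:
        if action == "login_failed":
            streak[user] = streak.get(user, 0) + 1
            worst[user] = max(worst.get(user, 0), streak[user])
        elif action == "login_ok":
            streak[user] = 0
    return worst


def accounts_to_lock(text, now):
    """Accounts whose consecutive failed logins reached the lockout threshold
    within the retained log window."""
    events = apply_retention(parse_log(text), now)
    return sorted(u for u, n in consecutive_failures(events).items() if n >= LOCKOUT_THRESHOLD)


if __name__ == "__main__":
    print(accounts_to_lock(SAMPLE_LOG, NOW))
```

In the sample, alice trips the threshold, bob does not because a successful login sits between her failures, and carol's 2023 record falls outside the retention window and is discarded before analysis.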

All production systems and network devices are continuously monitored at the application level. “Application is running” monitoring is measured in 5-minute intervals to support high availability.

For infrastructure monitoring, performance indicators are tracked across virtual machines, databases, and storage to provide visibility into system health and utilization (capacity planning).

Customer status pages are available to inform customers of planned or unplanned downtime at the following link:

Quadient Cloud: https://university.quadient.com/group/site/quadient-cloud-status

Quadient AP: https://quadientap.statuspage.io/ 

Quadient AR: http://yp-status-page.s3-website-us-east-1.amazonaws.com/ 

Quadient uses multiple technical controls within its network, including (non-exhaustive list):

  • Web filtering

  • Firewall rules management

  • Auto-terminated sessions

  • Network segmentation (zoning)

  • Virtual Private Networks (VPN)

  • Intrusion Detection Systems (IDS)

  • Security Information and Event Management (SIEM)

  • Threat detection

  • Distributed antivirus with centralized management

  • Automated policy management and violation detection

  • Zero Trust Architecture (ZTA)

Networking cables within offices are protected against interception, interference or damage. Wireless networks are protected using WPA2 with per-user username/password authentication (enterprise mode) rather than a shared key.

Network events are monitored by internal teams and, where applicable, external Security Operations Center (SOC) teams. Incidents are escalated and investigated according to internal procedures.

Unique passwords are assigned to internal users and must not be shared. Password construction guidelines follow current industry practice. Passwords are stored salted and hashed, never in plaintext. The use of password manager tools is recommended internally.

For customers, password management within Quadient solutions is configurable. Customer administrators are responsible for configuring password policies in line with their own standards.

Quadient R&D offices are protected by CCTV, physical keys, ID cards, and other controls. Zoning concepts are used to restrict access to more sensitive areas (e.g., server rooms, HR offices). Only a limited number of users have access to these areas. A clean desk policy is implemented. Offices are locked, and alarm systems monitor security after business hours.

Physical and environmental security of datacenters is the responsibility of the hosting providers (Microsoft Azure and Amazon Web Services). Quadient’s cloud platform uses Azure and AWS infrastructure, which includes physical and environmental security controls and certifications. More information is available here:

Quadient maintains a quality assurance (QA) program. Each new release of Quadient applications is tested across multiple scenarios. Testing includes automated and manual regression testing, security testing, functional testing, and high availability testing.

Risk management at Quadient is based on ISO 27005 and uses an asset-based risk approach. Asset Owners are responsible for ensuring that risks affecting assets under their responsibility remain within Quadient’s defined acceptable levels, or for implementing risk treatment plans to mitigate them.

Risk assessments are performed at least annually. Results and proposed risk treatment plans are approved by executive management.

Quadient incorporates security into its software development lifecycle using the OWASP SAMM framework (see: https://owasp.org/www-project-samm/). Security by Design, Security by Default, Privacy by Design, and Privacy by Default principles are followed. Compliance is regularly checked by internal QA/QE teams and confirmed by independent external parties.

All code is version controlled and subject to peer review prior to deployment. Quadient uses separate development, test, and production environments. Production customer data is not used in development or test environments.

Quadient publishes security bulletins and/or status reports for Quadient solutions on a monthly basis. These include security fixes for open-source libraries and the results of security scans performed on Quadient Cloud services.

Security bulletins are available to customers for all digital solutions via a password-protected portal (Quadient University), where they can be viewed and downloaded. Customers are not proactively notified when new security bulletins are published.

Because Quadient Digital solutions operate as a cloud-based SaaS model, certain security responsibilities are shared between Quadient and customer administrators. Some areas are Quadient’s responsibility, some are the customer’s responsibility, and some are shared.

Q = Quadient

C = Customer

Responsibility                           Q     C
Data classification and accountability   No    Yes
Client and end-point protection          Yes   Yes
Identity and access management           Yes   Yes
Application-level controls               Yes   Yes
Network controls                         Yes   Yes
Host infrastructure                      Yes   No
Operating system                         Yes   No
Physical security                        Yes   No
Containers and cloud workloads           Yes   No
APIs and middleware                      Yes   No
Code                                     Yes   No
Virtualization                           Yes   No
Backups                                  Yes   No

Quadient Digital solutions provide environments in which customers can build business workflows. These systems can enable customers to import, store, process, and distribute information, which may include personal data that is sensitive or protected by law. Quadient components provide security features and multiple levels of data protection, as described in this document.

However, when customers develop their own logic within their licensed area of the Quadient Digital environment, customers share responsibility for securing their solutions. Quadient recommends that customers design their solutions using the strongest security controls available within the platform. Customers may contact Quadient Support for guidance on applying security features appropriately.

Quadient is not liable for damage or loss caused by insecure practices or development performed on the customer’s side.

To maintain confidentiality and prevent disclosure of personally identifiable information (PII) or protected health information (PHI), such data should only be included with enhanced security measures as set out in the applicable data processing addendum and contractual agreement. Quadient recommends that customers follow industry best practices, such as delivering outputs securely within authenticated accounts or sending a link to a secure customer-managed portal where users must log in.

Customers may contact their Account Manager for clarification on responsibilities and to be directed to the appropriate Quadient support experts.

Quadient understands supply chain risks and regularly reviews its suppliers. New suppliers must undergo a due diligence process evaluated by multiple internal departments. Existing suppliers are evaluated periodically, at least annually. Depending on supplier criticality, reviews may range from self-assessments to independent third-party audits.

Quadient performs vulnerability assessments and penetration tests based on an approved schedule and frequency aligned to asset criticality. Assessments are performed by dedicated internal and external teams using industry-leading tools (e.g., Qualys, Goose), and include Static Application Security Testing (SAST) where applicable.

Identified vulnerabilities are remediated according to internal processes, with prioritization based on severity.

Data Privacy

Brandon Batt, a member of Quadient Executive Management, is the Quadient Data Protection Officer (DPO).

The DPO is supported at local/regional level by Regional Data Protection Officers (RDPOs).

The Data Protection Officer for Quadient Digital Solutions is Teodora Dorobanțu (t.dorobantu@quadient.com).

A data breach is a situation where sensitive, protected or confidential data, which may include the customer's personal data, is copied, transmitted, viewed, stolen, altered or used by an individual not authorized to do so, whether intentionally or unintentionally.

Subject to the terms of the applicable data processing addendum, customers are informed about data breaches without undue delay after Quadient becomes aware of them.

Quadient will use commercially reasonable efforts to provide its customers with sufficient information to allow them, at their own cost, to meet any obligations to report or inform regulatory authorities, data subjects and other entities of such data breach to the extent required by applicable legislation.

Quadient solutions process data provided by the customer. Such data can range from public or dummy data to credit card data, personally identifiable information (PII) and protected health information (PHI).

While processing and storing personally identifiable information (PII), Quadient solutions provide the following rights:

  • Right to access: customers have full access to their data.

  • Right to correct: we will correct Customer Data within 30 days upon a request to Quadient support.

  • Right to be forgotten: we will remove Customer Data within 30 days upon a request to Quadient support.

  • Right of data portability: customers can download all their data (e.g. JSON, CSV) at any time with no assistance required from Quadient.

Quadient keeps customer data for the term of the subscription and deletes it thereafter safely, subject to the terms of the agreements between Quadient and the customer. Data is only retained based on legal justifications for the respective purpose. For more information, please see the "Data Erasure" section.

Information on customer access to Digital solutions, logs and other related transactional data ("Technical Data"), and data processed by the customer within Digital solutions ("Customer Data"), are deleted from Quadient Digital solutions after the periods listed below.

AP (AWS)

Customer Data – 90 days after contract termination.

Technical Data – 90 days for development environments; for production environments, until the allocated log storage size is reached.

Digital Platform (AWS)

Customer Data – up to 6 years after contract termination.

Technical Data – up to 10 years after contract termination.

IDA (Azure)

Customer Data – driven by customer setting - default is 90 days (archive is longer term - setting and legal requirements). Terminated contract is handled by local offices in application and then are removed within 30 days.

Technical Data – 100 days

CXM (Azure)

Customer Data – after 12 months of inactivity at maximum, or after 30 days when CloudOPS is informed about contract termination.

Technical Data – 1 year.

AR (AWS)

Customer Data – 30 days after contract termination.

Technical Data - 9 months after contract termination.

iForms

Customer Data - Deleted upon successful submission - max-retry retention of 7 days.

Technical Data - Up to 1 year after termination of contract.

 

You can contact us by using these options:

The general Quadient Privacy Statement is publicly available here https://www.quadient.com/en/quadient-website-privacy-statement.

The Privacy Notice for California Residents can be found here https://www.quadient.com/en/california-consumer-privacy-act.

Latest Updates on Cybersecurity and Compliance

This page is intended to inform our customers and partners about the latest compliance updates for Quadient Digital.

For a full list of vulnerabilities and hot fixes, please visit our solutions Knowledge Base.

We’ve completed a facelift of the Quadient Digital Trust Center to make important security information easier to find and use.

What’s new:

  • All public reports and records have been moved to the "Certifications" section for better visibility and logical grouping.

  • Document titles are now clickable and marked with an asterisk “*” so it’s clear which items contain direct links to downloadable files.

  • The previous section related to information sharing has been removed, and the remaining policy content has been consolidated and moved into the ‘Policies’ section under General Security and Compliance.

These changes streamline navigation and help visitors quickly access the documents they need.

We have recently observed an increase in cases where malicious actors send fraudulent messages impersonating Quadient. These emails may contain harmful links, deceptive requests, or attempts to obtain confidential information.

Please remain vigilant:

  • Do not trust emails from unknown or unverified senders.

  • Carefully check the sender’s address, links, and attachments before interacting with them.

  • Do not click suspicious URLs or share any sensitive data.

If you notice any suspicious communication or believe you may have received a fraudulent email, report it immediately to security@quadient.com.

We are pleased to announce that our recent GDPR and CCPA compliance assessment has been successfully completed with no non‑conformities identified.

The review included inquiry and inspection procedures covering governance, documented policies and procedures, and privacy‑related controls. 

This positive outcome reflects our continued commitment to maintaining strong data protection and privacy practices across Quadient.

We’re pleased to announce that Quadient has successfully completed a HIPAA Security compliance recertification assessment for our Business Automation Services (CXM, IDA, AR, AP, iForms, Hub, PSO). The assessment was performed by 360 Advanced and reviewed our safeguards aligned to the HIPAA Omnibus Final Security Rule (January 2013) governing protected health information (PHI).

This assessment examined the controls, policies, procedures, and supporting IT processes that protect the confidentiality, integrity, and availability of systems and data used to deliver Quadient’s Business Automation Services on behalf of covered entities. The work included documentation reviews, interviews with key personnel, process walk-throughs, and control testing where applicable. 

Completing this assessment reinforces our commitment to helping customers support their HIPAA compliance needs and to maintaining strong safeguards for sensitive health information within our software and facilities.

We’re pleased to share that Quadient has successfully completed its SOC 2 recertification for the Business Automation Services system. The examination was performed by 360 Advanced and evaluated all five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

This recertification reinforces our ongoing commitment to protecting customer data and operating our services in line with recognized assurance standards. The scope covered our Business Automation Services portfolio (CXM, IDA, AP, AR, iForms, HUB, and PSO). AWS and Microsoft Azure are used as subservice organizations for hosting, data storage, and infrastructure services.

We are excited to announce that we have successfully achieved Payment Card Industry Data Security Standard (PCI DSS) certification for AR. This certification is a significant milestone in our commitment to ensuring the highest level of security for payment card data.

Achieving PCI DSS certification demonstrates our dedication to protecting sensitive payment information and complying with industry standards. This accomplishment not only enhances our security posture but also builds trust with our clients and stakeholders.

We are pleased to announce that we have successfully updated the CSA STAR Level 1 assessment for all our products. This achievement marks a significant milestone in our commitment to cloud security and demonstrates our adherence to the highest standards in the industry.

The CSA STAR (Security, Trust & Assurance Registry) Level 1 assessment involves a rigorous evaluation of our cloud security practices against the Cloud Controls Matrix (CCM). By completing this assessment, we have showcased our dedication to transparency, accountability, and continuous improvement in cloud security.

We would like to inform you that we are currently undergoing a comprehensive Payment Card Industry Data Security Standard (PCI DSS) audit for AR. This audit is a critical step in ensuring that our payment card security measures are robust and compliant with industry standards.

The audit process involves a thorough evaluation of our systems, policies, and procedures related to payment card data security. Our goal is to identify any areas for improvement and implement necessary changes to enhance our security posture.

We anticipate receiving the results of the audit in the third quarter of 2025. These results will provide valuable insights into our current security practices and guide us in making any required adjustments to maintain compliance and protect sensitive payment card information.

I am thrilled to announce that we have successfully achieved ISO 27701:2019 certification for AR. This accomplishment is a testament to our commitment to privacy information management and the protection of personally identifiable information (PII).

ISO 27701:2019 is an extension to ISO 27001 and ISO 27002, and it provides guidelines for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). By achieving this certification, we have demonstrated our dedication to enhancing our information security management practices and meeting regulatory requirements.

We are pleased to inform you that Quadient has been awarded ISO 9001:2015 certification for our Accounts Receivable solution. This distinguished certification underscores our steadfast dedication to providing exceptional quality and excellence in our services.

The ISO 9001:2015 standard is an internationally recognized framework for quality management systems. Attaining this certification reinforces our dedication to meeting customer expectations and continuously enhancing our processes.

We are delighted to inform you that Quadient has successfully achieved ISO 27001:2022 certification for our Accounts Receivable solution. This esteemed certification highlights our unwavering commitment to upholding the highest standards of information security and protecting our customers' data.

The ISO 27001:2022 standard is an internationally recognized framework for managing and safeguarding sensitive information. By achieving this certification, we have reinforced our dedication to ensuring the confidentiality, integrity, and availability of information within our Accounts Receivable solution.

We are pleased to inform you that Quadient has successfully completed a comprehensive privacy assessment conducted by Ernst & Young (EY). This assessment covered our compliance with key privacy regulations, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Health Insurance Portability and Accountability Act (HIPAA).

The completion of this assessment underscores our commitment to maintaining the highest standards of data privacy and protection. By conducting assessments by EY, a globally respected professional services firm, we have ensured that our practices and policies meet stringent regulatory requirements.

We are delighted to inform you that Quadient has achieved Global ISO 27001:2013 certification for our Information Security Management System, now accredited by DNV. This prestigious certification underscores our unwavering commitment to maintaining the highest standards of information security and safeguarding our customers' data.

We are excited to announce that Quadient has successfully achieved ISO 14001 certification for our Environmental Management System, now certified by DNV. This certification reflects our ongoing commitment to environmental responsibility and sustainable business practices.

We are pleased to announce that Quadient has successfully maintained its ISO 9001 certification for our Quality Management System; however, we have changed our certification body to DNV. We are proud of this achievement and the dedication of our team in maintaining these high standards. Let us continue to uphold the principles of the ISO 9001 standard and strive for excellence in all that we do.

We are excited to announce that all Quadient Digital products (Inspire, Impress, Quadient AP by Beanworks, Quadient AR by YayPay, HUB, and iForm) have successfully completed an external SOC2 Type II assessment. This thorough evaluation, conducted by EY, confirms our dedication to providing secure and dependable software solutions to our customers.

The assessment covers all five trust services criteria: security, availability, confidentiality, privacy, and processing integrity. This comprehensive approach ensures that our SaaS solutions adhere to the highest standards of security and compliance, effectively reducing risks associated with data breaches and cyber threats. 

This was done in cooperation with an external independent party (Ernst & Young).

The SOC2 assessment report can be provided only when a mutual Non-Disclosure Agreement (NDA) is signed by both Quadient and the requesting party. Please reach out to your Account Manager if you would like to receive it.

Quadient Digital Solutions CXM, IDA and HUB successfully passed the HITRUST v9.1 interim assessment. No corrective action plans were identified.

This was done in cooperation with an external independent party (BDO).

The HITRUST interim letter can be found in the section "Reports and Records".

We are pleased to announce that Quadient Technologies Czech s.r.o. has successfully undergone a surveillance audit for ISO 27001:2013, reaffirming our commitment to Quality and Environment management systems. This is the last time we have been audited against the 2013 revision of the ISO standard; from next year on we will be audited against the 2022 revision, including all the changes it brought to the table.

The certification body is SGS.

The certificate can be found in the section "Reports and Records".

We are pleased to announce that Quadient Technologies Czech s.r.o. has successfully undergone a surveillance audit for ISO 9001:2015 and ISO 14001:2015, reaffirming our commitment to Quality and Environment management systems.

The certification body is SGS.

The certificate can be found in the section "Reports and Records".

We are pleased to announce that the Quadient AR product has successfully passed a full recertification against the Payment Card Industry (PCI) DSS v4.0 standard, confirming the security of customer data and processes. This year's certification process included migration to the new version 4 of the standard, a comprehensive technical and process audit, a review of previous findings, and internal and external pentests. PCI DSS is a global information security standard for organizations that process credit card transactions from the major card brands. The standard was created to strengthen controls over cardholder data in order to reduce credit card fraud.

The certification and pentests were conducted by Compliance Control Ltd, our trusted partner for many years. Their experience and team ensure that we meet the highest standards of information security.

This re-certification reaffirms our commitment to protecting our customers' data and maintaining exemplary business practices. The certification is valid until May 30, 2025 and can be viewed here.

We are pleased to announce that Quadient AR has successfully undergone a full re-certification for ISO 27701:2019, reaffirming our commitment to data privacy and security. The re-certification process involved a comprehensive re-audit, a review of previous findings, and an in-depth analysis of the controls we have in place to protect Personally Identifiable Information (PII).

ISO 27701:2019, known as the Privacy Information Management System (PIMS), provides a framework for managing data privacy, helping to mitigate financial and regulatory risks associated with data breaches.

Bureau Veritas, a leader in testing, inspection, and certification since 1828, conducted the certification. Their expertise ensures our compliance with the highest standards in data privacy and security.

This re-certification reaffirms our commitment to protecting our customers' data and maintaining exemplary business practices. Our certification is confirmed through April 20, 2025 and the certificate is available here.

We are pleased to announce that Quadient AR has successfully achieved certification for ISO 27017:2015 and ISO 27018:2019, further demonstrating our commitment to cloud security and data privacy. This certification process covered business analysis, development, testing and operation processes in software development, and was conducted by Bureau Veritas. Their expertise validates our adherence to the highest levels of security and privacy standards.

ISO 27017:2015 provides guidelines for information security controls applicable to the provision and use of cloud services, ensuring that cloud-based environments are secure. ISO 27018:2019 focuses on the protection of personal data in the cloud, providing a framework to ensure that Personally Identifiable Information (PII) is managed with the highest standards of privacy and security.

Achieving these certifications underscores our dedication to maintaining robust security practices and protecting our customers' data in cloud environments. 

Both certifications are valid through 10 April, 2027 and are available to customers on request. 

We are proud to announce that our Quadient CXM, IDA, and AP SaaS solutions have successfully passed an independent external re-assessment focused on GDPR, CCPA, and HIPAA compliance. This thorough assessment was conducted by BDO and confirms our continued commitment to the highest levels of data protection and regulatory compliance.

The re-assessment ensures that our solutions meet the requirements of the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Health Insurance Portability and Accountability Act (HIPAA). These regulations are critical for safeguarding personal data and maintaining customer trust.

The auditors' letters are available here: CXM, IDA, AP. Detailed assessment reports are available for review upon request. To obtain a copy, please reach out to your Account Manager to sign a mutual non-disclosure agreement (NDA).

Quadient is pleased to announce the update to its listing for Cloud Security Alliance (CSA) Star Level 1 Consensus Assessments Initiative Questionnaire v4.0.2 (CAIQ). By regularly updating our CAIQ listing, we demonstrate our ongoing commitment to maintaining secure cloud environments for our customers.

The latest version covers the Quadient CXM, IDA, HUB, AP and AR solutions from the Quadient ICA solution portfolio.

It can be downloaded here https://cloudsecurityalliance.org/star/registry/quadient/services/quadient-cloud.

Quadient ICA remains at the forefront of cloud security, continually enhancing our offerings to meet evolving industry standards and customer expectations. We are proud to provide our customers with cloud solutions that prioritize security, reliability, and compliance.

We are delighted to announce the successful re-certification of the design, development and implementation of software solutions for ISO 27017:2015 and ISO 27018:2014. This achievement covers our Quadient CXM and IDA products.

ISO 27017:2015 and ISO 27018:2014 focus on cloud security controls and on the protection of personally identifiable information (PII) in cloud services, respectively. These certifications are important for our organization to validate the effectiveness of the controls in place to ensure the security and privacy of our customers' data.

The certification was conducted by SGS, one of the world's leading testing, inspection and certification companies. Their expertise and thorough evaluation process ensure our adherence to the highest standards of security and privacy.

This re-certification underscores our commitment to safeguarding customer data and maintaining excellence in security practices. The certifications are valid through 14 January, 2026.

We are delighted to announce that Quadient AR by YayPay has successfully passed a HIPAA-focused independent external re-assessment conducted by 360 Advanced, reaffirming our commitment to data security and compliance.

This rigorous assessment ensures that Quadient AR meets the requirements set forth by the Health Insurance Portability and Accountability Act (HIPAA), which safeguards protected health information (PHI) and ensures its confidentiality, integrity, and availability.

The assessment report is available upon request. Due to the sensitive nature of the information contained within the report, a non-disclosure agreement (NDA) must be signed between both parties before it can be shared. If you would like to review the assessment report, please reach out to your Account Manager.

We are thrilled to announce that Quadient Inspire, Quadient Impress and Quadient AP by Beanworks, all within Quadient's ICA suite of SaaS solutions, have successfully passed an external SOC2 Type II re-assessment. This comprehensive evaluation, conducted by BDO, validates our commitment to providing secure and reliable software solutions to our customers.

Furthermore, we are excited to announce that Quadient ICA HUB was included within the assessment for the first time. 

In addition to all five trust services criteria of security, availability, confidentiality, privacy and processing integrity, this assessment also included controls based on the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) 800-53 framework. This comprehensive approach ensures that our SaaS solutions meet the highest standards of security and compliance, mitigating risks associated with data breaches and cyber threats.

Additionally, Quadient AR by YayPay, has completed a SOC2 Type II assessment conducted by 360 Advanced. While this assessment focused solely on SOC2 controls, it further reinforces our dedication to maintaining the highest standards of security and compliance across all our products and services.

The auditors' letter is available here.

The Quadient ICA HUB SaaS solution successfully passed a GDPR, CCPA and HIPAA focused independent external assessment (performed by BDO).

The assessment report can be shared when a non-disclosure agreement (NDA) is signed between both parties. Please reach out to your Account Manager if you wish to receive it.

In cooperation with Compliance Control, Quadient AR by YayPay successfully re-certified PCI DSS 3.2.1 for the selected scope.

We have successfully re-certified the selected scope for ISO 9001:2015 and ISO 14001:2015.

The certification body is SGS.

The Quadient group confirmed its strong focus on ESG activities by repeating its platinum rating.

The French branch of Ernst & Young performed an audit of CSR activities within the Czech Republic and the Quadient R&D centers located there.

The report can be shared when a non-disclosure agreement (NDA) is signed between both parties. Please reach out to your Account Manager if you wish to receive it.

The Quadient CXM and IDA SaaS solutions successfully passed a GDPR, CCPA and HIPAA focused independent external re-assessment (performed by BDO). For the first time, Quadient AP by Beanworks was also included, and it successfully passed as well.

The assessment report can be shared when a non-disclosure agreement (NDA) is signed between both parties. Please reach out to your Account Manager if you wish to receive it.

Blog article from the CXM CSO: https://www.quadient.com/en/blog/message-our-chief-solution-officer-cxm-amid-covid-19-crisis

To confirm our security posture for APAC region specific legal requirements, we performed an independent external assessment (performed by BDO) focused on the requirements of CPS 231 and CPS 234.

The Quadient CXM and IDA SaaS solutions, which were in scope, passed the assessment successfully.

The assessment report can be shared when a non-disclosure agreement (NDA) is signed between both parties. Please reach out to your Account Manager if you wish to receive it.

The Quadient Inspire and Impress SaaS solutions successfully passed an external SOC2 Type II re-assessment (performed by BDO).

Quadient AP by Beanworks was also successfully assessed, for the first time.

The YayPay SOC2 Type II assessment was done by 360 Advanced.

Quadient AR by YayPay has successfully passed a HIPAA focused independent external re-assessment (performed by 360 Advanced).

The assessment report can be shared when a non-disclosure agreement (NDA) is signed between both parties. Please reach out to your Account Manager if you wish to receive it.

We have successfully certified the selected scope for ISO 27701:2019.

The certification body is Bureau Veritas.

In cooperation with Compliance Control, Quadient AR by YayPay successfully re-certified PCI DSS 3.2.1 for the selected scope.

In the context of the Ukraine conflict, Quadient has implemented a series of additional controls and measures to mitigate the risk of cyber attacks, the threat level of which has recently increased:

  • Strengthened authentication process on information systems

    • Multi-factor authentication (MFA) is in place where it is required most, balancing risk against productivity

  • Increased security supervision, with the support from a specialist 3rd party

    • 24x7 monitoring of all of our key IT assets (e.g. devices, server / hosting, network access points etc.)

  • Back-up of critical data and applications offline, which is standard practice at Quadient

  • Prioritized list of the organization's critical digital services

    • Classified as mission critical vs business critical vs standard, with heightened requirements around mission and business critical systems

  • Reminder and re-enforcement of our cyberattack crisis management process across all departments involved

In case of questions, please contact security-group@quadient.com.

In cooperation with an external independent party (BDO) we have combined our previous standalone HITRUST certifications of Inspire (v9.1) and Impress (v9.3) SaaS into one (v9.1).

We have successfully certified the selected scope for ISO 27001:2013.

The certification body is Bureau Veritas.

To confirm our dedication to both privacy and security compliance, we have engaged an independent external party (BDO) to perform an external assessment of our CXM and IDA SaaS solutions against the requirements of GDPR, CCPA and HIPAA.

Both solutions have successfully passed the assessment.

The assessment report can be shared when a non-disclosure agreement (NDA) is signed between both parties. Please reach out to your Account Manager if you wish to receive it.

We have successfully certified the selected scope for ISO 9001:2015.

The certification body is Bureau Veritas.

YayPay has successfully passed an independent HIPAA assessment performed by 360 Advanced.

The assessment report can be shared when a non-disclosure agreement (NDA) is signed between both parties. Please reach out to your Account Manager if you wish to receive it.

The Quadient Inspire and Impress SaaS solutions successfully passed an external SOC2 Type II re-assessment (performed by BDO).

The YayPay SOC2 Type II assessment was done by 360 Advanced.

In cooperation with Compliance Control, Quadient AR by YayPay successfully passed certification of PCI DSS 3.2.1 for the selected scope.

As an addition to the already existing HITRUST certification for Inspire SaaS, we have engaged an independent external party (KirkpatrickPrice) to perform an external assessment of our IDA SaaS solution against the requirements of HITRUST v9.3.

We have successfully passed.

We have successfully certified the selected scope for ISO 27001:2013.

The certification body is SGS.

An independent external party (KirkpatrickPrice) helped us to successfully pass the HITRUST v9.1 interim (or re-certification, if you wish) for our CXM SaaS solution.

The Quadient Inspire and Impress SaaS solutions successfully passed an external SOC2 Type II assessment (performed by KirkpatrickPrice).

The YayPay SOC2 Type II assessment was done by 360 Advanced.

During these exceptional times, Quadient is adapting to the Coronavirus (COVID-19) situation with great diligence, and I want to personally assure our customers and partners that we are doing all that is in our power to provide a safe work environment for our employees and ensure business continuity.

Quadient has always been committed to its employees, and their health, as that of their families, remain our top priority. As an organization with a global presence, and in order to participate in the collective effort to protect the communities where we operate, we are taking the measures necessary to minimize the impact of the situation on our activities, but also on the communities around us.

Thanks to the preparation work and the support of our worldwide team, we have confidence in our business continuity plans and our ability to continue to support our customers and partners through the COVID-19 pandemic. As such, we have made provisions to reduce the risk of exposure for all parties.

Employees who are able to work remotely have been instructed to work from home as of Monday, March 16, 2020. For employees who must work on site, we are taking measures to ensure they are provided with a safe environment by applying strict health and safety protocols.

For the same health and safety reasons, we have also requested the cancellation of business travels and public events attendance to all our staff members. In-person meetings that are not absolutely critical are being replaced by virtual meetings or will be postponed to a later date.

Our teams are accustomed to remote work, leveraging digital collaboration tools on a regular basis in the normal course of business. Professional services personnel and support staff are on duty and maintaining regular schedules around the globe, and are able to support you through online support portals as well as our call centers, and ensure customers with support contracts maintain uptime.

In particular, hardware customer support representatives remain available via phone and email. Support is also available via chatbot through our websites in the United States, UK, Ireland and France. Field technicians continue to provide on-site support to our customers with as little disruption as possible.

Thank you for your continued trust in Quadient. We are committed to being there for our employees, customers and partners, and will continue to keep you informed as the situation evolves.

Sincerely,

Geoffrey Godet, CEO, Quadient

We have successfully certified the selected scope for ISO 9001:2015 and ISO 14001:2015.

The certification body is SGS.

We have successfully certified the selected scope for ISO 27017:2015 and ISO 27018:2014.

The certification body is SGS.

As a new testament to our dedication to security, we have engaged an independent external party (KirkpatrickPrice) to perform an external assessment of our CXM SaaS solution against the requirements of HITRUST v9.1.

We have successfully passed.