QualityAI™ Solution Architecture.
Here’s a top-level look at the architecture of the solution. Of particular note is something that should be standard, but is all-too-often not: an encrypted, multi-tenant database to maintain the highest level of separation in all data.

Access and Permissions

The Principle of Least Permission (PoLP) was very important to our architect and developers, as well as our Chief Strategy Officer. It isn’t the easy or inexpensive way to design an application, but we felt it was crucial to go the extra mile for this granular level of security when working with global organizations.

Users have access strictly limited to what is assigned by job duties and role

Administrators only have access to the data necessary to operate the application

All access to the app can be traced at any time using system access logs and AWS CloudTrail event logging, including all changes to users, documents, images, videos, audits, mitigations, and corrective actions

Authentication and Authorization

Standards such as these are often overlooked by typical application developers, and when they are not given the same level of thought, the roll-out of the solution can be difficult. The design here ensures that Corporate IT will be able to easily integrate the solution within the organization and manage it effortlessly.

Authentication Process
Users have access strictly limited to what is assigned by job duties and role

Directory Services
Organizations that would like to utilize their own enterprise directory services are supported via integration with many SAML v2.0-compliant Identity Providers

Authorization Levels

  1. Organization Administrator
  2. Site Administrator
  3. Audit Author
  4. Auditor
  5. Manager

Account Security and Encryption Standards

Great care was taken even for items with top-level security and encryption – industry standards which should never lead to a compromise. The only thing better than a highly secure, highly encrypted password is a password that is never stored or even received in any way by our application, which we achieve using Secure Remote Password (SRP).

  • Secure Remote Password (SRP) is the gold standard for passwords
  • Passwords never stored or even received by QualityAI
  • Passwords never sent over the network
  • Both client and server are authenticated to prevent man-in-the-middle attacks
  • User passwords subject to current standards – minimum rules, force changes, lockout upon configurable number of invalid attempts
  • Passwords always encrypted
  • CSRF tokens are used to prevent request forgery, and throttling is implemented to prevent DDoS attacks
  • TLS v1.2 encrypts traffic between the QualityAI application and users
  • All ciphers are reviewed regularly, and weak ciphers are disabled
  • The Advanced Encryption Standard (AES-256) automatically encrypts all documents and other attachments

System Administrator Rights and Access Control

The same level of thought put into application users was also designed into all administrative users and functions.

Specified permissions and limited access to production systems based on defined job functions and roles for specific administrators

Three authentication methods required for production server access:

  • Certificate
  • Unique User Password, and
  • Multi-Factor Authentication

Additional System Administrator Security Measures

  • Each discrete login session is tracked at the AWS platform level
  • AWS CloudTrail and system log underpinnings provide all history and commands issued
  • Specific security training during QualityAI application implementation