Safe, compliant, and transparent by design.
We keep customer funds in separate trust accounts. Your money never mixes with ours.
Payments flow through licensed partners. Qualy facilitates, but never holds or moves your funds directly.
We only work with regulated payment providers who are licensed in their jurisdictions.
As soon as funds clear, we disburse them to schools or agents. No unnecessary delays. Minimizing risk and impact in case of breach.
Every payment has a full audit trail. You can track when it's paid, cleared, and disbursed.
Card data is handled only by PCI DSS-compliant providers. Qualy never stores card info.
We never store card details on our systems. All sensitive data is handled by our partners.
We have systems in place to handle chargebacks and disputes efficiently, minimizing impact on schools and agents.
We run on secure Google Cloud infrastructure with best-in-class uptime and security.
All customer data is encrypted at rest using strong encryption standards.
We enforce HTTPS with HSTS and use end-to-end TLS 1.2+ for secure communications.
Our build systems follow SLSA 3 standards, protecting against tampering and supply chain attacks.
Nobody has manual access to production systems. Everything goes through audited pipelines.
Each client’s data is siloed. No data leaks between schools, agents, or users.
We use multiple layers of firewalls to protect our infrastructure.
Our infrastructure is monitored 24/7 for uptime, anomalies, and potential threats.
We use platform-level protections to defend against DDoS and other common attacks.
Our systems use ZSP, meaning no one has permanent access to production environments. Access is granted only when needed and logged.
We enforce a “reject” policy on DMARC to prevent spoofed emails from being delivered.
DNSSEC is enabled on our primary domains, ensuring DNS lookups are verified and tamper-resistant.
Outbound email reputation and delivery are continuously monitored to avoid issues with missing invoices or payment links.
We isolate transactional email from marketing or internal communication to reduce reputational risk.
We have measures in place to prevent brute force attacks on user accounts, including rate limiting and account lockouts. Our authentication system is powered by Google.
Our vigilant, adaptive firewall is primed to block any unsolicited traffic or malicious payloads, ensuring constant protection against potential vulnerabilities.
Our team members only see what they need to do their job. No broad access granted.
All team members handling sensitive systems undergo background verification.
All staff complete regular security and compliance training sessions.
2FA is required for all internal systems, and available for all users on the platform.
We follow the principle of least privilege, ensuring team members only have access to what they need.
While Qualy is not a financial license holder, our partners are fully licensed and compliant.
We adapt to each region's rules—like Brazilian BACEN rules or Australia's AML laws—through our partners and with our own controls.
All payments and system actions are logged and time-stamped for audit-readiness.
We perform CDD on all customers to ensure compliance with local regulations.
We follow GDPR principles, ensuring data privacy and user rights are respected.
We comply with Brazilian regulations, including the Lei Geral de Proteção de Dados (LGPD) and BACEN rules for payment handling.
We share security responsibilities with you, our suppliers, and our partners ensuring a comprehensive approach to security.
We use queues, backups, and replication to ensure the platform can recover quickly from issues.
If something fails, systems switch to backups without user disruption.
All payments and processes are queued and retried safely in case of failures.
We take regular backups of all critical data, ensuring we can restore quickly if needed.
We have scheduled release freeze windows to minimize risk during critical periods.
We use advanced error tracking and alerting to catch issues before they affect users.
We know whom to call, what to do, and how to communicate in case of incidents. Our incident response plan is ready and tested.
We never hide who our upstream partners are—we believe transparency builds trust.
We communicate openly about incidents, outages, and changes that affect customers.
Our status page shows real-time system health, incidents, and maintenance updates.
Our pricing is straightforward, with no hidden fees or surprises.
We don’t lock you in with contracts. You can leave anytime, no questions asked.
Qualy was designed for collecting payments for the international education industry. It helps colleges, schools, and education agents of all sizes.
