Userlytics’ Information Security Overview
Userlytics takes pride in operating and continuously reviewing a documented Information Security Management System framework to protect the privacy and security of our clients, test participants, and team members. Over the years, we have taken special care to ensure we are following and exceeding the top internationally recognized security standards to prevent unauthorized access, damage or deletion of any private information.
Below are some of the measures we have put in place to ensure ongoing data security:
Security & Privacy Certifications and Compliance
ISO 27001
ISO 27001 certification is the internationally recognized best-practice framework for an Information Security Management System (ISMS) and ensures that we have invested in the people, processes, and technology to protect our customers' data and privacy. Both our hosting provider (Amazon Web Services) and Userlytics itself are ISO 27001 certified, adding a second layer of security to any valuable data shared through our platform.
Privacy Shield Compliant
Userlytics is fully Privacy Shield compliant and ICO certified in the United Kingdom. We are also fully GDPR compliant and are committed to keeping our customers' data protected and to safeguarding their rights.
Data Security
All confidential and proprietary data (including video files, customer and test participant data) is hosted through Amazon Web Services (AWS), a SOC 2 and ISO 27017 certified hosting provider with the following global security certifications: CSA, ISO 9001, ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1, SOC 1, SOC 2 and SOC 3 as well as: CJIS, DoD SRG, FedRAMP, FERPA, FIPS, FISMA, HIPAA, and NIST.
Data Encryption
All of our data is stored in encrypted form using 256-bit AES encryption; AWS Key Management Service (KMS) manages the encryption keys. Additionally, all communications to and from our services are encrypted using TLS 1.2 or greater.
Based on internationally recognized best practices (NIST and FIPS), we apply encryption in the following ways:
- Encrypt data in transit
- Encrypt data at rest
- Encrypt backup data
- Encrypt confidential information
- Encrypt endpoints
Password and Login Protection
Our strict password policy applies to our platform and all our systems. Some of its features are:
- Two-Factor Authentication
- Prevents users from reusing the last 12 passwords
- Mandatory password complexity
- Locking accounts after multiple failed attempts
- Logging users out of the system after periods of inactivity
- Single Sign-on
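The following is an added example, not Userlytics' own code, showing how the account-level rules listed above (password-history check against the last 12 passwords, mandatory complexity, lockout after repeated failures, and inactivity timeout) can be enforced in one small account model. The history depth of 12 comes from the list above; the lockout threshold (5 attempts), the 15-minute inactivity window, the minimum length and the specific complexity classes are assumptions chosen for the example, as is the use of PBKDF2-HMAC-SHA256 for password hashing.

```python
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Policy parameters. HISTORY_DEPTH is taken from the page's policy list;
# the other values are assumptions made for this example.
HISTORY_DEPTH = 12
MAX_FAILED_ATTEMPTS = 5
INACTIVITY_TIMEOUT_SECONDS = 15 * 60
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using a fresh random salt unless one is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def check_complexity(password: str) -> List[str]:
    """Return a list of complexity violations (empty list means the password passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    return problems


@dataclass
class Account:
    username: str
    # Most recent first; each entry is (salt, digest). Entry 0 is the current password.
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    failed_attempts: int = 0
    locked: bool = False
    last_activity: float = 0.0


def set_password(account: Account, new_password: str) -> List[str]:
    """Apply complexity and history rules; store the password only if both pass."""
    problems = check_complexity(new_password)
    # Reject any password that matches one of the last HISTORY_DEPTH stored hashes.
    for salt, digest in account.history[:HISTORY_DEPTH]:
        if verify_password(new_password, salt, digest):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
            break
    if problems:
        return problems
    account.history.insert(0, hash_password(new_password))
    del account.history[HISTORY_DEPTH:]  # keep only the most recent HISTORY_DEPTH entries
    return []


def login(account: Account, password: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'denied', 'locked' or 'no_password'; locks after repeated failures."""
    now = time.time() if now is None else now
    if account.locked:
        return "locked"
    if not account.history:
        return "no_password"
    salt, digest = account.history[0]
    if verify_password(password, salt, digest):
        account.failed_attempts = 0
        account.last_activity = now
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True
        return "locked"
    return "denied"


def session_active(account: Account, now: float) -> bool:
    """A session expires once the inactivity window has elapsed since the last activity."""
    return (now - account.last_activity) < INACTIVITY_TIMEOUT_SECONDS
```

The history check compares the candidate against stored salted hashes rather than plaintext, so enforcing "no reuse of the last 12" never requires retaining old passwords in recoverable form; the cost is one PBKDF2 computation per history entry at password-change time, which is acceptable for an infrequent operation.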
Development
At Userlytics, we take care in building the products and services we provide to our customers. When developing software, we follow a series of standardized methodologies and phases to ensure the product is secure.
Suppliers
We periodically review the security processes and measures of our suppliers and collaborators.
Data Sanitization and Asset Disposal
When a storage device has reached the end of its useful life, media that stored customer data is always securely decommissioned. We decommission media using NIST and BSI techniques.
Limited Participant PII
We only collect the participant PII that is necessary to manage demographics and connect our clients with the right test participants. We do not share a participant’s full details so as to protect their PII.
Advanced Security Training for all Team Members
We conduct periodic cybersecurity courses for all personnel, specific to their roles. We also have a stringent hiring policy in place to guide the hiring of personnel, which entails pre-hire screenings and testing to ensure proper security awareness.
Governance
The Board of Userlytics is extensively involved in the development of the Userlytics’ security framework. Our prioritization of information security ensures the company’s ISMS controls are properly integrated into our processes.
Risk Management Assessment
Identifying security threats, the probability of their occurrence, and adapting processes, technologies, personnel and facilities to handle them is necessary to maintain the security of our client and participant information. We are equipped with processes and tools to adequately assess, prevent, and mitigate any possible risks to our clients’ security.
Disaster Recovery Plan
In line with our business continuity plan, Userlytics has a backup and recovery strategy that covers all relevant processes and assets of the organization to ensure adequate service to our clients.
Business Continuity Plan
It is a priority objective of the company to provide our customers with a Service Level Agreement (SLA) of higher than 99% availability, allowing us to provide customers with service availability at all times, regardless of the circumstances.
Incident Response Plan
As part of our dedication to data security, we are constantly monitoring for potential security threats and incidents. Any potential threats are appropriately classified and communicated to stakeholders to comply with legislation and regulation, and more importantly, to assure our clients that their information is safe with us. To this end, we have personnel and processes assigned to review threats and inform our stakeholders, as well as the tools, technology and policies to adequately mitigate these threats.
The Userlytics Security Team
The Userlytics security team is dedicated to implementing and maintaining internationally recognized security standards to prevent unauthorized access, damage or deletion of any private information. The team is made up of our Chief Information Security Officer (CISO) and a surrounding group of staff members trained in data and security protection. With expertise in various areas of information security, membership in several international cybersecurity communities, and ownership of various industry-leading certifications, our security team is constantly learning and updating their knowledge on new risks and processes in order to keep you safe.
Our security team implements various measures to ensure ongoing information security, including:
- Daily security tools and logs monitoring
- Weekly security scans, reports, updates, and meetings
- Monthly security training sessions
- Required cybersecurity courses
- Pentests (simulated cyber attacks) conducted on at least a yearly basis
Additional questions about our privacy and security practices may be forwarded to our security team: security@userlytics.com.