Security Standards at Userpilot


SOC 2 Type II

Hippa Compliant


Userpilot is a product experience platform that is used by hundreds of teams to deliver in-app experiences to their users. As a vendor that processes millions of data points on a daily basis, we take our customers and their users’ data very seriously. Userpilot takes full responsibility for all data that’s processed through the platform. Our data is fully encrypted, managed, and stored by SOC-compliant vendors such as Amazon AWS and Google Cloud.


All data that is handled and processed through the Userpilot platform is fully secured against unauthorized access. Only authorized Userpilot personnel are allowed to access such data and are required to authenticate themselves whenever such data is accessed. We have also taken extreme measures to prevent unauthorized access, theft or manipulation of data. Access reviews are done upon onboarding and offboarding as well as routinely once every quarter.
Internal security
All of our projects undergo routine security assessments, including regular penetration tests conducted by certified auditors. If you would like to receive a copy of the reports, kindly contact [email protected]. Please be advised that parties requesting access to our penetration test reports are required to sign a Non-Disclosure Agreement (NDA) before the information can be shared. Additionally, authentication keys are securely hashed, and we employ AWS tools for the management of production secrets.
Product security
Account Access is controlled, SSO integration for enterprise customers can be set up. Transparent and fine grained control over user access. Multi Factor Authentication (MFA) can be provided for an additional layer of security. When logging into Userpilot, it can be enforced on account level for all team members.
Network and application security
Additional Security features


The Userpilot platform architecture was built to ensure maximum accessibility and uptime. Our APIs are fully separate from our product server, and redundant failover servers are set in place. Our infrastructure is largely provisioned across AWS, with a small footprint in GCP (Google Cloud Platform), in order to power smaller components in our Userpilot application. Our Amazon infrastructure is contained within Userpilot managed VPCs (Virtual Private Clouds) and provides total isolation from other instances in the same datacenter. Moreover, all of our data is synced in real-time with multiple backups on a daily basis.


We perform daily backups of all application data in multiple locations. We ensure every instance is fully encrypted and secured.

GDPR compliance with Userpilot

As the GDPR provides the golden standard when it comes to Data Protection, Customers and Prospects can request our DPA which covers the mechanisms and measures implemented by Userpilot to reflect the Eight User Rights reflected within the EU’s GDPR framework. Please find below the flow regarding Data Deletion if you’d like to manually do it, feel free to reach out to the Userpilot team if you’d like this to be done via the team.
Use Userpilot’s HTTP API to delete a specified user’s or company’s data or a group of users, or a group of companies from Userpilot records.

SOC2 Type II Certification

SOC 2 Type II certification is awarded by an independent auditing body to ensure the security of client data processing by 3rd party service providers. The certification is based on five “trust service principles”: security, availability, processing integrity, confidentiality, and privacy Thanks to SOC2 Type II, you can now be confident that Userpilot:
Current and potential customers of Userpilot can now be sure about its data protection mechanisms quality and can learn all the details from the SOC 2 report, available upon request from [email protected]

HIPAA Compliance with Userpilot

Userpilot ensures HIPAA compliance to demonstrate its commitment to providing the highest security standards for customers and potential prospects in the health industry. When clients opt to utilize the Userpilot tool for tracking or engaging with Protected Health Information (PHI), they can trust in our adherence to the Health Insurance Portability and Accountability Act (HIPAA). This legislation establishes the benchmark for safeguarding sensitive patient data. Companies handling PHI are mandated to implement and adhere to robust physical, network, and procedural security measures. Covered entities, encompassing those involved in healthcare treatment, payment, and operations, as well as business associates with access to patient information and support roles, must meet HIPAA compliance requirements.
It is important to note that Userpilot does not inherently work with PHI. However, for our customers who store and process PHI, we want to reassure them that our application strictly adheres to the HIPAA framework, providing a secure environment for handling sensitive health information.


To report any issues or request more information, please drop us an email at [email protected]