Security Standards at Userpilot



Privacy Shield

SOC 2 Type II

Userpilot is a product experience platform that is used by hundreds of teams to deliver in-app experiences to their users. As a vendor that processes millions of data points on a daily basis, we take our customers and their users’ data very seriously. Userpilot takes full responsibility for all data that's processed through the platform. Our data is fully encrypted, managed, and stored by SOC-compliant vendors such as Amazon AWS and Google Cloud.


All data that is handled and processed through the Userpilot platform is fully secured against unauthorized access. Only authorized Userpilot personnel are allowed to access such data and are required to authenticate themselves whenever such data is accessed.

We have also taken extreme measures to prevent unauthorized access, theft or manipulation of data.

  • Internal security
    • Data encryption
      • Auth keys are hashed, and we use AWS tools to manage production secrets.
    • Product security design
      • All our projects are run routinely through security tests and regular penetration tests using security vendors.
  • Product security
    • Account access, SSO for enterprise
      • Transparent and fine-grained control over user access
        • Multi-Factor Authentication (MFA)
          • MFA provides an additional layer of security. When logging into Userpilot, you’ll also enter a code from your mobile phone or .
          • Can be enforced at the account level for all team members.
      • Network and application security
        • Failover and DR
          • Our infrastructure and data are spread across multiple AWS availability zones and will continue to work should any one of those data centers fail.
        • Virtual Private Cloud
          • All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs).
        • Permissions and Authentication
          • Access to customer data is limited to authorized employees who require it for their job.
        • Incident Response
          • Userpilot implements a protocol for handling security events which includes escalation procedures.
      • Additional Security features
        • Training
          • All employees complete Security and Awareness training.
        • Confidentiality
          • All employee contracts include a confidentiality agreement.
        • PCI Obligations
          • All payments made to Userpilot go through Stripe. Details about their security setup and PCI compliance can be found at Stripe’s security page.


      The Userpilot platform architecture was built to ensure maximum accessibility and uptime. Our APIs are fully separate from our product server, and redundant failover servers are set in place.

      Our infrastructure is largely provisioned across AWS, with a small footprint in GCP (Google Cloud Platform) to power smaller components in our Userpilot application. Our Amazon infrastructure is contained within Userpilot-managed VPCs (Virtual Private Clouds) and provides total isolation from other instances in the same datacenter.

      Moreover, all of our data is synced in real-time with multiple backups on a daily basis.


      We perform daily backups of all application data in multiple locations. We ensure every instance is fully encrypted and secured.


      Commitment to data privacy through initiatives:

      • Data Transfer Practice

          We offer Standard Contractual Clauses for compliant user data transfer and storage outside of the EU.

      • Privacy By Design

          Userpilot takes a comprehensive approach to security and privacy, and does not sell our customers' user data.

      • Updated Privacy Policy

          We updated our Privacy Policy to honor our commitment to privacy.

      GDPR compliance with Userpilot

      • The right of erasure.

          Use Userpilot’s HTTP API to delete the data of a specified user or company, or of a group of users or companies, from Userpilot records.

          View the API docs for HTTP DELETE [https://docs.userpilot.com/article/189-delete-users-and-companies].

      • Monitor deletion status and requests

          Track the progress of deletion requests to confirm when data is finally deleted, so you can update your users.

          View the API docs for background jobs tracking [https://docs.userpilot.com/article/189-delete-users-and-companies].

      • The rights of access, portability, and rectification

          Compile user data for access and portability requests.

          Export user data to an open format (CSV) to organize data about a given user, so you can easily share it if requested.

      SOC 2 Type II Certification

      SOC 2 Type II certification is awarded by an independent auditing body to ensure the security of client data processing by third-party service providers. The certification is based on 5 “trust service principles”: security, availability, processing integrity, confidentiality, and privacy.

      Thanks to SOC 2 Type II, you can now be confident that Userpilot:

      • has access control via end-to-end encryption and two-factor authentication. You can learn more about the technologies used to ensure data security in a report issued by a reputable, independent auditor.
      • uses network and application firewalls
      • has intrusion-detection mechanisms in place
      • uses performance monitoring tools
      • uses disaster recovery tools
      • has security incident handling procedures in place
      • uses quality assurance and process monitoring procedures

      Current and potential customers of Userpilot can now be sure about the quality of its data protection mechanisms and can learn all the details from the SOC 2 report, available upon request from [email protected]


      To report any issues or request more information, please drop us an email at [email protected]