Security Standards at Userpilot
GDPR
SOC 2 Type II
HIPAA
Userpilot is a product experience platform that is used by hundreds of teams to deliver in-app experiences to their users. As a vendor that processes millions of data points on a daily basis, we take our customers and their users’ data very seriously. Userpilot takes full responsibility for all data that’s processed through the platform. Our data is fully encrypted, managed, and stored by SOC-compliant vendors such as Amazon AWS and Google Cloud.
Security
All data that is handled and processed through the Userpilot platform is fully secured against unauthorized access. Only authorized Userpilot personnel are allowed to access such data and are required to authenticate themselves whenever such data is accessed. We have also taken extreme measures to prevent unauthorized access, theft or manipulation of data. Access reviews are done upon onboarding and offboarding as well as routinely once every quarter.
Internal security
- Data encryption
All of our projects undergo routine security assessments, including regular penetration tests conducted by certified auditors. If you would like to receive a copy of the reports, kindly contact [email protected]. Please be advised that parties requesting access to our penetration test reports are required to sign a Non-Disclosure Agreement (NDA) before the information can be shared. Additionally, authentication keys are securely hashed, and we employ AWS tools for the management of production secrets.
Product security
Account Access is controlled, SSO integration for enterprise customers can be set up.
Transparent and fine grained control over user access.
Multi Factor Authentication (MFA) can be provided for an additional layer of security. When logging into Userpilot, it can be enforced on account level for all team members.
Network and application security
- Failover and Disaster Recovery
- Our infrastructure and data are spread across Multi AWS availability zones and will continue to work should any one of those data centers fail.
- Virtual Private Cloud, all of our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs).
- Permissions are controlled and Authentication is required and logged.
- Access to customer data is limited to authorized employees who require it for their job, ticketing regarding access to data is tracked and monitored.
- Incident Response, Userpilot implements a protocol for handling security events which includes escalation procedures according to a Risk Metric.
Additional Security features
- Userpilot provides annual Security & Awareness Training for general purposes as well as HIPAA security training.
- Confidentiality - All employee contracts include a separately signed confidentiality agreement
- All credit card payments made to Userpilot go through Stripe. Details about their security setup and PCI compliance can be found at Stripe’s security page.
Availability
The Userpilot platform architecture was built to ensure maximum accessibility and uptime. Our APIs are fully separate from our product server, and redundant failover servers are set in place. Our infrastructure is largely provisioned across AWS, with a small footprint in GCP (Google Cloud Platform), in order to power smaller components in our Userpilot application. Our Amazon infrastructure is contained within Userpilot managed VPCs (Virtual Private Clouds) and provides total isolation from other instances in the same datacenter. Moreover, all of our data is synced in real-time with multiple backups on a daily basis.
Backups
We perform daily backups of all application data in multiple locations. We ensure every instance is fully encrypted and secured.
GDPR compliance with Userpilot
As the GDPR provides the golden standard when it comes to Data Protection, Customers and Prospects can request our DPA which covers the mechanisms and measures implemented by Userpilot to reflect the Eight User Rights reflected within the EU’s GDPR framework. Please find below the flow regarding Data Deletion if you’d like to manually do it, feel free to reach out to the Userpilot team if you’d like this to be done via the team.
Use Userpilot’s HTTP API to delete a specified user’s or company’s data or a group of users, or a group of companies from Userpilot records.
- View the API docs for HTTP DELETE [https://docs.userpilot.com/article/189-delete-users-and-companies].
- Monitor deletion status and requests
- Track the progress of deletion requests to confirm when data is finally deleted, so you can update your users.
- View the API docs for background jobs tracking. [https://docs.userpilot.com/article/189-delete-users-and-companies]
- The rights of access, portability, and rectification Compile user data for access and portability requests
- Export user data to open format (CSV) to organize data about a given user, so you can easily share it if requested.
SOC2 Type II Certification
SOC 2 Type II certification is awarded by an independent auditing body to ensure the security of client data processing by 3rd party service providers. The certification is based on five “trust service principles”: security, availability, processing integrity, confidentiality, and privacy
Thanks to SOC2 Type II, you can now be confident that Userpilot:
- Has access control via end-to-end encryption and two-factor authentication. You can learn more about the technologies used to ensure data security in a report issued by a reputable, independent auditor.
- Uses network and application firewalls
- Has intrusion-detection mechanisms in place
- Uses performance monitoring tools
- Uses disaster recovery tools
- Has security incident handling procedures in place
- Uses quality assurance and process monitoring procedures
Current and potential customers of Userpilot can now be sure about its data protection mechanisms quality and can learn all the details from the SOC 2 report, available upon request from [email protected]
HIPAA Compliance with Userpilot
Userpilot ensures HIPAA compliance to demonstrate its commitment to providing the highest security standards for customers and potential prospects in the health industry. When clients opt to utilize the Userpilot tool for tracking or engaging with Protected Health Information (PHI), they can trust in our adherence to the Health Insurance Portability and Accountability Act (HIPAA). This legislation establishes the benchmark for safeguarding sensitive patient data. Companies handling PHI are mandated to implement and adhere to robust physical, network, and procedural security measures. Covered entities, encompassing those involved in healthcare treatment, payment, and operations, as well as business associates with access to patient information and support roles, must meet HIPAA compliance requirements.
It is important to note that Userpilot does not inherently work with PHI. However, for our customers who store and process PHI, we want to reassure them that our application strictly adheres to the HIPAA framework, providing a secure environment for handling sensitive health information.
Contact
To report any issues or request more information, please drop us an email at [email protected]