If you are our customer on one of our Self-Service plans, please find a detailed overview on our security measurements in the following chapters.
For our Enterprise plan customers, we have an enhanced security information package.
Please, fill out this form and we will send you all relevant information on our Enterprise security measurements which is available especially for our Enterprise customers.
Infrastructure
- Our secure system architecture
- Our hosting data centers
- Latest versions and security patches
- Penetration and vulnerabilities scans
- Redundant services and failover
- Firewalls
Your data
- Data storages
- Compliance with GDPR
- Privacy policy
- Data segregation and data access
- Backups & disaster recovery
- Logs - authentication & login
- Passwords & sessions
- Federated Services & Single Sign On (SSO)
- Multi-factor authentication
- Monitoring
- Permissions and roles
Encryption
- Secure transport via HTTPS
- Encryption in transfer & at rest
Security in Software Development
- Code Reviewing
Additional Security Measures
- Policies
- Business Continuity Plan
- Corporate Security Policies
- Office Security
- Incident response
- Security training
- Background checks
- Confidentiality
- Payment processing & PCI compliance
- Insurance CyberSecurity and E&O
Our secure system architecture
We built the Usersnap feedback platform on the most modern, reliable, fast and secure platform. We are using a multi-tier infrastructure with security gateways protected by firewalls. Services, like data storage and more, can only be accessed by an application that requires access specifically for that service and only by personnel with certain authorization levels. Access information is securely stored outside our codebase and our data.
Our hosting data centers
The Usersnap software and all its services are hosted and managed within the European AWS’ (Amazon Web Services) secure data centers. These centers all come with certain certifications:
- SOC 1 and SOC 2/SSAE16/ISAE 3402
- ISO 27001
We use Amazon's hosting in EU-central-1 (Frankfurt).
All services are only accessible from our Virtual Private Cloud (AWS VPC). We are using the available AWS services to protect data privacy and control access to our entire network. If you are interested in more specific details about these certifications, please have a look at the AWS compliance center.
Latest versions and security patches
We are working continuously to have the latest version of software and security patches installed.
Penetration and vulnerability scans
Our system is regularly (at least annually) audited and tested via penetration tests to identify any vulnerabilities. We are also using security tools to check for vulnerabilities of our code and watch-guard for potential risks. Each upcoming risk is reported, classified, and promptly fixed and patched. The audited penetration tests are available for our Enterprise plan customers only.
We are working hard to prevent SQL injections, XSS vulnerabilities, and other common issues.
Redundant services and failover
Our services are built for failover. In case a service fails there are always redundant services to take over the job. This allows us to provide a consistent and reliable service to our customers. Our services are distributed throughout AWS availability zones.
All databases are replicated synchronously to quickly recover from a database failure. As an extra precaution, we take regular snapshots of the database and securely move them to a separate data center. Then we are able to restore them elsewhere as needed, even in the event of a regional data center failure.
Firewalls
Our system, servers, and networks are secured by various firewalls which are regularly checked and updated. We only provide one access path with open ports 80 and 443 for HTTP(S) traffic. All other systems, servers, and networks are protected and limited to our internal network. Only authorized personnel with a profound background check have access to our server infrastructure. The access to our data centers is secured through VPN and 2-factor authentication.
Data storages
All data storages are not accessible to the outside/internet and are protected within our Virtual Private Network. Access to data stores with customer data is limited to systems that require this access. All data is encrypted while in transport by using enhanced encryption mechanisms like SSL etc.
All our connections are encrypted via Transport Layer Security (TLS) with version v1.2. We have implemented encryption of all data in rest.
All production environments are separated from testing environments.
Compliant with General Data Protection Regulation (GDPR)
We are compliant with the EU General Data Protection Regulation (GDPR) which should help to protect personal data and give individual users more rights and control of their personal data. We are a processor in terms of GDPR. We are storing some personal data (Personally Identifiable Information (PII)) in the form of name and email of users, browser information, operating system, screen sizes, URL, location / IP address (only in specific cases) and screenshots of browser content.
We are storing all data in the European Union (EU). If we have a sub-processor that is not processing in the EU, we ensure through an EU-SCC and a DPA that the sub-processor has an adequate security standard.
For more information and our Data Privacy Agreement, please read our GDPR page.
PII-protection
You can protect sensitive data in all subscription plans by using our PII-protection feature to black-out confidential information from your website or web application before a screenshot is taken.
Privacy policy
We demonstrate our company’s commitment to privacy. Please read our privacy statement.
Data segregation and data access
All accounts and data of each customer are separated by unique IDs. These can only be accessed by the customers’ team members. Our customer success team will only access a customer's account after a clear request by the customer.
Backups & disaster recovery
All data is backed up daily, secured by encryption, and stored for 30 days.
Deleted data is not removed from backups to allow for the possibility to recover in case of deletion. All previous backup data is removed after 90 days. We are reviewing our backups at least annually and simulate a full backup recovery.
Logs
Our system is storing logs to reproduce any faults or track security breaches. No personal data is stored within our logs. Activity logs are kept for 90 days.
Passwords & sessions
We can not retrieve any password as they stored in an irreversible cryptographic hash. We encourage our customers to use strong passwords to increase their security and protection of their personal data. Every access to our application is secured by a session that is invalidated in case of unauthorized access or after a certain time of inactivity.
Login and Google oAuth
Besides the standardized email and password access to our system, Usersnap offers our customers and users the possibility to access our system via Google oAuth.
Permissions and roles
Usersnap offers different roles with different permissions within our system. Team owners have all access and managing permissions, while team members can manage all items within a project. Users are allowed to submit feedback and send in messages.
Secure transport via HTTPS
Our system enforces traffic via HTTPS (port 443). Requests to web resources and access to our REST API can only be obtained via SSL.
Encryption at transport and at rest.
Our feedback platform uses industry-standard encryption algorithms for encrypting your data in transport, as well as at rest.
Code Reviewing
The Usersnap development team uses a modern software development approach to ensure the development of secure, reliable, fast and flexible software.
We are using a revision control system (git, svn). Any changes to our source code base go through a suite of automated tests and are reviewed & approved by authorized persons in a code review. When code changes pass the automated testing system and manual reviews, the changes are deployed to a staging server. In this staging server, Usersnap employees are able to test changes before an eventual push to production servers and our customer base.
We also add a specific security review for particularly sensitive changes and features. Usersnap engineers can pick critical updates and push them immediately to production servers.
In addition to a list where all access control changes are published, we have a suite of automated unit tests that checks whether access control rules are written correctly and enforced as expected. We also work with third-party security professionals to protect your data.
Incident response
In case of a security or performance incident, you can get all updates on https://status.usersnap.com
Security training
Security is only effective if it is practiced regularly. That’s why our team and employees have to conduct security training outlined in our policies regularly after joining.
Confidentiality
All employees and partners have signed a confidentiality agreement protecting your personal data in accordance with EU law regarding GDPR. Every Usersnap employee and partner has to sign a Data Access Policy that binds them to the terms of our data confidentiality policies.
Payment processing & PCI compliance
All credit card payments paid to Usersnap are processed by our payment partner Stripe. Find more information about their security protection and PCI certification on their Security page. We have no access to your credit card information.
Requests regarding security
If you have questions regarding the security of Usersnap, please contact our security team via [email protected].
Terms of service
Please, be aware that our terms of service apply for all your subscriptions.
In case, you want to know more on our Enterprise security measurements that are available for our Enterprise customers, please request this information here.