
Make security matter

Security and protection of our customers’ data is important to us at Usersnap. Our team takes securing your data very seriously and we are constantly working on improving the protection of your valuable data.

Standard Self-Service platform security

If you are a customer on one of our Self-Service plans, you will find a detailed overview of our security measures in the following chapters.

For our Enterprise plan customers, we have an enhanced security information package.

Request Enterprise plan security documentation

Please fill out this form and we will send you the relevant information on our Enterprise security measures, which is available to Enterprise plan customers only.

Information overview for our Enterprise security information

Infrastructure
- Our secure system architecture
- Our hosting data centers
- Latest versions and security patches
- Penetration and vulnerability scans
- Redundant services and failover
- Firewalls

Your data
- Data stores
- Compliance with GDPR
- Privacy policy
- Data segregation and data access
- Backups & disaster recovery
- Logs
- Authentication & login
- Passwords & sessions
- Federated Services & Single Sign On (SSO)
- Multi-factor authentication
- Monitoring
- Permissions and roles

Encryption
- Secure transport via HTTPS
- Encryption in transit & at rest

Security in Software Development
- Code Reviewing

Additional Security Measures
- Policies
- Business Continuity Plan
- Corporate Security Policies
- Office Security
- Incident response
- Security training
- Background checks
- Confidentiality
- Payment processing & PCI compliance
- Cyber security and E&O insurance

Security on the Usersnap self-service feedback cloud platform

Our secure system architecture

The Usersnap feedback platform runs on a multi-tier infrastructure whose security gateways are protected by firewalls. Services such as data storage can only be reached by the applications that specifically require that service, and only by personnel with the corresponding authorization level. Access credentials are stored securely, outside both our codebase and our data.

Our hosting data centers

The Usersnap software and all its services are hosted and managed in AWS (Amazon Web Services) data centers in the EU. These data centers hold the following certifications:

- SOC 1 and SOC 2/SSAE16/ISAE 3402
- ISO 27001

We use AWS hosting in the eu-central-1 (Frankfurt) region.

All services are only accessible from within our Virtual Private Cloud (AWS VPC). We use the available AWS services to protect data privacy and control access to our entire network. For more details on these certifications, please see the AWS compliance center.

Latest versions and security patches

We work continuously to keep the latest software versions and security patches installed.

Penetration and vulnerability scans

Our system is regularly (at least annually) audited and penetration tested to identify vulnerabilities. We also use security tooling to scan our code for vulnerabilities and monitor for emerging risks. Each identified risk is reported, classified, and promptly fixed and patched. Penetration test reports are available to Enterprise plan customers only.

We actively guard against SQL injection, cross-site scripting (XSS) and other common vulnerability classes.

Redundant services and failover

Our services are built for failover: if a service fails, a redundant instance takes over its work. This allows us to provide a consistent and reliable service to our customers. Our services are distributed across AWS availability zones.

All databases are replicated synchronously so that we can recover quickly from a database failure. As an extra precaution, we take regular snapshots of the database and securely transfer them to a separate data center, so that they can be restored elsewhere as needed, even in the event of a regional data center failure.

Firewalls

Our system, servers, and networks are secured by several firewalls, which are regularly reviewed and updated. We expose a single access path with only ports 80 and 443 open for HTTP(S) traffic. All other systems, servers, and networks are restricted to our internal network. Only authorized personnel who have passed a thorough background check have access to our server infrastructure, and that access requires a VPN connection and two-factor authentication.

Your Data

Data stores

Our data stores are not reachable from the internet; they sit inside our Virtual Private Cloud, and access to stores holding customer data is limited to the systems that require it. All data is encrypted in transit using TLS.

All our connections are encrypted with Transport Layer Security (TLS) version 1.2. We have implemented encryption of all data at rest.

All production environments are separated from testing environments.

Compliant with General Data Protection Regulation (GDPR)

We are compliant with the EU General Data Protection Regulation (GDPR), which protects personal data and gives individuals more rights and control over it. In GDPR terms, we are a processor. We store some personal data (personally identifiable information, PII): the name and email address of users, browser information, operating system, screen size, URL, location / IP address (only in specific cases) and screenshots of browser content.

We store all data in the European Union (EU). If a sub-processor processes data outside the EU, we ensure through the EU Standard Contractual Clauses (SCCs) and a Data Processing Agreement (DPA) that the sub-processor meets an adequate security standard.

For more information and our Data Privacy Agreement, please read our GDPR page.

PII-protection

In all subscription plans you can protect sensitive data with our PII-protection feature, which blacks out confidential information on your website or web application before a screenshot is taken.

Privacy policy

Our privacy statement documents our company's commitment to privacy. Please read it for details.

Data segregation and data access

Each customer's accounts and data are separated by unique IDs and can only be accessed by that customer's team members. Our customer success team only accesses a customer's account after an explicit request by the customer.

Backups & disaster recovery

All data is backed up daily, encrypted, and retained for 30 days.

Deleted data is not removed from backups immediately, so that it can be recovered in case of accidental deletion; all old backup data is removed after 90 days. We review our backups and perform a full restore exercise at least annually.

Logs

Our system keeps logs so that faults can be reproduced and security breaches traced. No personal data is stored in our logs. Activity logs are kept for 90 days.

Authentication & Login

Passwords & sessions

We cannot retrieve any password, as passwords are stored only as an irreversible cryptographic hash. We encourage our customers to use strong passwords to increase the security and protection of their personal data. Every access to our application is tied to a session, which is invalidated on signs of unauthorized access or after a certain period of inactivity.
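
The two mechanisms described above, irreversible password storage and idle-session invalidation, as an added example in Python. This is illustrative code written for this page, not Usersnap's implementation; the scrypt parameters, the 15-minute idle timeout and the in-memory session table are assumptions chosen for the example.

```python
"""Password storage via a salted, memory-hard hash, plus idle-session expiry.

Added example, not Usersnap's code. The scrypt parameters, the idle timeout
and the in-memory session store are illustrative assumptions.
"""
import hashlib
import hmac
import secrets
import time

# Assumed parameters: 16 MiB of memory per hash (128 * N * r bytes).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed value, not from the page


def hash_password(password: str) -> str:
    """Return a self-describing record 'scrypt$N$r$p$salt$digest' (hex fields).

    A fresh 16-byte random salt per password means two users with the same
    password get different records, and the digest cannot be reversed to
    recover the password.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = record.split("$")
        if algo != "scrypt":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        n, r, p = int(n), int(r), int(p)
    except ValueError:
        return False  # malformed record: treat as "no match" rather than crash
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


class SessionStore:
    """In-memory session table that invalidates sessions after inactivity.

    `clock` is injectable so the expiry logic can be exercised without sleeping.
    """

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.monotonic):
        self._sessions = {}  # token -> {"user": user_id, "last_seen": timestamp}
        self._idle_timeout = idle_timeout
        self._clock = clock

    def create(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
        self._sessions[token] = {"user": user_id, "last_seen": self._clock()}
        return token

    def touch(self, token: str):
        """Return the user of a live session and extend it; None otherwise.

        An expired session is deleted on access, so a stale token cannot be
        revived by a later request.
        """
        entry = self._sessions.get(token)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > self._idle_timeout:
            del self._sessions[token]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def revoke(self, token: str) -> None:
        """Invalidate immediately, e.g. on logout or detected misuse."""
        self._sessions.pop(token, None)
```

The record format stores the cost parameters next to the digest, so the parameters can be raised later and old records re-hashed on the user's next successful login; `hmac.compare_digest` keeps the comparison time independent of where the first differing byte sits.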

Login and Google OAuth

Besides the standard email and password login, Usersnap offers customers and users the option to sign in via Google OAuth.

Permissions and roles

Usersnap offers several roles with different permissions. Team owners have full access and all management permissions, team members can manage all items within a project, and users may submit feedback and send messages.

Encryption

Secure transport via HTTPS

Our system enforces HTTPS (port 443). Requests to web resources and to our REST API are only served over TLS.
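
How HTTPS enforcement and the TLS 1.2 floor stated under "Data stores" can be implemented at the application edge, as an added example in Python. This is not Usersnap's code; it assumes a WSGI application behind a TLS-terminating load balancer that sets X-Forwarded-Proto (as AWS load balancers do), a placeholder host name, and an illustrative HSTS lifetime.

```python
"""HTTPS enforcement for a WSGI app, plus a server TLS context with a 1.2 floor.

Added example, not Usersnap's code. Assumptions: a trusted proxy sets
X-Forwarded-Proto, the host name is a placeholder, HSTS_MAX_AGE is illustrative.
"""
import ssl

HSTS_MAX_AGE = 31536000  # one year (assumed value)


def request_is_https(environ: dict) -> bool:
    """True if the request arrived over HTTPS, directly or via the proxy.

    X-Forwarded-Proto is only trustworthy if the proxy overwrites it on every
    request; a client that can reach the app directly could set it itself.
    """
    if environ.get("wsgi.url_scheme") == "https":
        return True
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
    return forwarded.split(",")[0].strip().lower() == "https"


def https_only(app):
    """WSGI middleware: redirect plain HTTP to HTTPS and add HSTS on HTTPS."""

    def wrapped(environ, start_response):
        if not request_is_https(environ):
            host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
            if host.endswith(":80"):
                host = host[:-3]
            target = "https://" + host + environ.get("PATH_INFO", "/")
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            # 301 suits idempotent GET/HEAD; use 308 if a POST body must survive.
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            hsts = ("Strict-Transport-Security",
                    "max-age=%d; includeSubDomains" % HSTS_MAX_AGE)
            return start_response(status, list(headers) + [hsts], exc_info)

        return app(environ, start_with_hsts)

    return wrapped


def tls12_server_context(certfile=None, keyfile=None) -> ssl.SSLContext:
    """Server-side context that refuses TLS 1.0 and 1.1 handshakes.

    Pass a certificate and key to use it with a real listener; without them
    the context is still built, so the policy can be checked in isolation.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def hello_app(environ, start_response):
    """Placeholder application protected by the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def call(app, environ):
    """Minimal WSGI driver for checking the middleware offline.

    Returns (status line, header dict, body bytes).
    """
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body
```

The middleware must not trust X-Forwarded-Proto unless the proxy is the only path to the application (for example, a security group that admits traffic solely from the load balancer); otherwise a client can claim HTTPS on a plaintext connection and skip the redirect.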

Encryption in transit and at rest

Our feedback platform uses industry-standard encryption algorithms to encrypt your data in transit as well as at rest.

Security in Software Development

Code Reviewing

The Usersnap development team follows a modern software development process to deliver secure, reliable, fast and flexible software.

We use a revision control system (git, svn). Every change to our source code goes through a suite of automated tests and is reviewed and approved by authorized persons in a code review. When code changes pass the automated tests and the manual review, they are deployed to a staging server, where Usersnap employees can test them before they are pushed to the production servers and our customer base.

Particularly sensitive changes and features receive an additional, specific security review. For critical updates, Usersnap engineers can push fixes to the production servers immediately.

In addition to a list where all access control changes are published, we maintain a suite of automated unit tests that checks whether access control rules are written correctly and enforced as expected. We also work with third-party security professionals to protect your data.
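
What such an access-control rule suite looks like for the roles described under "Permissions and roles", combined with the per-team data segregation described under "Data segregation and data access", as an added example in Python. This is illustrative code written for this page, not Usersnap's implementation: the action names, the deny-by-default rule and the exact capability sets are assumptions; only the three roles and their broad capabilities come from the page.

```python
"""Role-based permission checks with the rules pinned by an automated suite.

Added example, not Usersnap's code. Roles follow the page; action names,
the capability sets and deny-by-default are assumptions for this example.
"""
from dataclasses import dataclass

# Explicit allow-list per role. Anything not listed is denied.
PERMISSIONS = {
    "owner": {"team.manage", "team.invite", "project.manage", "item.manage",
              "feedback.submit", "message.send"},
    "member": {"item.manage", "feedback.submit", "message.send"},
    "user": {"feedback.submit", "message.send"},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    team_id: str
    role: str


@dataclass(frozen=True)
class Resource:
    team_id: str  # the unique team ID that segregates one customer's data


class Forbidden(Exception):
    pass


def is_allowed(principal: Principal, action: str, resource: Resource) -> bool:
    """Deny unless the resource belongs to the principal's team AND the
    principal's role explicitly grants the action."""
    if principal.team_id != resource.team_id:
        return False  # cross-tenant access is never allowed, whatever the role
    return action in PERMISSIONS.get(principal.role, set())


def require(principal: Principal, action: str, resource: Resource) -> None:
    """Enforcement point for request handlers: raise rather than return False."""
    if not is_allowed(principal, action, resource):
        raise Forbidden("%s may not %s on team %s"
                        % (principal.role, action, resource.team_id))


def run_access_control_suite() -> list:
    """Evaluate every rule the roles imply, positive and negative.

    Returns the names of failing rules; an empty list means the policy holds.
    Wire this into CI so a change to PERMISSIONS that loosens a rule fails
    the build instead of reaching production.
    """
    t1 = Resource("team-1")
    owner = Principal("u1", "team-1", "owner")
    member = Principal("u2", "team-1", "member")
    user = Principal("u3", "team-1", "user")
    other_owner = Principal("u9", "team-2", "owner")
    stranger = Principal("u4", "team-1", "admin")  # role that does not exist
    rules = [
        ("owner manages the team", is_allowed(owner, "team.manage", t1)),
        ("owner manages items", is_allowed(owner, "item.manage", t1)),
        ("member manages items in a project", is_allowed(member, "item.manage", t1)),
        ("member cannot manage the team", not is_allowed(member, "team.manage", t1)),
        ("user submits feedback", is_allowed(user, "feedback.submit", t1)),
        ("user sends messages", is_allowed(user, "message.send", t1)),
        ("user cannot manage items", not is_allowed(user, "item.manage", t1)),
        ("owner of another team sees nothing", not is_allowed(other_owner, "item.manage", t1)),
        ("unknown role is denied", not is_allowed(stranger, "feedback.submit", t1)),
        ("unknown action is denied", not is_allowed(owner, "billing.export", t1)),
    ]
    return [name for name, ok in rules if not ok]
```

The suite checks negatives as carefully as positives: the rules most likely to regress silently are "member cannot manage the team" and "owner of another team sees nothing", because an unchecked tenant ID or a typo in an allow-list grants access without any test that only exercises the happy path noticing.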

Additional Security Measures

Incident response

In case of a security or performance incident, you can get all updates on https://status.usersnap.com

Security training

Security is only effective if it is practiced regularly. That is why our team and employees complete the security training outlined in our policies when they join and at regular intervals thereafter.

Confidentiality

All employees and partners have signed a confidentiality agreement protecting your personal data in accordance with the GDPR. Every Usersnap employee and partner also signs a Data Access Policy that binds them to our data confidentiality policies.

Payment processing & PCI compliance

All credit card payments made to Usersnap are processed by our payment partner Stripe. Find more information about their security measures and PCI certification on their Security page. We have no access to your credit card information.

Further Information

Requests regarding security

If you have questions regarding the security of Usersnap, please contact our security team via security@usersnap.com.

Terms of service

Please be aware that our terms of service apply to all your subscriptions.

If you want to know more about the Enterprise security measures available to our Enterprise customers, please request this information here.