Public Security Declaration

Information Security Policy Statement

The future is human – and the future business is customer-centric. We take a customer-centric approach to everything we do, including our security policies, and we therefore understand how important data privacy and protection is to our customers.

We trust the people we work with: our customers, employees and partners. With our security policies, we want to provide a clear set of guidelines and rules to make it easy for us to protect sensitive data in the interest of individuals and the companies that trust their data with us.

Our application is built on a modern, scalable cloud infrastructure designed to ensure the safety of your data, and we have chosen proven third-party cloud providers with excellent track records and data centers in the EU.

We ensure that the safety and privacy of your data is baked into our everyday processes throughout our organisation. We take regular data backups and test recovery, run penetration tests, encrypt all data at rest and in transit, conduct static code analysis and vulnerability scanning, perform server hardening, maintain audit trails, and apply many other cloud security techniques.

Scroll down for information about specific security practices, read our privacy policy, support and availability agreement, and data processing agreement which also contains a list of third-party data sub-processors.

Product Security

Permissions

Global access roles allow UserTribe admins to set role-based permission levels for each user account, and project-level access controls allow permission levels to be set for specific projects.

Secure Passwords

UserTribe enforces a password complexity standard, and credentials are stored using BCrypt with unique salts.

Account Verification for Users

Users are required to validate their accounts via a link provided in an automated e-mail.

Permanent Deletion

Users can delete projects and study data from the UserTribe platform if they have the appropriate access rights. The platform has all the features necessary for users to delete data and be compliant with GDPR.

When customers are conducting their own studies using the self-service platform, the customer is a data controller and must delete personal data from the platform according to the customer’s own data privacy policy.

When UserTribe is conducting a study on behalf of a customer, UserTribe acts as a data controller, and personal data is protected and deleted according to our privacy policy.

Data

Your data will never leave the EU.

High Availability

We ensure high availability with automated and manual testing, production monitoring, logging and alerts, fast continuous deployments, and industry-standard cloud infrastructure.

Infrastructure Security

Hosting and Storage

UserTribe services and data are hosted in Amazon Web Services (AWS) facilities in the EU.

Encryption

Data is encrypted while moving between us and the browser with Transport Layer Security (TLS).

  • At Rest: Your data only resides in the production environment encrypted with AES-256.
  • In Transit: Network communication uses TLS, and it is encrypted and authenticated.

Vulnerability Scanning

UserTribe uses third-party security tools to scan for vulnerabilities, and our engineers respond to the issues raised. Our most recent penetration test reported no findings in the OWASP Top 10 categories.

Penetration Testing

We perform independent third-party manual penetration testing at least once per year, and depending on the risk assessment also when we have bigger systems changes. Contact us for a copy of the latest report.

Backup Policy

Our backup processes ensure data and information consistency with the highest standards.

We use the AWS backup solution for datastores that contain customer data. Data is automatically backed up every 15 minutes, and we keep daily backups for 14 days. At the application level, we store activity logs in a centralised logging solution based on AWS Elasticsearch, Kibana and Logstash. Logs are retained for up to 15 days.

Monitoring & Incident Response

Production alerts are captured and automatically escalated. Outside of office hours, our engineering team follows a best-effort response and escalation policy.

Security and confidentiality incidents submitted to support@usertribe.com or our in-app support chat will be resolved in accordance with established incident policy.

Logging & Audit Trail

We log every user action performed in the system with a full audit trail.

Continuous Delivery

We have a state-of-the-art agile software development lifecycle methodology and change management procedures. Our deployment method requires no downtime for the application.

Compliance

ISO 27001

UserTribe is compliant with the Information Security Management System ISO/IEC 27001 standard.

VSA

We have completed the Vendor Security Alliance (VSA) Core self-assessment questionnaire; contact us for a copy.

OWASP

The most recent penetration test reported no vulnerabilities on the OWASP Top 10.

Qualys’ SSL Labs score

"A+" on their SSL Server Test.

GDPR ready

GDPR is baked into our business processes, security policies and employee training. A GDPR check is part of our risk assessment and internal audit. See our privacy policy.

Personnel

Role-Based Access

An employee's level of access is determined by their role and follows the principle of least privilege.

Secure Access

UserTribe uses SSO, an enforced password policy, and VPN to ensure employees have secure access to the system.

Multi-Factor Authentication

Multi-factor authentication is enforced for all privileged access and on all critical systems.

Employee Asset Control

Our employees' devices are monitored in real time and receive antivirus, disk encryption and security patches via Active Directory.

Employee Training

All employees complete annual Security Awareness training and Secure Development Practices training.

Confidentiality

All employee and contractor agreements include a confidentiality clause.

Policies

Our internal security policies cover a range of topics and are shared with all employees and contractors.

Vendors

Vendor Selection

All of our vendors offer industry-leading products and go through a security evaluation to ensure their practices fit our security and compliance standards.

Copyright © 2020 UserTribe
Built with love in Copenhagen
All rights reserved.

Langebrogade 4
1411 Copenhagen
Denmark

77 Exeter Street 2604
02116 Boston, MA
USA

41 Luke Street
EC2A 4DP Shoreditch London
United Kingdom

Phone: +45 7734 8685
CVR no. 33510608