Information Security Policy
Effective Date: June 2022
Information Security Policy
Userlytics shall establish, implement, operate, monitor, review and continuously improve a documented Information Security Management System (“ISMS”) to manage risks relating to the information assets, either outsourced/owned or operated by the company, by appropriately protecting the confidentiality, integrity, and availability of the information assets thereby enhancing trust and confidence among its customers.
This document defines the information security policy of Userlytics.
As a modern, forward-looking business, Userlytics recognizes at senior levels the need to ensure that its business operates smoothly and without interruption for the benefit of its customers, shareholders, and other stakeholders.
In order to provide such a level of continuous operation, Userlytics has implemented an Information Security Management System (ISMS) in line with the ISO/IEC 27001:2013 Requirements for Information Security Management Systems standard. This standard defines the requirements for an ISMS based on internationally recognized best practices.
The operation of the ISMS has many benefits for the business, including:
- Protection of revenue streams and company profitability
- Ensuring the supply of goods and services to customers
- Compliance with legal and regulatory requirements
This policy applies to all systems, people, and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers, and other third parties.
Information Security Requirements
A clear definition of the requirements for information security within Userlytics will be agreed upon and maintained within the internal business and customer services so that all ISMS activity is focused on the fulfillment of those requirements. Statutory, regulatory, and contractual requirements will also be documented, and implemented in the planning process. Specific requirements with regard to the security of new or changed systems or services will be recorded and implemented as part of the design stage of each project.
It is a fundamental principle of the Userlytics Information Security Management System that the controls implemented are driven by business needs. This will be regularly communicated to all staff through team meetings and briefing documents.
Framework for Setting Objectives
A regular cycle will be used for setting information security objectives that coincide with the budget planning cycle. This will ensure that adequate funding is obtained for the identified security improvement objectives. These objectives will be based upon a clear understanding of the business requirements, and informed by the management review process. During the management review process, the views of all relevant, interested parties will be obtained to ensure everyone is in agreement about the new security measures being implemented.
Information security objectives will be set and documented for an agreed period, together with details on how they will be achieved. These will be evaluated and monitored as part of the management review process to ensure they remain valid. If amendments are required, these will be managed through the change management process.
In accordance with ISO/IEC 27001, the reference controls detailed in Annex A of the standard will be adopted where appropriate by Userlytics. These will be reviewed regularly in the form of risk assessment outcomes and in line with information security risk treatment plans.
In addition, enhanced controls from the following codes of practice will be adopted and implemented where appropriate:
- ISO/IEC 27002 – Code of practice for information security controls
The adoption of these codes of practice will provide additional assurance to customers and further promote our compliance with international data protection legislation.
Continual Improvement of the ISMS
Userlytics’ policy in regards to continual improvement is to:
- Continually improve the effectiveness of the ISMS
- Enhance current processes to bring them into line with current ISO/IEC 27001 good practice standards
- Increase the level of proactivity (and the stakeholder perception of proactivity) of information security
- Make information security processes and controls more measurable to provide a sound basis for informed decisions
- Review relevant metrics on an annual basis to assess whether it is appropriate to change them, based on collected historical data
- Obtain ideas for security improvements via regular meetings and other forms of communication with interested parties, including cloud service customers
- Review ideas for improvement at regular management meetings to prioritize and assess timescales and benefits
Ideas for improvements may be obtained from any source including employees, customers, suppliers, IT staff, risk assessments, and service reports. Once identified they will be recorded and evaluated as part of management reviews.
Userlytics takes pride in operating and continuously reviewing a documented Information Security Management System framework to protect the privacy and security of our clients, participants, and Userlytics team members. Over the years, we have taken special care to ensure we are following and exceeding the top internationally recognized security standards to prevent unauthorized access, damage or deletion of any private information.
We are committed to ensuring our security framework remains cutting edge and ahead of its industry peers. To do this, we continually evaluate our current approach to security (including in comparison to our industry peers), identifying opportunities for improvement.
The Userlytics Security Team
The Userlytics security team is dedicated to implementing and maintaining internationally recognized security standards to prevent unauthorized access, damage or deletion of any private information. The team is made up of our Chief Information Security Officer (CISO) and a surrounding group of staff members trained in data and security protection, involving the company executive team as well.
Our security team stays aware of current threats via both private and public security channels. With expertise in various areas of information security, membership in several international cybersecurity communities, and ownership of industry-leading certifications, our security team is constantly learning and updating their knowledge on new risks and processes in order to keep client and customer data safe.
In collaboration with our Legal department, Userlytics’ Data Protection Officer (DPO) oversees Userlytics’ data protection strategy and implementation to determine and ensure compliance with applicable data protection laws around the globe.
The company has an unequivocal commitment to information security, and executive management is fully involved in achieving the information security objectives.
We conduct periodic cybersecurity courses for all personnel, ad-hoc training specific to their roles, and ad-hoc courses of a specific topic when needed. Courses already taught are always available for employees to review at any time, and are mandatory for new employees to view.
We have specific communication channels for any issue related to information security to communicate quickly and directly to all users, and so that users can ask questions or report any related issue.
We have developed a comprehensive set of security policies covering a wide variety of topics. These policies are shared and made available to all employees and contractors with access to Userlytics’ information assets, and remain available to them at all times.
Userlytics conducts background checks on all new employees in accordance with local laws, following best legal guidance. New employees are subject to the terms and conditions of employment, which define their information security responsibilities.
All new employees receive onboarding and security training, including accounts and permissions setup, formal secure software development training (if pertinent), security policies review, company policies review, and corporate values and ethics policies review.
All employees sign an NDA and review key security policies as part of onboarding, and are encouraged to review and contribute to policies via internal documentation.
Termination processes ensure that access to any and all systems, applications, services, data, as well as access to buildings is terminated on the employee’s or contractor’s last day within the organization.
A Physical Security Policy ensures that robust physical security is implemented across our environments, on premises and in the cloud. This policy covers areas such as secure working areas, securing our assets, restricting access to our buildings and offices to appropriate personnel, and emergency scenarios.
Userlytics’ application and data are hosted in the industry-leading cloud hosting provider Amazon Web Services (AWS). We use multiple availability zones to ensure that a failure in any single data center does not affect the availability of our products or customer data. For more information on the AWS physical security topic, see this link: https://aws.amazon.com/compliance/data-center/controls/?nc1=h_ls
Physical access to our data centers, where customer and tester data is hosted, is limited to authorized personnel only, with access verified via biometric measures. Physical security measures for our data centers include on-premise security guards, closed-circuit video monitoring, man traps, and additional intrusion protection measures.
Server and Endpoint Security
Both servers and endpoints are monitored by different pieces of software around the clock. We update our security systems daily, and protection against malware, malicious code execution and phishing is active at all times. We run antivirus scans daily, and we scan both servers and endpoints for vulnerabilities once a week, or more often if necessary.
We divide our systems into separate networks to better protect sensitive data. Systems prepared for testing and development are hosted in a network separate from the systems supporting Userlytics’ production infrastructure. All servers are hardened and have a documented base configuration that is applied to ensure consistency across the environment; this configuration follows international best practice, is strongly based on the most widely recognized hardening frameworks, and incorporates the experience and knowledge acquired over the years by our systems and security team.
Network access to our server infrastructure from open, public networks (the Internet) is restricted. Only the protocols needed to deliver Userlytics’ service to its users are open, and mitigations for known vulnerabilities covering all possible types of attacks are deployed at the network perimeter (WAF). Additionally, for host-based intrusion detection and prevention, Userlytics logs, monitors, and audits all system calls and has an alerting system in place for system calls that indicate a potential intrusion. Several software tools and configurations (IDS, anti-rootkit, anti-malware, SIEM, etc.) are in place to achieve this level of security.
All workstations issued to our personnel, and BYOD devices, are configured by us to comply with our security standards. These standards require all workstations to be properly configured, updated, and tracked and monitored by Userlytics-provided endpoint management solutions. Our default configuration sets workstations to encrypt data at rest, use strong passwords, lock when idle, patch the operating system and third-party software daily, and remain available for remote management when needed. Workstations run up-to-date monitoring software (such as anti-virus and EDR) to report potential malware, unauthorized software and vulnerable software, and to disable removable media storage.
Mobile devices that are used to engage in company business are required to be enrolled in the appropriate mobile management system to ensure they meet our security standards.
Information stored locally is forbidden at Userlytics. We are a heavily cloud-based company, and we keep our information safe in the cloud. We use highly reliable providers with a multitude of information security certifications and unblemished reputations.
Our product test and development environments are logically separated from our production environment. Only mock data is used in our development or test environments.
Ciphers in use meet or exceed the set defined as “AES-compatible” or “partially AES-compatible” according to the IETF/IRTF Cipher Catalog, or the set defined for use in the United States National Institute of Standards and Technology (NIST) publication FIPS 140-2, or any superseding documents as of the date of implementation. The Advanced Encryption Standard (AES) is strongly preferred for symmetric encryption.
FIPS is enabled on all servers and endpoints.
Any customer data is encrypted in transit over public networks using TLS 1.2+ to protect it from unauthorized disclosure or modification. Our implementation of TLS enforces the use of strong ciphers and key-lengths where supported by the browser.
All servers and applications exposed to the internet using TLS have the certificates signed by a known, trusted provider.
Data at rest in the production network is encrypted using FIPS 140-2 compliant encryption standards (the industry-standard AES-256 algorithm). This applies to all types of data at rest within Userlytics’ systems: relational databases, file stores, database backups, etc. All encryption keys are managed by AWS KMS and SSE-S3.
When technology assets have reached the end of their useful life, or when an employee leaves the company, they are sent to the Operations team for proper disposal. The Operations team securely erases all storage media following current industry best practices.
All electronic drives must be degaussed or overwritten using the BSI method, a 9-pass method recommended by the German Center of Security in Information Technologies (http://www.bsi.bund.de), with the passes 0xff, 0xfe, 0xfd, 0xfb, 0xf7, 0xef, 0xdf, 0xbf, 0x7f.
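As an added, illustrative example (not Userlytics’ own tooling), the following Python applies the nine patterns listed above to a file in the stated order, syncing after each pass and verifying the final pass. It assumes a regular file on storage that writes in place; on SSDs and journaling or copy-on-write filesystems a file-level overwrite does not guarantee the underlying blocks are rewritten, so whole-device sanitisation or the degaussing the policy also allows is still required there.

```python
"""Illustrative 9-pass overwrite, written for this page (not a Userlytics tool).

Assumption: the target is a regular file on a filesystem that rewrites blocks
in place.  Flash media and copy-on-write filesystems need device-level
sanitisation instead; this code only demonstrates the pass sequence.
"""
import os
import tempfile

# The nine single-byte patterns quoted in the policy, in the order given.
# The first pass sets every bit; each later pass clears exactly one bit
# position (0xfe clears bit 0, 0xfd bit 1, ... 0x7f bit 7), so every bit of
# every byte is written as both 1 and 0 over the sequence.
BSI_PATTERNS = (0xff, 0xfe, 0xfd, 0xfb, 0xf7, 0xef, 0xdf, 0xbf, 0x7f)

CHUNK = 64 * 1024  # bytes written per write() call


def verify_pattern(path, pattern):
    """Return True if every byte of `path` equals `pattern`."""
    with open(path, "rb") as fh:
        while True:
            buf = fh.read(CHUNK)
            if not buf:
                return True
            if buf != bytes([pattern]) * len(buf):
                return False


def overwrite_passes(path, patterns=BSI_PATTERNS, chunk=CHUNK):
    """Overwrite every byte of `path` once per pattern, fsync after each pass,
    and read the file back to confirm the pass landed.

    Returns the number of passes that were written and verified."""
    size = os.path.getsize(path)
    verified = 0
    with open(path, "r+b") as fh:
        for pattern in patterns:
            block = bytes([pattern]) * chunk
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                fh.write(block[:n])
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push this pass to storage before the next one
            if not verify_pattern(path, pattern):
                break  # stop rather than report a pass that did not land
            verified += 1
    return verified


def sanitize_demo():
    """Create a constructed sample file, run the passes, and report the outcome.

    Returns (passes_verified, final_pass_is_0x7f, size_unchanged)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        # Constructed sample content (about 100 KiB), not real customer data.
        sample = b"constructed sample tester record\n" * 3000
        with open(path, "wb") as fh:
            fh.write(sample)
        passes = overwrite_passes(path)
        final_ok = verify_pattern(path, BSI_PATTERNS[-1])
        return passes, final_ok, os.path.getsize(path) == len(sample)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(sanitize_demo())
```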
When a storage device in AWS has reached the end of its useful life, AWS decommissions media using techniques detailed in NIST 800-88. Media that stored customer data is not removed from AWS control until it has been securely decommissioned.
We have policies in place that define the classification of our data, the procedures for the transmission of information, the persons responsible and the responsibilities involved in the handling of information, as well as the maintenance of information. All of this is overseen by our DPO, who is responsible for the information.
Limited Participant PII
We only collect the participant PII that is necessary to manage demographics and connect our clients with the right test participants. We do not share a participant’s full details so as to protect their PII. Our system is also configured so as to allow our clients to “block” screen recording during specific tasks.
Unless we receive a deletion request, we keep data for 365 days from the end of the contract, plus an additional 45 days in backup systems. If deletion is requested, the data is deleted, except from backups, which require an additional 45 days.
Business Continuity and Incident Response
Every part of our service uses properly-provisioned, redundant servers (e.g., multiple load balancers, web servers, replica databases, etc.). In the case of failure, or as part of regular maintenance windows, servers are taken out of operation without impacting availability.
Business Continuity Plan
Our firm’s policy is to respond to a significant business disruption by safeguarding employees’ lives as well as company property, making a financial and operational assessment, quickly recovering and resuming operations, protecting all the firm’s books and records, and allowing our customers to transact business.
With the implementation of business continuity, Userlytics’ goal is to fulfill its strategic objectives and continue normal business operations with a goal of 99% capacity measured throughout the year, including holidays and weekends. Our actual availability, since the founding of Userlytics in 2009, has been higher than 99.99%.
Incident Response Plan
We have defined roles and responsibilities for participants of the Incident Response Plan, characterization of incidents, relationships to other policies and procedures, and reporting requirements.
The goal is to detect and react to security incidents, determine their scope and risk, respond appropriately to the incident, communicate the results and risk to all stakeholders, and reduce the likelihood of the incident recurring through a lessons-learned procedure.
Disaster Recovery Plan
We have a policy in place that establishes priorities, assigns roles to each employee or department, and defines the steps to be taken to restore service in case of total service disruption and/or loss of data.
Our platform is duplicated in different regions to avoid service outages resulting from a problem in a specific area. This includes the databases and all the services necessary to keep the service fully operational.
The most important data for our service is backed up with three different copies per day, which are stored encrypted in three different locations.
The Disaster Recovery Plan is regularly tested.
Our RTO and RPO are defined in our DRP as RPO: 24h, RTO: 48h.
Identity & Access Management
Account And Access Policy
The access privileges of all users, systems, and independently operating programs such as agents are restricted based on “Least Privilege.” This means that privileges must not be extended unless a legitimate business-oriented need for such privileges exists.
Personnel and subcontractors are required to have a unique user ID and a private password. Passwords must meet our Password Policy requirements.
MFA is used throughout the infrastructure in order to protect against password compromise and as a matter of best practice.
We established a set of rules that allow the creation of strong passwords, in line with the security needs of the company and its customers. We also take into account the recommendations of those frameworks that are considered valid standards in the cybersecurity industry.
Passwords meet strong complexity requirements, new passwords must be set for each user, group, service, or system after a short validity period, and the last 24 passwords are retained in order to prevent their reuse.
System passwords stored in the operating systems themselves are hashed and strongly encrypted.
As part of our commitment to security, any change to operational or production systems must be approved, authorized, recorded and tested.
In addition, the Security team will evaluate all possible risks involving any new changes.
All software development/acquisition must comply with an application development methodology that incorporates security planning during each phase of development or maintenance and adheres to formalized secure coding methodology. This approach requires that development teams assess the risks of the application and data and incorporate controls to mitigate such risks. When performing software changes, the protection of affected information assets is evaluated, an analysis of the security features required by the changes is performed, and the impact software changes will have on existing security controls is assessed.
Our development life cycle involves testing the software based on OWASP Top 10, as well as other vulnerabilities.
We enforce the separation of tests from the production environment. Data from production is not used for testing purposes.
Operations and Monitoring
We monitor servers, workstations and mobile devices to retain and analyze a comprehensive view of the security state of our infrastructure. Administrative access, use of privileged commands, and system calls on all servers in our production and development network are logged and retained for at least three years. Analysis of logs is automated to detect potential issues and alert responsible personnel. All logs are stored in a separate network that is restricted to only the relevant security personnel.
Internal Audit and Procedure
We are continuously monitoring, auditing, and improving the design and operating effectiveness of our security controls. These activities are regularly performed by both third-party credentialed assessors and Userlytics’ internal risk and compliance team. Audit results are shared with senior management and all findings are tracked to resolution in a timely manner.
At least three internal audits should be conducted over one year, ensuring cumulative coverage of all personal data processing activities. Internal audits are planned based on risk assessment, as well as results of earlier audits.
Governance, Risk and Compliance
Userlytics has established roles and responsibilities for the effective management of the company’s information system and information security. Senior management manages the chief officers directly, and each chief officer is responsible for the management of a specific area. Userlytics has chief officers for the following areas:
- Technology (CTO)
- Security (CISO)
- Operations (COO)
- Data (DPO)
- Finance (CFO)
The responsible chief officers are required to do an annual gap analysis of the security standards, laws, and regulations to ensure that the company is compliant with them. Any gap identified must be reported along with a mitigation recommendation to the CEO who will review and approve the mitigation plan.
The progress of the mitigation plan is tracked by the relevant chief officer and reported to the CEO team during the monthly executive management meetings.
The company annually conducts an internal and external compliance audit to ensure that the company is in line with the ISO 27001 standards requirements as well as any other law or regulation.
The company’s risk management framework includes a qualitative asset/scenario-based risk assessment methodology that follows the NIST 800-30 special publication guidelines: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
Userlytics conducts an annual internal risk assessment that is managed by the CTO. The risk report is provided to the senior management team, and a risk treatment plan is developed by the CTO and approved by senior management.
The company’s risk appetite is low. The risk action and the approval of the action (reduce, accept, transfer, avoid) are clearly captured during the process and recorded into the risk assessment documentation.
Third Party Security Management Policy
To run efficiently, we rely on sub-service organizations. Where those sub-service organizations may impact the security of the production environment, we take appropriate steps to ensure our security measures are maintained by establishing agreements that require service organizations to adhere to privacy & confidentiality commitments we have made to users.
Userlytics monitors the effective operation of the organization’s safeguards by conducting reviews of all service organizations’ controls before use and at least annually.
Our security program has been developed and run in compliance with a number of industry standards. Complying with well-known industry standards is an integral part of our approach to security because we understand they provide independent assurance to our customers that Userlytics’ security program meets a baseline of security controls.
ISO 27001 certification is the internationally recognized best practice framework for an Information Security Management System (ISMS) and ensures that we have invested in the people, processes, and technology to protect our customers’ data and privacy. Both our hosting provider (Amazon Web Services, AWS) and Userlytics itself are ISO 27001 certified, and AWS is also SOC 1, 2 and 3 certified, adding an additional layer of security to the data shared through our platform.
Standard Contractual Clauses (SCC) Compliant
Userlytics is fully compliant with the SCCs, a set of clauses ensuring appropriate data protection safeguards for data transfers from the EU to third countries. Compliance with these safeguards ensures the implementation of the right tools and security controls for provision of continuous monitoring and incident response.
Userlytics represents that it is self-certified to the EU-U.S. and Swiss-U.S. Privacy Shield Framework and agrees, with respect to the relevant transfer or Data processing, that it shall comply with the Privacy Shield Principles when handling any such data. The Privacy Shield Framework may be (depending on the data, specific transfer, among others) the lawful transfer mechanism of Tester and Client Data from the European Economic Area or Switzerland to the United States, only to the extent such transfer is not covered by the SCCs annexed in the applicable transfer and/or Agreement (established between the Parties). Userlytics, at the request of the United States Department of Commerce (or any successor body) or a competent supervisory authority, enforcement or other public or regulatory authority, court or tribunal, may make available to them a summary or representative copy of the applicable transfer mechanisms and/or the relevant provisions established in the applicable Data Processing Agreement. For more information, please refer to our Privacy Shield Statement here.