Information Security Policy

Userlytics shall establish, implement, operate, monitor, review and continuously improve a documented Information Security Management System (“ISMS”) to manage risks relating to the information assets, either outsourced/owned or operated by the company, by appropriately protecting the confidentiality, integrity, and availability of the information assets thereby enhancing trust and confidence among its customers. 

This document defines the information security policy of Userlytics.  

As a modern, forward-looking business, Userlytics recognizes at senior levels the need to ensure that its business operates smoothly and without interruption for the benefit of its customers, shareholders, and other stakeholders. 

In order to provide such a level of continuous operation, Userlytics has implemented an Information Security Management System (ISMS) in line with the ISO/IEC 27001 Requirements for Information Security Management Systems standard. This standard defines the requirements for an ISMS based on internationally recognized best practices. 

The operation of the ISMS has many benefits for the business, including: 

• Protection of revenue streams and company profitability 
• Ensuring the supply of goods and services to customers 
• Compliance with legal and regulatory requirements 

This policy applies to all systems, people, and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers, and other third part

Information Security Requirements

A clear definition of the requirements for information security within Userlytics will be agreed upon and maintained within the internal business and customer services so that all ISMS activity is focused on the fulfillment of those requirements. Statutory, regulatory, and contractual requirements will also be documented, and implemented in the planning process. Specific requirements with regard to the security of new or changed systems or services will be recorded and implemented as part of the design stage of each project. 

It is a fundamental principle of the Userlytics Information Security Management System that the controls implemented are driven by business needs. This will be regularly communicated to all staff through team meetings and briefing documents.  

Framework for Setting Objectives 

A regular cycle will be used for setting information security objectives  that coincide with the budget planning cycle. This will ensure that adequate funding is obtained for the identified security improvement objectives. These objectives will be based upon a clear understanding of the business requirements, and informed by the management review process. During the management review process,  the views of all relevant, interested parties will be obtained to ensure everyone is in agreement about the new security measures being implemented. 

Information security objectives will be set and documented for an agreed period, together with details on how they will be achieved. These will be evaluated and monitored as part of the management review process to ensure they remain valid. If amendments are required, these will be managed through the change management process. 

In accordance with ISO/IEC 27001, the reference controls detailed in Annex A of the standard will be adopted where appropriate by Userlytics. These will be reviewed regularly in the form of  risk assessment outcomes and in line with information security risk treatment plans.  
In addition, added enhanced controls from the following codes of practice will be adopted and implemented where appropriate: 

• ISO/IEC 27002 – Code of practice for information security controls 

The adoption of these codes of practice will provide additional assurance to customers and further promote our compliance with international data protection legislation. 

Continual Improvement of the ISMS

Userlytics’ policy in regards to continual improvement is to: 

• Continually improve the effectiveness of the ISMS 
• Enhance current processes to bring them into line with current ISO/IEC 27001 good practice standards 
• Increase the level of proactivity (and the stakeholder perception of proactivity) of information security  
• Make information security processes and controls more measurable to provide a sound basis for informed decisions 
• Review relevant metrics on an annual basis to assess whether it is appropriate to change them, based on collected historical data 
• Obtain ideas for security improvements via regular meetings and other forms of communication with interested parties, including cloud service customers 
• Review ideas for improvement at regular management meetings to prioritize and assess timescales and benefits 

Ideas for improvements may be obtained from any source including employees, customers, suppliers, IT staff, risk assessments, and service reports. Once identified they will be recorded and evaluated as part of management reviews. 

Organizational Security

Userlytics takes pride in operating and continuously reviewing a documented Information Security Management System framework to protect the privacy and security of our clients, participants, and Userlytics team members. Over the years, we have taken special care to ensure we are following and exceeding the top internationally recognized security standards to prevent unauthorized access, damage or deletion of any private information.

We are committed to ensuring our security framework remains cutting edge and ahead of its industry peers. To do this, we continually evaluate our current approach to security (including in comparison to our industry peers), identifying opportunities for improvement.

The Userlytics Security Team

The Userlytics security team is dedicated to implementing and maintaining internationally recognized security standards to prevent unauthorized access, damage or deletion of any private information. The team is made up of our Chief Information Security Officer (CISO) and a surrounding group of staff members trained in data and security protection, involving the company executive team as well.

Our security team stays aware of current threats via both private and public security channels. With expertise in various areas of information security, membership in several international cybersecurity communities, and ownership of industry-leading certifications, our security team is constantly learning and updating their knowledge on new risks and processes in order to keep client and customer data safe.

In collaboration with our Legal department, Userlytics’ Data Protection Officer (DPO) oversees Userlytics’ data protection strategy and implementation to determine and ensure compliance with applicable data protection laws around the globe.

Admin Board

The company has an unequivocal commitment to information security, and executive management is fully involved in achieving the information security objectives.

Training

We conduct periodic cybersecurity courses for all personnel, ad-hoc training specific to their roles, and ad-hoc courses of a specific topic when needed. Courses already taught are always available for employees to review at any time, and are mandatory for new employees to view.

We have specific communication channels for any issue related to information security to communicate quickly and directly to all users, and so that users can ask questions or report any related issue.

We have developed a comprehensive set of security policies covering a wide variety of topics. These policies are shared and made available to all employees and contractors with access to Userlytics’ information assets, and remain available to them at all times.

Human Resources

Userlytics conducts background checks on all new employees in accordance with local laws, following best legal guidance. New employees are subject to the terms and conditions of employment, which defines their information security responsibilities.

All new employees receive onboarding and security training, including accounts and permissions setup, formal secure software development training (if pertinent), security policies review, company policies review, and corporate values and ethics policies review. 

All employees sign an NDA and review key security policies as part of onboarding, and are encouraged to review and contribute to policies via internal documentation.

Termination processes ensure that access to any and all systems, applications, services, data,  as well as access to buildings is terminated on the employee’s or contractor’s last day within the organization.

Physical Security

A Physical Security Policy which ensures robust physical security is implemented across our environments, on premise and in the cloud. This policy covers areas such as secure working areas, securing our assets, restricting access to our buildings and offices to appropriate personnel, and emergency scenarios. 

Userlytics’ application and data are hosted in the industry-leading cloud hosting provider Amazon Web Services (AWS). We use multiple availability zones to ensure that a failure in any single data center does not affect the availability of our products or customer data. For more information on the AWS physical security topic, see this link: https://aws.amazon.com/compliance/data-center/controls/?nc1=h_ls

Physical access to our data centers, where customer and tester data is hosted, is limited to authorized personnel only, with access verified via biometric measures. Physical security measures for our data centers include on-premise security guards, closed-circuit video monitoring, man traps, and additional intrusion protection measures.

Server and Endpoint Security

Both servers and endpoints are monitored by different pieces of software around the clock. We update our security systems daily, and protection against malware, malicious code execution, anti-phishing, etc. is active at all times. We run antivirus scans daily, and we scan both servers and endpoints for vulnerabilities once a week, or more if necessary. 

Data Security

Information stored locally is forbidden at Userlytics. We are a heavily cloud-based company, and we keep our information safe in the cloud. We use highly reliable providers with a multitude of information security certifications and unblemished reputations.

Our product test and development environments are logically separated from our production environment. Only mock data is used in our development or test environments.

Encryption

Ciphers in use meet or exceed the set defined as “AES-compatible” or “partially AES-compatible” according to the IETF/IRTF Cipher Catalog, or the set defined for use in the United States National Institute of Standards and Technology (NIST) publication FIPS 140-2, or any superseding documents according to the date of implementation. The use of the Advanced Encryption Standard (AES) is strongly used for symmetric encryption.

FIPS is enabled on all servers and endpoints.

In Transit

Any customer data is encrypted in transit over public networks using TLS 1.2+ to protect it from unauthorized disclosure or modification. Our implementation of TLS enforces the use of strong ciphers and key-lengths where supported by the browser.
All servers and applications exposed to the internet using TLS have the certificates signed by a known, trusted provider.

At Rest

Data at rest in the production network is encrypted using FIPS 140-2 compliant encryption standards, (industry standard AES-256 encryption algorithm) which applies to all types of data at rest within Userlytics’s systems—relational databases, file stores, database backups, etc. All encryption keys are managed by AWS KMS and SSE-S3.

Asset Disposal

When Technology assets have reached the end of their useful life or when an employee stops working for the company, they are sent to the Operations team for proper disposal.  The Operations team will securely erase all storage mediums following current industry best practices.

All electronic drives must be degaussed or overwritten using the BSI method: 
9-pass method recommended by the German Center of Security in Information Technologies (http://www.bsi.bund.de): 0xff, 0xfe, 0xfd, 0xfb, 0xf7, 0xef, 0xdf, 0xbf, 0x7f. 

When a storage device in AWS has reached the end of its useful life, AWS decommissions media using techniques detailed in NIST 800-88. Media that stored customer data is not removed from AWS control until it has been securely decommissioned.

Data Classification

We have policies in place that define the classification of our data, the procedures for the transmission of information, the persons responsible and the responsibilities involved in the handling of information, as well as the maintenance of information. All this under the command of our DPO, who is responsible for the information.

Data Collection

Limited Participant PII
We only collect the participant PII that is necessary to manage demographics and connect our clients with the right test participants. We do not share a participant’s full details so as to protect their PII. Our system is also configured so as to allow our clients to “block” screen recording during specific tasks.

Data Retention

Unless we receive a deletion request, we keep data for 365 days from end of contract, and an additional 45 days in backup systems. If deletion is requested, then data is deleted, except for backup, that will require an additional 45 days. 

Business Continuity and Incident Response

High Availability

Every part of our service uses properly-provisioned, redundant servers (e.g., multiple load balancers, web servers, replica databases, etc.). In the case of failure, or as part of regular maintenance windows, servers are taken out of operation without impacting availability.

Business Continuity Plan

Our firm’s policy is to respond to a significant business disruption by safeguarding employees’ lives as well as company property, making a financial and operational assessment, quickly recovering and resuming operations, protecting all the firm’s books and records, and allowing our customers to transact business.

With the implementation of business continuity, Userlytics’ goal is to fulfill its strategic objectives and continue normal business operations with a goal of 99% capacity measured throughout the year, including holidays and weekends. Our actual availability, since the founding of Userlytics in 2009, has been higher than 99.99%.

Incident Response Plan

We have defined roles and responsibilities for participants of the Incident Response Plan, characterization of incidents, relationships to other policies and procedures, and reporting requirements.

The goal is to detect and react to security incidents, determine their scope and risk, respond appropriately to the incident, communicate the results and risk to all stakeholders, and reduce the likelihood of the incident from reoccurring with a lessons learning procedure.  

Disaster Recovery Plan

We have a policy in place that has been created to establish priorities, to establish roles for each employee or department, and to define the steps to be taken to restore the service in case of total service disruption, and/or loss of data.

Our platform is duplicated in different regions to avoid service outages resulting from a problem in a specific area. This includes the databases and all the services necessary to keep the service fully operational.

The most important data for our service is backed up with three different copies per day, which are stored encrypted in three different locations.

The Disaster Recovery Plan is regularly tested.
Our RTO and RPO times are defined in our DRP as: 
RPO: 24h, RTO: 48h.

Identity & Access Management

Application Security

Change Policy

As part of our commitment to security, any change to operational or production systems must be approved, authorized, recorded and tested.
In addition, the Security team will evaluate all possible risks involving any new changes.

Secure SDLC

All software development/acquisition must comply with an application development methodology that incorporates security planning during each phase of development or maintenance and adheres to formalized secure coding methodology. This approach requires that development teams assess the risks of the application and data and incorporate controls to mitigate such risks. When performing software changes, the protection of affected information assets is evaluated, an analysis of the security features required by the changes is performed, and the impact software changes will have on existing security controls is assessed. 
Our development life cycle involves testing the software based on OWASP Top 10, as well as other vulnerabilities.
We enforce the separation of tests from the production environment. Data from production is not used for testing purposes.

Operations and Monitoring

Governance, Risk and Compliance

Governance Risk

Userlytics has established roles and responsibilities for the effective management of the company’s information system and information security. The senior management is managing the chief officers directly, and the chief officers are responsible for the management of a specific area. Userlytics has chief officers for the following areas: 

• Technology (CTO)
• Security (CISO)  
• Operations (COO) 
• Data (DPO)
• Finance (CFO) 

The responsible chief officers are required to do an annual gap analysis of the security standards, laws, and regulations to ensure that the company is compliant with them. Any gap identified must be reported along with a mitigation recommendation to the CEO who will review and approve the mitigation plan. 

The progress of the mitigation plan is tracked by the relevant chief officer and reported to the CEO team during the monthly executive management meetings. 

The company annually conducts an internal and external compliance audit to ensure that the company is in line with the ISO 27001 standards requirements as well as any other law or regulation. 

Risk Management

The company’s approach to risk management framework includes a qualitative asset/scenario-based risk assessment methodology that is following the NIST 800-30 special publication guidelines.  https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

Userlytics conducts an annual internal risk assessment that is managed by the CTO.The risk report is provided to the senior management team, and a risk treatment plan is developed by the CTO and approved by the senior management.

The company’s risk appetite is low. The risk action and the approval of the action (reduce, accept, transfer, avoid) are clearly captured during the process and recorded into the risk assessment documentation.  

Third Party Security Management Policy

To run efficiently, we rely on sub-service organizations. Where those sub-service organizations may impact the security of the production environment, we take appropriate steps to ensure our security measures are maintained by establishing agreements that require service organizations to adhere to privacy & confidentiality commitments we have made to users. 

Userlytics monitors the effective operation of the organization’s safeguards by conducting reviews of all service organizations’ controls before use and at least annually. 

Compliance

Our security program has been developed and run in compliance with a number of industry standards. Complying with well-known industry standards is an integral part of our approach to security because we understand they provide independent assurance to our customers that Userlytics’ security program meets a baseline of security controls.

ISO 27001

ISO 27001 certification is the internationally recognized best practice framework for an Information Security Management System (ISMS) and ensures that we have invested in the people, processes, and technology to protect our customer´s data and privacy. Both our hosting provider (Amazon Web Services, AWS) and Userlytics itself are ISO 27001 certified, and AWS is also SOC 1, 2 and 3 certified, adding an additional layer of security to the data shared through our platform. 

Standard Contractual Clauses (SCC) Compliant

Userlytics is fully compliant with the SCCs, a set of clauses ensuring appropriate data protection safeguards for data transfers from the EU to third countries. Compliance with these safeguards ensures the implementation of the right tools and security controls for provision of continuous monitoring and incident response.

Data Privacy Framework

Userlytics represents that it is self-certified to the EU-U.S. and Swiss-U.S. Data Privacy Framework and agrees, with respect to the relevant transfer or Data processing, that it shall comply with the Data Privacy Framework Principles when handling any such data. The Data Privacy  Framework may be (depending on the data, specific transfer, among others) the lawful transfer mechanism of Tester and Client Data from the European Economic Area or Switzerland to the United States, only to the extent such transfer is not covered by the SCCs annexed in the applicable transfer and/or Agreement (established between the Parties). Userlytics, at the request of the United States Department of Commerce (or any successor body) or a competent supervisory authority, enforcement or other public or regulatory authority, court or tribunal, may make available to them a summary or representative copy of the applicable transfer mechanisms and/or the relevant provisions established in the applicable Data Processing Agreement. For more information, please refer to our Data Privacy Framework Statement here.

Additional questions about our
privacy and security practices

Analytics tells you what,
Userlytics tells you WHY.