Last updated: August 14, 2023
All capitalized terms used but not defined herein have the meaning set forth in the commercial services agreement and/or terms between User Interviews, Inc. (“UI”) and Customer (the “Agreement”).
UI has implemented and maintains an information security program designed to provide a secure technology environment and to protect the Services and Customer Data against accidental, unlawful or unauthorized access, use, destruction, loss, disclosure, or alteration. UI’s approach to security and data protection incorporates both technical controls and organizational processes designed to implement the information security principles of confidentiality, integrity, and availability. These technical and organizational measures include the following:
UI has received a SOC 2 Type II report attesting to the suitability of the design and operating effectiveness of its security controls. UI is also ISO/IEC 27001:2002 and ISO/IEC 27701:2019 certified, meaning that UI has undergone a third-party security and privacy audit and achieved internationally recognized standards for an effective information security and privacy management system (ISPMS). UI will provide its latest SOC 2 Type II report and its ISO 27001 & 27701 certificate to Customer upon written request and subject to confidentiality obligations.
UI maintains and follows documented information security policies and practices that are mandatory for all User Interviews employees, including supplemental personnel. UI periodically reviews its policies and amends them as appropriate to maintain the security of Customer Data and the Services in accordance with industry standards. UI will provide its security policies to Customer upon written request and subject to confidentiality obligations.
UI is a fully remote organization and does not directly manage any data centers or other physical premises. UI’s data center provider, Amazon Web Services (AWS), employs physical and environmental controls that meet or exceed industry standards and adhere to SOC 2 Type II and ISO 27001 certification standards. For more information, please visit https://aws.amazon.com/compliance/data-center/.
UI employees are required to secure their physical workspaces and devices in compliance with applicable company policies. In addition, UI implements protections on employee devices, including antivirus/anti-malware software, firewalls, screen lock requirements, hard disk encryption and appropriate patch levels. Devices intended for reuse are securely sanitized prior to reuse, and devices not intended for reuse are securely destroyed in accordance with UI’s asset management procedures.
UI, together with its infrastructure providers, employs controls designed to secure systems and networks, including: centralized logging of all system activity, configured to generate alerts for unusual activity; risk-based review procedures for alerts generated from such centralized logging; tools to prevent deployment of common types of malware, including ransomware; segregation of development and staging environments from production environments; network configuration and hardening measures; technical vulnerability management controls; risk management procedures, including annual risk assessments; and data loss prevention rules to detect and block the sending of data via email.
Vulnerability scans are run on internal systems at least quarterly, and an independent third party performs a penetration test of all public-facing systems at least annually. UI will provide its latest penetration test report to Customer upon written request and subject to confidentiality obligations.
All software developers are required to adhere to UI’s documented standards for secure software development. UI-developed software is version controlled and synced between contributors (developers). Access to the central repository is restricted based on an employee’s role. All code is written, tested, and saved in a local repository before being synced to the origin repository. All code changes are required to follow formal change control procedures, including senior engineer approval, a process for testing changes, security testing, system acceptance testing, and a process for remediating unsuccessful changes.
Customer Data is encrypted at rest on UI’s AWS-based infrastructure using AES-256, and endpoint devices utilize disk encryption using either AES-128 or AES-256. Customer Data is encrypted in transit using TLS 1.3 (or TLS 1.2 if the end user’s browser does not support 1.3).
UI determines the type and level of access granted to personnel based on the principle of least privilege. Single sign-on, two-factor authentication, and complex password requirements are in place to enforce secure authentication. All user access requests are documented and can be granted only by authorized administrators. Access rights are reviewed at least quarterly and as part of any job role change, and access is promptly disabled when there is no longer a business requirement for it.
UI segregates Customer Data at the application layer and logs access to any assets containing Customer Data. Every web request is authenticated and authorized before it can access that data. When a Customer inputs data, UI segregates it from other customers’ data based on the authenticated request. UI prohibits the use of any removable media storage (e.g., flash drives, CDs, etc.) to process or store any Customer Data.
During onboarding and annually thereafter, all UI employees are required to complete an information security awareness training and to review and certify their compliance with all UI policies. During offboarding, employees are reminded of any ongoing information security responsibilities.
Background verification checks are conducted for all UI employees in accordance with applicable laws and regulations, as well as for any independent contractors with access to Customer Data or with privileged technical or administrative access to UI production systems. All UI employees, including supplemental personnel, are subject to contractual obligations of confidentiality.
For all third parties who may access Customer Data, appropriate due diligence is performed prior to provisioning access or engaging in data processing activities. Such third parties are bound by written agreements that include appropriate confidentiality and non-disclosure obligations as well as commitments regarding the integrity, availability, privacy and/or security controls (as appropriate) that meet or exceed the standards and requirements set forth herein. UI remains responsible for all acts or omissions of its subcontractors.
UI uses an industry-recognized data center provider (AWS) with ISO 27001 and SOC 2 certifications to achieve high availability and resilience. UI maintains and follows documented business continuity and disaster recovery policies and procedures, which are reviewed and tested at least annually. Backups are taken and stored in accordance with data classification and retention requirements to enable restoration.
UI classifies data and information systems in accordance with legal requirements, sensitivity, and business criticality in order to ensure that information is given the appropriate level of protection. Customer Data is afforded the highest level of protection by UI.
Customer Data is retained for as long as reasonably necessary to provide the Services or as required by law. Following termination of a customer agreement, UI will delete Customer Data in accordance with the agreement. Notwithstanding the foregoing, UI may retain Customer Data to the extent required by applicable law, provided that such data will be securely isolated and protected from any further processing, except to the extent required by applicable law.
UI welcomes the contribution of external security researchers to help ensure the security and privacy of its users. UI’s voluntary disclosure policy is available at https://www.userinterviews.com/voluntary-disclosure-policy.
UI maintains and follows documented incident response policies and procedures, which are reviewed and tested at least annually. UI will promptly notify affected parties and regulatory agencies of relevant security incidents to the extent required by, and in accordance with, UI’s policies, contractual commitments, and/or legal or regulatory requirements.