Last updated: May 25, 2022
All capitalized terms used but not defined herein have the meaning set forth in the commercial services agreement and/or terms between User Interviews, Inc. (“UI”) and Customer (the “Agreement”).
UI has implemented and maintains an information security program designed to provide a secure technology environment and to protect the Services and Customer Data against accidental, unlawful or unauthorized access, use, destruction, loss, disclosure, or alteration. UI’s approach to security and data protection incorporates both technical controls and organizational processes designed to implement the information security principles of confidentiality, integrity, and availability. These technical and organizational measures include the following:
UI has received a SOC 2 Type I report attesting to the suitability of the design and operating effectiveness of its security controls. UI will provide its SOC 2 Type I report to Customer upon written request and subject to confidentiality obligations.
UI maintains and follows documented information security policies and practices that are mandatory for all User Interviews employees, including supplemental personnel. UI periodically reviews its policies and amends them as appropriate to maintain the security of Customer Data and the Services in accordance with industry standards.
UI is a fully remote organization and does not directly manage any data centers or other physical premises. UI’s data center provider, Amazon Web Services (AWS), employs physical and environmental controls that meet or exceed industry standards and adhere to SOC 2 Type II and ISO 27001 certification standards. For more information, please visit https://aws.amazon.com/compliance/data-center/.
UI employees are required to secure their physical workspaces and devices in compliance with applicable company policies. In addition, UI implements protections on employee devices, including: antivirus/anti-malware software, firewalls, screen lock requirements, hard disk encryption and appropriate patch levels. Devices intended for reuse are securely sanitized prior to reuse, and devices not intended for reuse are securely destroyed in accordance with UI’s asset management procedures.
UI, together with its infrastructure providers, employs controls designed to secure systems and networks, including: centralized logging of all system activity, configured to generate alerts for unusual activity; risk-based review procedures for alerts generated from such centralized logging; tools to prevent deployment of common types of malware, including ransomware; segregation of development and staging environments from production environments; network configuration and hardening measures; technical vulnerability management controls; and risk management procedures including annual risk assessments.
Vulnerability scans are run on internal systems at least quarterly, and an independent third party performs a penetration test of all public-facing systems at least annually.
All software developers are required to adhere to UI’s documented standards for secure software development. UI-developed software is version controlled and synced between contributors (developers). Access to the central repository is restricted based on an employee’s role. All code is written, tested, and saved in a local repository before being synced to the origin repository. All code changes are required to follow formal change control procedures, including senior engineer approval, a process for testing changes, security testing, system acceptance testing, and a process for remediating unsuccessful changes.
Customer Data is encrypted at rest on UI’s AWS-based infrastructure using AES 256, and endpoint devices utilize disk encryption using either AES 128 or AES 256. Customer Data is encrypted in transit using TLS 1.3 (or 1.2 if the end-user’s browser does not support 1.3).
UI determines the type and level of access granted to personnel based on the principle of least privilege. Single sign-on, two-factor authentication, and complex password requirements are in place to enforce secure authentication. All user access requests are documented and can be granted only by authorized administrators. Access rights are reviewed at least quarterly and as part of any job role change, and access is promptly disabled when there is no longer a business requirement for it.
UI segregates Customer Data at the application layer and logs access to any assets containing Customer Data. Every web request is authenticated and authorized before it may access that data. When a Customer inputs data, UI segregates it from other customers’ data on the basis of the authenticated request. UI prohibits the use of any removable media storage (e.g., flash drives or CDs) to process or store any Customer Data.
During onboarding and annually thereafter, all UI employees are required to complete an information security awareness training and to review and certify their compliance with all UI policies. During offboarding, employees are reminded of any ongoing information security responsibilities.
Background verification checks are conducted for all UI employees in accordance with applicable laws and regulations, as well as for any independent contractors with access to Customer Data or with privileged technical or administrative access to UI production systems. All UI employees, including supplemental personnel, are subject to contractual obligations of confidentiality.
For all third parties who may access Customer Data, appropriate due diligence is performed prior to provisioning access or engaging in data processing activities. Such third parties are bound by written agreements that include appropriate confidentiality and non-disclosure obligations as well as commitments regarding the integrity, availability, privacy and/or security controls (as appropriate) that meet or exceed the standards and requirements set forth herein. UI remains responsible for all acts or omissions of its subcontractors.
UI uses an industry-recognized data center provider (AWS) with ISO 27001 and SOC 2 certifications to achieve high availability and resilience. UI maintains and follows documented business continuity and disaster recovery policies and procedures, which are reviewed and tested at least annually. Backups are taken and stored in accordance with data classification and retention requirements to enable restoration.
UI classifies data and information systems in accordance with legal requirements, sensitivity, and business criticality in order to ensure that information is given the appropriate level of protection. Customer Data is afforded the highest level of protection by UI.
Customer Data is retained for as long as reasonably necessary to provide the Services or as required by law. Following termination of a customer agreement, UI will delete Customer Data in accordance with the agreement. Notwithstanding the foregoing, UI may retain Customer Data to the extent required by applicable law, provided that such data will be securely isolated and protected from any further processing, except to the extent required by applicable law.
UI maintains and follows documented incident response policies and procedures, which are reviewed and tested at least annually. UI will promptly notify affected parties and regulatory agencies of relevant security incidents to the extent required by, and in accordance with, UI’s policies, contractual commitments, and/or legal or regulatory requirements.