Last updated: July 1, 2025
All capitalized terms used but not defined herein have the meaning set forth in the commercial services agreement and/or terms between User Interviews, Inc. (“UI”) and Customer (the “Agreement”).
UI has implemented and maintains an information security program designed to provide a secure technology environment and to protect the Services and Customer Data against accidental, unlawful or unauthorized access, use, destruction, loss, disclosure, or alteration. UI’s approach to security and data protection incorporates both technical controls and organizational processes designed to implement the information security principles of confidentiality, integrity, and availability. These technical and organizational measures include the following:
UI receives an annual SOC 2 Type II report attesting to the suitability of the design and operating effectiveness of its security controls. UI is also ISO/IEC 27001:2022 and ISO/IEC 27701:2019 certified, meaning that UI has undergone a third-party security and privacy audit and achieved internationally recognized standards for an effective information security and privacy management system (ISPMS). Please visit UI’s Trust Center to download UI’s latest SOC 2 Type II report and ISO 27001 & 27701 certificates.
UI maintains and follows documented information security and privacy policies and practices that are mandatory for all User Interviews employees, including supplemental personnel. At least annually, UI reviews its policies and amends them as appropriate to maintain the security and privacy of Customer Data and the Services in accordance with industry standards. Please visit UI’s Trust Center to download UI’s security policies.
UI is a fully remote organization and does not directly manage any data centers or other physical premises. UI’s data center provider, Amazon Web Services (AWS), employs physical and environmental controls that meet or exceed industry standards and adhere to SOC 2 Type II and ISO 27001 certification standards. For more information, please visit https://aws.amazon.com/compliance/data-center/.
UI employees are required to secure their physical workspaces and laptops in compliance with applicable company policies. In addition, UI implements protections on employee laptops, including antivirus/anti-malware software, firewalls, screen lock requirements, hard disk encryption and appropriate patch levels. Laptops intended for reuse are securely sanitized prior to reuse, and laptops not intended for reuse are securely destroyed in accordance with UI’s asset management procedures.
UI, together with its infrastructure providers, employs controls designed to secure systems and networks, including: centralized logging of all system activity, configured to generate alerts for unusual activity; risk-based review procedures for alerts generated from such centralized logging; tools to prevent deployment of common types of malware, including ransomware; segregation of development and staging environments from production environments; network configuration and hardening measures; technical vulnerability management controls; risk management procedures, including annual risk assessments; and data loss prevention rules to detect and block the transmission of data via email.
Vulnerability scans are run on internal systems at least monthly, and an independent third party performs a penetration test of all public-facing systems at least annually. Please visit UI’s Trust Center to download UI’s latest penetration test report.
All software developers are required to adhere to UI’s documented standards for secure software development and must complete a secure coding training annually. UI-developed software is version controlled and synced between contributors (developers). Access to the central repository is restricted based on an employee’s role. All code is written, tested, and saved in a local repository before being synced to the origin repository. All code changes are required to follow formal change control procedures, including senior engineer approval, a process for testing changes, security testing, system acceptance testing, and a process for remediating unsuccessful changes.
Customer Data is encrypted at rest on UI’s AWS-based infrastructure using AES-256, and endpoint devices utilize disk encryption using either AES-128 or AES-256. Customer Data is encrypted in transit using TLS 1.3 (or TLS 1.2 if the end user’s browser does not support TLS 1.3).
UI determines the type and level of access granted to personnel based on the principle of least privilege. Single sign-on, two-factor authentication, and complex password requirements are in place to enforce secure authentication. All user access requests are documented and can be granted only by authorized administrators. Access rights are reviewed at least quarterly for high-risk systems, at least annually for all systems, and as part of any job role change. Access is promptly disabled when there is no longer a business requirement for it.
UI segregates Customer Data at the application layer and logs access to any assets containing Customer Data. Every web request is authenticated and authorized before it can access that data. When a Customer inputs data, UI segregates it from other customers’ data based on the authenticated request. UI prohibits the use of any removable media storage (e.g., flash drives, CDs, etc.) to process or store any Customer Data and blocks the ability to write to removable media storage on employee laptops.
During onboarding and annually thereafter, all UI employees are required to complete an information security and privacy awareness training and to review and certify their compliance with all UI policies. During offboarding, employees are reminded of any ongoing data protection and confidentiality obligations.
Background verification checks are conducted for all UI employees in accordance with applicable laws and regulations, as well as for any independent contractors with access to Customer Data or technical privileged or administrative access to UI production systems. All UI employees, including supplemental personnel, are subject to contractual obligations of confidentiality.
For all third parties who may access Customer Data, appropriate due diligence is performed prior to provisioning access or engaging in data processing activities. Such third parties are bound by written agreements that include appropriate confidentiality and non-disclosure obligations as well as commitments regarding the integrity, availability, privacy and/or security controls (as appropriate) that meet or exceed the standards and requirements set forth herein. UI remains responsible for all acts or omissions of its subcontractors.
UI uses an industry-recognized data center provider (AWS) with ISO 27001 and SOC 2 certifications to achieve high availability and resilience. UI maintains and follows documented business continuity and disaster recovery policies and procedures, which are reviewed and tested at least annually. Backups are taken and stored in accordance with data classification and retention requirements to enable restoration. UI’s Recovery Point Objective (RPO) is 2 hours and its Recovery Time Objective (RTO) is 12 hours.
UI classifies data and information systems in accordance with legal requirements, sensitivity, and business criticality in order to ensure that information is given the appropriate level of protection. Customer Data is afforded the highest level of protection by UI.
Customer Data is retained for as long as reasonably necessary to provide the Services or as required by law. Following termination of a customer agreement, UI will delete Customer Data in accordance with the agreement. Notwithstanding the foregoing, UI may retain Customer Data to the extent required by applicable law, provided that such data will be securely isolated and protected from any further processing, except to the extent required by applicable law.
UI welcomes the contribution of external security researchers to help ensure the security and privacy of its users. UI’s voluntary disclosure policy is available at https://www.userinterviews.com/voluntary-disclosure-policy.
UI maintains and follows documented incident response policies and procedures, which are reviewed and tested at least annually. UI will promptly notify affected parties and regulatory agencies of relevant security incidents to the extent required by, and in accordance with, UI’s policies, contractual commitments, and/or legal or regulatory requirements.