Userlytics’ Information Security Overview

Userlytics takes pride in operating and continuously reviewing a documented Information Security Management System framework to protect the privacy and security of our clients, test participants, and team members. Over the years, we have taken special care to ensure we are following and exceeding the top internationally recognized security standards to prevent unauthorized access, damage or deletion of any private information.

Below are some of the measures we have put in place to ensure ongoing data security:
Learn More
Userlytics’ Information Security Overview

Userlytics’ Information Security Overview

ISO 27001

ISO 27001 certification is the internationally recognized best practice framework for an Information Security Management System (ISMS) and ensures that we have invested in the people, processes, and technology to protect our customer´s data and privacy. Both our hosting provider (Amazon Web Services, AWS) and Userlytics itself are ISO 27001 certified, and AWS is also SOC 1, 2 and 3 certified, adding an additional layer of security to the data shared through our platform. Our RTO and RPO times are defined in our DRP as: RPO: 24h, RTO: 48h.

Standard Contractual Clauses (SCC) Compliant

Userlytics is fully compliant with the SCCs, a set of clauses ensuring appropriate data protection safeguards for data transfers from the EU to third countries. Compliance with these safeguards ensures the implementation of the right tools and security controls for provision of continuous monitoring and incident response.

Data Security


All confidential and proprietary data (including video files, customer and test participant data) is hosted through Amazon Web Services (AWS), a SOC 1, 2 and 3 as well as ISO 27017 certified hosting provider with the following global security certifications: CSA, ISO 9001, ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1, SOC 1, SOC 2 and SOC 3 as well as: CJIS, DoD SRG, FedRAMP, FERPA, FIPS, FISMA, HIPAA, and NIST.

Data Encryption

All of our data is stored in encrypted form using 256-bit AES encryption; AWS Key Management Services manages the Encryption keys. Additionally, all communications to and from our services are encrypted using TLS 1.2 or greater.

Data Security

Based on internationally recognized best practices (NIST and FIPS), we use the following encryption methods:

  • 01Encrypt data in transit
  • 02Encrypt data at rest
  • 03Encrypt backup data
  • 04Encrypt confidential information
  • 05Encrypt endpoints

Password and Login Protection

Our strict password policy applies to our platform and all our systems. Some of its features are:

  • Two-Factor Authentication
  • Prevents users from reusing the last 12 passwords
  • Mandatory password complexity
  • Locking accounts after multiple failed attempts
  • Session Inactivity Timeout
  • Single Sign-On
Password and Login Protection


At Userlytics, we take care of the products and services we provide to our customers. When developing software, we follow a series of standardized methodologies and phases and code analysis tools to ensure the product is safe.



We periodically review the security processes and measures of our suppliers and collaborators.

Data Sanitization and Asset Disposal

Data Sanitization and Asset Disposal

When a storage device has reached the end of its useful life, media that stored customer data is always securely decommissioned. We decommission media using NIST and BSI techniques.

Data Collection

Data Collection

Limited Participant PII

We only collect the participant PII that is necessary to manage demographics and connect our clients with the right test participants. We do not share a participant’s full details so as to protect their PII. Our system is also configured so as to allow our clients to “block” screen recording during specific tasks.

Learn More


Advanced Security Training for all Team Members

We conduct periodic cybersecurity courses for all personnel, specific to their roles. We also have a stringent hiring policy in place to guide the hiring of personnel, which entails pre-hire screenings and testing to ensure proper security awareness.


The Board of Userlytics is extensively involved in the development of the Userlytics' security framework. Our prioritization of information security ensures the company’s ISMS controls are properly integrated into our processes.


Disaster Recovery and Risk Management

Risk Management Assessment

Identifying security threats, the probability of their occurrence, and adapting processes, technologies, personnel and facilities to handle them is necessary to maintain the security of our client and participant information.

We are equipped with processes and tools to adequately assess, prevent, and mitigate any possible risks to our client´s security.

Disaster Recovery Plan

In line with our business continuity plan, Userlytics has a backup and recovery strategy that covers all relevant processes and assets of the organization to ensure adequate service to our clients.

Business Continuity Plan

It is a priority objective of the company to provide our customers with a Service Level Agreement (SLA) higher than 99%, allowing us to provide customers with service availability at all times, regardless of the circumstances. Our actual availability, since the founding of Userlytics in 2009, has been higher than 99.99%.

Incident Response Plan

As part of our dedication to data security, we are constantly monitoring for potential security threats and incidents.

Any potential threats are appropriately classified and communicated to stakeholders to comply with legislation and regulation, and more importantly, to assure our clients that their information is safe with us.

To this end, we have personnel and processes assigned to review threats and inform our stakeholders, as well as the tools, technology and policies to adequately mitigate these threats.

The Userlytics Security Team

The Userlytics security team is dedicated to implementing and maintaining internationally recognized security standards to prevent unauthorized access, damage or deletion of any private information. The team is made up of our Chief Information Security Officer (CISO) and a surrounding group of staff members trained in data and security protection.

With expertise in various areas of information security, membership in several international cybersecurity communities, and ownership of various industry-leading certifications, our security team is constantly learning and updating their knowledge on new risks and processes in order to keep your data safe.

Our security team implements various measures to ensure ongoing information security, including:

Our security team implements various measures to ensure ongoing information security
  • Daily security tools and logs monitoring
  • Weekly security scans, reports, updates, and meetings
  • Monthly security trainings
  • Required cybersecurity courses
  • Pentests (simulated cyber attacks) conducted on at least a yearly basis
Additional questions about our privacy and security practices may be forwarded to our security team: