Userzoom’s Technical and Organisational Measures


  • By default, UserZoom does not collect personal data. However, depending on the kind of studies and questions asked by the Customers, results may include the recording of the face and audio of study participants.
  • Customers are not able to identify the participant because identifiable information is not viewable by the Customer  in the platform or at any point during the provision of the Services, only a participant ID number is shown.


  • Data in transit encrypted up to TLS1.2 (HTTPS).
  • Data at rest is encrypted with AES256-bit.
  • Tunneling with remote connections VPN.


Physical access control

  • UserZoom’s hosting provider is AWS. AWS has in place several controls to provide security to their customers.
  • AWS is compliant with several security certifications: ISO27001, SOC1 (SSAE 18), SOC2, SOC3, PCI-DSS

Logical access control

  • Only senior management of UserZoom have access to the production environment. 
  • Users need to have the VPN client, with valid credentials and the MFA in place (certificate).
  • Access is granted on a need-to-know basis, previously reviewed and approved by senior management.
  • UserZoom meets the standard requirements of password complexity. For additional information, please review section 4.3 of the UserZoom security whitepaper.

Role-based access control

  • UserZoom logs every access in “UserZoom Manager” (being the Customer’s view of the platform) and in the production environment.
  • UserZoom works with the authorization concept:
    - Rights Management
    - Differentiated rights
    - Roles
    - Authorisation routines
    - Task-specific rights profiles

Monitoring of data transmission

  • Logging and monitoring.
  • Encryption of data transmissions using modern technological standards.

Erasure of data

  • Backups are stored for 90 days (or 30 days in relation to the UserZoom Go platform) after contract expiration, then are securely erased.

Monitoring of separation

  • Separate databases -> Data is logically segregated.
  • Separation of live and test data.
  • Sandboxing.
  • Separate Systems.


  • System-based logging.
  • Security/logging software.


Ensuring availability

  • Auto-scaling groups.
  • Disaster recovery concept.
  • Emergency plan.
  • Contingency plans and reporting channels.
  • DIsaster recovery test (annually):
    - Air conditioning
    - Fire and extinguishing water protection
    - Alarm system
    - Uninterruptible power supplies

Purpose limitation

  • Written agreement on commissioned data processing.
  • Training of all employees authorised to access data.
  • Committing employees to confidentiality.
  • Regular data protection audits.
  • Right to audit.

Resilience of the systems

  • Auto-scaling groups.
  • Ongoing monitoring services.

Post-incident recovery

  • Backup strategy.
  • Backup method.
  • Recovery concept for IT systems.

Regular review of technical and organisational measures

  • On an annual basis, UserZoom measures being audited during the SOC 2 Type 2.
  • On a regular basis, UserZoom performs internal security audits according to its internal policies.