UserZoom sets the bar for security in UX Research platforms

UserZoom becomes the first usability company to meet SOC2 compliance

AICPA is the organization responsible for regulating SOC2 audits

In the world of UX insights, keeping users’ data private and secure is at the top of our priority list, which is why we are proud to announce that as of Q4 2017 UserZoom has successfully passed a SOC2 Type 1 audit and been certified by Coalfire. Coalfire is one of the leaders in cybersecurity, with customers such as 3M, Concur, Intel, LexisNexis, and GoDaddy among others.

At the end of the day, being compliant with SOC2 certifies that our customers can trust us to safeguard their data. We’re also proud to announce that UserZoom is the first usability company to meet SOC2 compliance. By achieving this certification, UserZoom has taken a great step forward in leading the UX sector in terms of platform security.

What is SOC2 compliance

SOC2 is a compliance framework that helps companies hosted in the cloud demonstrate that they comply with a defined set of controls related to security and confidentiality, among others. In particular, it provides their customers with an objective, independent third-party review by which to measure how secure a potential service provider is.

SOC2 certification is built on 5 Trust Service Principles (TSP): Security, Availability, Processing Integrity, Confidentiality and Privacy. The certification process itself lasted 6 months; however, it is the culmination of the hard work performed over the last 7 years and proves how focused we’ve been on security at UserZoom, both in our platform and in the processes of the company.

Security has always been a top priority in UserZoom

Since the inception of the company, security has always been a top priority for UserZoom. The proof is that we have a Security Department led by one of our founding VPs and staffed by specialist IT security engineers, and that security is completely integrated into the development process within our Engineering Department.

The goal of our Security Department is to take care of how UserZoom manages information and security, and to provide our customers with outstanding safety while using our services. Working side-by-side with the R&D Department allows UserZoom to build everything with security in mind from the outset.

A quick recap of the ways we’re implementing safety and security of data here at UserZoom

Data handling: One of the greatest security concerns that customers always have is how we store their data. Two key factors are:

  • Encryption: All customer data in UserZoom is encrypted both when it’s stored and transmitted.
  • Segregation: Each UserZoom customer has its own database. That’s how we make sure that customer data does not get commingled and, as a result, exposed.

Hosting infrastructure: UserZoom hosts data on a private cloud at Rackspace, an industry leader in the IaaS sector, which guarantees service availability and lets UserZoom offer its clients a reliable service.

Penetration Testing and OWASP Top 10: Besides going through several internal and external security pentest audits, we undergo an annual third-party pentest with a well-known firm such as NCC Group.

Vulnerability scans: We run a vulnerability scan of all our systems every 30 days to check for security issues. In the event an issue is detected, we have a remediation plan in place to correct it with high priority.

Risk assessment: The Security Team carries out and maintains a risk assessment every time a potential issue is identified, for instance when a new vendor is hired or when an internal procedure has room for improvement.

Single Sign-on (SSO): UserZoom offers its customers the possibility of integrating the platform with the customer’s own login system. It is a value-added feature that provides easier and more secure credential management.

Security documentation: We provide all our customers with the UserZoom Security Whitepaper, an up-to-date and comprehensive document that contains useful information about our security procedures and policies.

Additional certifications: Prior to SOC2, UserZoom had already been awarded the following certifications:

  • TRUSTe Privacy Seal: This Privacy Seal certifies that our privacy policy and best practices have been reviewed by TRUSTe. It gives customers’ study participants extra confidence about how their data is processed and handled.
  • TRUSTe Trusted Download: The TRUSTe Trusted Download privacy certification follows a comprehensive and proven multi-step process to ensure that UserZoom’s privacy practices meet applicable regulatory and industry standards.
  • Privacy Shield Framework: UserZoom complies with the privacy and security measures required by the European Commission and the U.S. Department of Commerce to be Privacy Shield certified, allowing the transmission of personal data from the EU to the U.S.
  • COPPA Safe Harbor Certification Program: PRIVO is an independent, third-party organization committed to safeguarding children’s personal information collected online. UserZoom is certified by PRIVO with respect to compliance with the Children’s Online Privacy Protection Act.

Moving Forward

For us this is not where we stop – it is merely the most recent major milestone, one of many which we’ve pursued and accomplished to date. In the words of Jordi Ibáñez, UserZoom’s VP of Security, “This milestone enhances UserZoom’s leadership in the UX sector by including Security in its roadmap as a key factor, and clearly demonstrates our commitment to privacy and security.”