UserGuiding Security focuses on protecting customer data from unauthorized access and implements the following controls:

Data Classification & Handling

UserGuiding classifies customer data and establishes the most appropriate way of handling, storing, retrieving, and disposing of this data according to its classification. Customer data is classified at the highest level.

Data Encryption in Transit and At Rest

UserGuiding uses best-practice encryption algorithms for its cryptographic controls to ensure the security of data and of the environment in which that data is stored.

All data is encrypted at rest and in motion. All data in transit uses TLS connections, and data at rest is encrypted by default, always. Database backups are also automatically encrypted at rest. Encryption keys are managed using GCP (Google Cloud Platform) services coupled with industry-standard methods. The service is SOC 2 Type 1 certified and HIPAA ready.

Applications use a layer between application business logic and database resources. This intermediate layer ensures that one customer is not able to access another customer's data. Data in databases is segmented by tenant.

Credit Card Information Security

UserGuiding uses Stripe as a third-party payment processing service. Credit card information is sent directly to Stripe in encrypted form and processed securely. UserGuiding does not store, collect, or process customers' credit card information. Stripe is PCI compliant, and our use of their service preserves that PCI compliance.

Systems & Communication Security

The security of our infrastructure and networks is crucial. Providing a secure network environment is one of the important goals of our security program. Within the UserGuiding infrastructure, public-facing networks and private networks are isolated from each other to protect customer data.

The TLS 1.2 protocol is used for transferring all customer data. IP restriction is also used for accessing GCP.

Public networks are protected against global threats, including DDoS, spoofing, and port scanning, with multiple levels of firewall. Network systems are managed by designated operators with a specific business need. The Development and maintenance section of this document describes how changes are applied.

UserGuiding uses multiple security tools to configure security settings, assess vulnerabilities, and detect intrusions.

Wherever feasible, UserGuiding adopts serverless services provided by GCP and hardens the security of these services. Adopting serverless allows UserGuiding to increase the overall security of our applications and systems.

Logging

UserGuiding maintains extensive logs specific to the application, operating system, and database layers. The responsible users and user groups monitor and review all log data.

Log information is protected against tampering and unauthorized access. System administrator and system operator activities are logged, and access/change actions can be reviewed.

Protection from malware and malicious code

Servers and endpoint devices such as laptops and desktops are protected against, and monitored for, malware and malicious or unsafe code and applications by deploying a set of protection tools.

Change Control

In order to prevent a breach of data, UserGuiding controls all changes in the production environment according to security requirements defined throughout this document. All tests are documented and approved before deployment.