Technical and Organizational Measures

Last updated: July 2, 2026

All capitalized terms used but not defined herein have the meaning set forth in the commercial services agreement (“Agreement”) between Customer and UserTesting Technologies, Inc. or any of its Affiliates (collectively, “UserTesting”).

UserTesting has implemented and maintains an information security and privacy program designed to provide a secure technology environment and to protect the Products, Services, and Customer Property against accidental, unlawful, or unauthorized access, use, destruction, loss, disclosure, or alteration. UserTesting’s approach to security and data protection incorporates both technical controls and organizational processes designed to implement the information security principles of confidentiality, integrity, and availability. These technical and organizational measures include the following:

Documentation

Copies of audit certificates/reports, policies, executive summaries of third-party penetration tests, and other security and privacy resources are available for download, subject to confidentiality undertakings. 

UserTesting Trust Center: https://trust.usertesting.com/

User Interviews Trust Center: https://trust.userinterviews.com/ 

Security and Privacy Certifications

UserTesting receives an annual SOC 2 Type 2 report attesting to the suitability of the design and operating effectiveness of its security controls. UserTesting is also ISO/IEC 27001:2022 and ISO/IEC 27701:2019 certified, meaning that UserTesting has undergone a third-party security and privacy audit and achieved internationally recognized standards for an effective information security and privacy management system (ISPMS). UserTesting, Inc. and UserTesting Technologies, Inc. have also self-certified to the EU-U.S. Data Privacy Framework but do not rely on it as a legal basis for cross-border transfers of personal data.

Security and Privacy Policies

UserTesting maintains and follows documented information security and privacy policies and practices that are mandatory for all UserTesting employees. At least annually, UserTesting reviews its policies and amends them as appropriate to maintain the security and privacy of the Products, Services, and Customer Property in accordance with industry standards. 

Personnel and Subcontractors

During onboarding and annually thereafter, all UserTesting employees are required to complete information security and privacy awareness training and to review and certify their compliance with applicable security and privacy policies. During offboarding, employees are reminded of any ongoing data protection and confidentiality obligations.‍

Background verification checks are conducted for all UserTesting employees in accordance with applicable laws and regulations, as well as for any independent contractors with access to Customer Property or technical privileged or administrative access to UserTesting production systems. All UserTesting employees, including supplemental personnel, are subject to contractual obligations of confidentiality.

For all third parties who may access Customer Property, appropriate due diligence is performed prior to provisioning access or engaging in data processing activities. Such third parties are bound by written agreements that include appropriate confidentiality and non-disclosure obligations as well as commitments regarding the integrity, availability, privacy and/or security controls (as appropriate) that meet or exceed the standards and requirements set forth herein. UserTesting remains responsible for the acts or omissions of its subcontractors.

Physical and Endpoint Security

UserTesting does not directly manage any data centers. UserTesting’s data center provider, Amazon Web Services (AWS), employs physical and environmental controls that meet or exceed industry standards and adhere to SOC 2 Type II and ISO 27001 certification standards. For more information, please visit https://aws.amazon.com/compliance/data-center/.

As UserTesting is a remote-first company, employees work predominantly from home, with voluntary access to physical corporate offices. These offices are completely isolated from the cloud production environments where UserTesting’s business infrastructure is deployed. No business services are hosted on-premise, and the office network serves solely as a generic internet gateway. Consequently, no customer or corporate data repositories reside within physical office facilities. Security controls are primarily enforced at the endpoint and cloud application layers, ensuring an identical, robust security posture regardless of whether an employee works from home or the office.

All corporate office locations are secured via electronic access control systems assigned to individual personnel and are protected by facility-level surveillance and/or internal security monitoring systems, as applicable. Visitors must sign in and be escorted at all times.

UserTesting’s clean desk policy mandates that employees keep all confidential information stored in a secure location and never left unattended in workspaces. In addition, UserTesting implements protections on employee computers, including antivirus/anti-malware software, firewalls, screen lock requirements, hard disk encryption and appropriate patch levels. Laptops intended for reuse are securely sanitized prior to reuse, and laptops not intended for reuse are securely destroyed in accordance with UserTesting’s asset management procedures.

Data Encryption

Data is encrypted at rest on UserTesting’s AWS-based infrastructure using AES 256, and endpoint devices utilize disk encryption using either AES 128 or AES 256. Data is encrypted in transit using TLS 1.2 or better.

Data Classification, Retention, and Deletion

UserTesting classifies data and information systems in accordance with legal requirements, sensitivity, and business criticality in order to ensure that information is given the appropriate level of protection. Customer Property is afforded the highest level of protection by UserTesting.

Customer Property is retained for as long as reasonably necessary to provide the Products and Services or as required by law. Following termination of a customer agreement, UserTesting will return and/or delete Customer Property in accordance with the Agreement. Notwithstanding the foregoing, UserTesting may retain Customer Property to the extent required by applicable law, provided that such data will be securely isolated and protected from any further processing, except to the extent required by applicable law.

Logging and Monitoring

UserTesting maintains centralized logging of system activity. Logs are configured to generate alerts for unusual activity and are securely retained for a minimum of 12 months.

UserTesting relies on 24x7 Security Operations Center (SOC) monitoring to support the review, triage, and escalation of security alerts. Alerts generated through centralized logging are reviewed through risk-based procedures.

System and Network Security

UserTesting, together with its infrastructure providers, employs network configuration, segmentation, and hardening measures designed to protect its systems and environments. These measures include the use of network security controls, such as security groups, to restrict inbound and outbound traffic based on defined access rules.

UserTesting employs a Web Application Firewall designed to help prevent certain common types of attacks, as well as intrusion detection capabilities to help detect potential threats. UserTesting also uses tools designed to prevent the deployment of common types of malware, including ransomware, in all endpoints and servers.

Access to the private production network requires secure connectivity through a zero trust network access solution. Such access is limited to authorized personnel and is subject to centrally managed access controls.

UserTesting segregates development and staging environments from production environments.

Vulnerability Management and Penetration Testing

UserTesting performs vulnerability scans on infrastructure devices, servers, and user computers at least monthly. Cloud infrastructure, virtual instances, web applications, and production code changes are scanned for vulnerabilities to ensure any vulnerabilities are identified and remediated quickly.

An independent third party performs a penetration test of all public-facing systems at least annually.

Data Loss Prevention 

UserTesting deploys data loss prevention (DLP) tools on company workstations to track and alert on unusual activity. Additional DLP tools are deployed in critical cloud infrastructure.

UserTesting prohibits the use of removable media storage to process or store Customer Property. UserTesting also blocks the ability to write to removable media storage on employee laptops. 

Secure Development

All software developers are required to adhere to UserTesting’s documented standards for secure software development and must complete a secure coding training annually. UserTesting-developed software is version controlled and synced between contributors (developers). Access to the central repository is restricted based on an employee’s role. All code changes are required to follow formal change control procedures, including senior engineer approval, a process for testing changes, security testing, system acceptance testing, and a process for remediating unsuccessful changes.

Customer Authentication

UserTesting supports login via single sign-on using SAML 2.0 protocols. This enables customers to implement additional security requirements for passwords and the login process.

Where SSO is not enabled, complex passwords are required for access. When users create new accounts, they create their own secure passwords. When existing users create accounts for others, the new users are invited by email and then create their own secure passwords. Lost passwords are not retrievable but can be reset by the user by responding to an email sent to the account’s email address on record.

Accounts are locked if a user fails to supply a valid password. Users are logged out of the system after periods of inactivity.

Access Control and Data Segregation

UserTesting determines the type and level of access granted to personnel based on the principle of least privilege. Single sign-on, MFA, and complex password requirements are in place to enforce secure authentication. All user access requests are documented and can be granted only by authorized administrators. Access rights are reviewed at least quarterly for critical systems, at least annually for all systems, and as part of any job role change. Employees who leave the company or change business roles will have their access privileges revoked or modified within 24 hours.

UserTesting segregates Customer Property at the application layer and logs access to any assets containing Customer Property. Every web request is authenticated and authorized to access that data. UserTesting ensures that when Customers input data, it is segregated from other customers’ data based on their authenticated request.

Availability and Resilience

UserTesting’s platform has been designed to achieve high availability and resilience. UserTesting maintains and follows documented business continuity and disaster recovery policies and procedures, which are reviewed and tested at least annually. The platforms are  hosted across highly available cloud infrastructure, utilizing advanced load balancing and redundant failover protocols to maximize uptime. Backups are taken and stored in accordance with data classification and retention requirements to enable restoration.

Incident Response

UserTesting maintains and follows documented incident response policies and procedures, which are reviewed and tested at least annually. UserTesting will promptly notify affected parties and regulatory agencies of relevant security incidents to the extent required by, and in accordance with, UserTesting’s policies, contractual commitments, and/or legal or regulatory requirements.