What test participant information does UserTesting collect and store as part of providing its services? Where is that information stored?
The UserTesting platform provides customers with videos of real user tests and, in some cases, written test plans and research reports derived from those videos.
All videos of user tests, along with all associated confidential and proprietary data, are hosted at Amazon Web Services (AWS).
Test participants access their accounts via UserTesting to view available tests. If a test participant qualifies for a test, they’ll have the option to accept and launch the test.
Participants are instructed to visit a website or app, or are given instructions for viewing a prototype or wireframe.
Does UserTesting collect Personally Identifiable Information (PII) in providing the services to its customers?
UserTesting does not intend to collect, store, or process PII on behalf of its customers.
In rare cases, inadvertent PII, including names, email and home addresses, phone numbers, faces (from videos), credit card and social security numbers, and medical records, may be captured in the video of a test. If this occurs, that information can be blurred in the videos to ensure the privacy and safety of our participants.
What’s the best way to avoid inadvertent capturing of PII during desktop studies? What about usability studies using the mobile recorder “in-the-wild”?
Depending on the type of testing you’re looking to do and the country involved, UserTesting may be able to help you design your studies in order to avoid inadvertently recording PII. A common practice is to create dummy accounts and credentials so that real PII is not required during the test. We recommend reviewing your corporate policy regarding PII before testing.
As our solution is not intended to collect or store any personal or sensitive information, UserTesting currently does not have any security certifications. Our third-party hosting service provider, AWS, is a SOC 2 and ISO 27017 certified hosting provider.
UserTesting requires an annual, independent security audit of both internal systems and the platform. Copies of the most recent audit reports are available upon request.
All data is encrypted at rest and in transit. Data is stored in encrypted form using 256-bit AES encryption. Encryption keys are managed by AWS Key Management Service (KMS).
UserTesting employs firewalls to protect our internal systems. A VPN system that uses two-factor authentication allows access inside the firewall to employees who need remote access to internal systems.
Wireless access within the site is allowed to computers that are on the domain. Other computers and mobile devices use an alternative access point that is outside the firewall.
Company-owned computers are managed on UserTesting’s domain and kept up to date with the latest operating system, antivirus, and productivity software updates.
BYOD (bring your own device) computers must meet the above company standards to be used for business purposes.
All internal systems are backed up to AWS and securely stored in encrypted form.
UserTesting’s solution is a web-based platform that doesn’t require integration with a customer’s internal network, system, or code.
Complex passwords are required for customer and test participant access. Passwords must be at least 8 characters long and must contain at least one uppercase letter, one lowercase letter, and one digit. They may also contain special characters.
When users create new accounts, they create their own secure passwords. When existing users create accounts for others, the new users are invited by email and are then asked to create their own secure passwords.
Lost passwords cannot be retrieved, but a user can reset a password by responding to an email sent to the address already on record for the account.
Accounts are locked for 30 minutes if a user fails to supply a valid password 10 times in 30 minutes.
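One way to enforce the two rules stated above (the password complexity requirements and the 10-failures-in-30-minutes lockout), as an added illustration written for this page rather than UserTesting’s own code; the in-memory `LoginThrottle` class, the `simulate` helper and the account name are assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Policy parameters as stated on the page.
MIN_LENGTH = 8
MAX_FAILURES = 10
FAILURE_WINDOW = timedelta(minutes=30)
LOCKOUT_DURATION = timedelta(minutes=30)

def password_meets_policy(password: str) -> bool:
    """8+ chars with an uppercase, a lowercase and a digit; specials optional."""
    return (len(password) >= MIN_LENGTH
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)

class LoginThrottle:
    """Sliding-window lockout (assumed in-memory design, not UserTesting's code)."""
    def __init__(self):
        self._failures = {}      # account -> deque of failure timestamps
        self._locked_until = {}  # account -> datetime when the lock expires

    def is_locked(self, account: str, now: datetime) -> bool:
        until = self._locked_until.get(account)
        return until is not None and now < until

    def attempt(self, account: str, password_ok: bool, now: datetime) -> str:
        """Returns 'locked', 'ok' or 'failed'; a locked account is refused first."""
        if self.is_locked(account, now):
            return "locked"
        if password_ok:
            self._failures.pop(account, None)  # success resets the counter
            return "ok"
        window = self._failures.setdefault(account, deque())
        window.append(now)
        while window and now - window[0] > FAILURE_WINDOW:
            window.popleft()  # only failures in the last 30 minutes count
        if len(window) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_DURATION
            window.clear()  # counting restarts once the lock expires
            return "locked"
        return "failed"

def simulate(events):
    """Replay (minute_offset, password_ok) events for one constructed account."""
    throttle = LoginThrottle()
    start = datetime(2024, 1, 1, 9, 0)
    return [throttle.attempt("alice", ok, start + timedelta(minutes=m))
            for m, ok in events]
```

Note that a correct password during the lock period is still refused, and that ten failures spread across more than 30 minutes never trigger the lock.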
UserTesting conducts background checks on all employees, contractors, and consulting agencies, and does not hire individuals with inappropriate backgrounds.
Employees who leave the company or change business roles will have their access privileges revoked or modified within 24 hours.
UserTesting has an incident response plan for escalating incidents to the appropriate level of authority, so that quick fixes are followed up with a root cause analysis and a work plan to prevent recurrence. The incident response plan is reviewed annually.
Business continuity is included as part of UserTesting’s security policy. The platform has been designed to be robust and recoverable:
- The platform is hosted on multiple servers running at AWS with load balancing and failover provisions
- Instances can be spun up as needed if one fails
- Videos are stored in journaled S3 buckets
- Videos are stored in at least two geographically diverse data centers
- Other data is stored in RDS with frequent backups
Data centers are located in geographically diverse locations to ensure redundancy in the case of a catastrophic event.