UserTesting’s solution provides recorded videos of Customers’ user tests, and in some cases written test plans and research reports derived from those videos. User test videos contain whatever information a Customer exposes to a Tester during the user test, along with the audio responses of the Tester. Such video files and associated data are processed and stored on UserTesting’s servers and data centers.
How does a Tester get access to my user test studies and my proprietary property that is being tested?
A Tester accesses their tester account on usertesting.com to view available tests. If a Tester qualifies for a specific user test, the UserTesting desktop/mobile recorder launches and provides instructions on where to begin. When the test is a web test, the recorder opens the customer-hosted web content in a browser and provides the Tester with instructions for providing feedback. When the test is an app test or prototype test, appropriate instructions are provided for downloading/opening the app or prototype (which may be hosted by the Customer or by UserTesting, as appropriate). All activity is recorded once the user test begins.
Does UserTesting collect Personally Identifiable Information (PII) in providing the services to its Customers?
UserTesting is not in the business of collecting PII nor does it ever intend to collect, store or process PII on behalf of its customers. In rare cases inadvertent PII may be captured in the video and/or the audio of a test. It is important to take precautions and work with your Customer Success Manager (or other UserTesting personnel) to use best practices when conducting User Tests to avoid inadvertent recording of PII. If a customer determines that the recording of PII is unavoidable with a particular study, please contact your Customer Success Manager to facilitate the test before launching such User Tests.
What is the best way to avoid inadvertent capturing of PII during desktop studies? What about usability studies using the mobile recorder “in-the-wild”?
Never request a Tester to provide their personal information (including, but not limited to, full name, date of birth, social security number, email, postal address, phone number, credit card or other financial information, or medical records). If the test includes completing forms, inputting payment information, or otherwise providing personal information, the instructions should state clearly that Testers should provide false or “dummy” information. Customers should also use the “blur” feature to conceal any PII that could be displayed on screen. For destination or “in-the-wild” tests with the mobile recorder, Testers should be instructed not to record their own image, and not to focus on other individuals while recording the location, products, or testing environment.
All videos of user tests along with all associated confidential and proprietary data are hosted at Amazon Web Services (AWS).
As our solution is not intended to collect or store any personal or sensitive information, UserTesting currently does not have any security certifications. Our third-party hosting service provider, AWS, is a SOC 2 and ISO 27017 certified hosting provider.
Yes. Company policy requires annual independent security audits of both internal systems and the service. Copies of the most recent audit reports are available upon request.
Yes. All data (video files, client data and tester data) is encrypted at rest and in transit. Data is stored in encrypted form using 256-bit AES encryption. Encryption keys are managed by AWS Key Management Service. All communication to and from the data center is encrypted via SSL/TLS.
UserTesting employs firewalls to protect our internal systems. A VPN system that uses two-factor authentication allows access inside the firewall to employees with a need to access internal systems remotely.
Wireless access within the site is allowed to computers that are on the domain. Other computers and mobile devices use an alternative access point that is outside the firewall.
Company owned computers are managed on the company domain and kept up to date with the latest updates, anti-virus software as well as productivity software.
BYOD computers must meet the above company standards to be used for business purposes.
All internal systems are backed up to AWS and securely stored in encrypted form.
UserTesting’s solution is a web-based platform that does not require any integration with a customer’s internal network, system or code. All of UserTesting’s services are provided remotely, and all video/data capture is recorded from Tester’s screens while conducting user tests. UserTesting has no access to a customer’s backend while user tests are being performed.
Passwords must be at least 8 characters long and must contain at least one uppercase letter, one lowercase letter, and one number. They may also contain special characters. Lost passwords are not retrievable but can be reset by the user by responding to an email sent to the account’s email address.
The system is protected from automated guessing by locking an account when the password is entered incorrectly 10 times within a 30-minute period. The account can be unlocked by resetting the password through the standard mechanism or by waiting 30 minutes.
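The password policy and the lockout rule described above, as an added illustration that is not UserTesting’s own code: the policy constants are the values stated on this page, while the sliding-window lockout tracker and its `reset_password` hook are assumptions about how such a rule could be implemented.

```python
import re
from collections import defaultdict, deque

# Policy values as stated on the page; the implementation around them is illustrative.
MIN_LENGTH = 8
MAX_FAILURES = 10
WINDOW_SECONDS = 30 * 60


def password_meets_policy(password: str) -> bool:
    """At least 8 characters, one uppercase, one lowercase, one digit; specials allowed."""
    return (len(password) >= MIN_LENGTH
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


class LoginGuard:
    """Tracks failed logins per account in a sliding 30-minute window.

    The account is locked once 10 failures fall inside the window; it unlocks
    automatically when enough failures age out (at most 30 minutes after the
    last one) or immediately on a password reset (assumed hook).
    """

    def __init__(self):
        self._failures = defaultdict(deque)  # account -> failure timestamps (seconds)

    def _prune(self, account: str, now: float) -> None:
        q = self._failures[account]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, account: str, now: float) -> bool:
        self._prune(account, now)
        return len(self._failures[account]) >= MAX_FAILURES

    def record_failure(self, account: str, now: float) -> bool:
        """Record one wrong password; returns True if the account is now locked."""
        self._prune(account, now)
        self._failures[account].append(now)
        return self.is_locked(account, now)

    def reset_password(self, account: str) -> None:
        # Completing the e-mailed reset flow clears the lock without waiting.
        self._failures.pop(account, None)
```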
UserTesting conducts background checks on all employees, contractors and consulting agencies, and does not allow individuals with inappropriate backgrounds to have access to critical data. Employees who leave the company or change business roles have their access privileges revoked or modified within 24 hours. In addition, UserTesting buildings are protected by keycard locks that are assigned to individual employees. Facilities are monitored by video 24 hours a day, 7 days a week.
UserTesting has an incident response plan that escalates incidents to the appropriate level of authority, fixes them quickly and follows up with a root cause analysis and work plan to prevent similar issues from occurring again. An Incident Response Policy is reviewed on an annual basis.
Yes. As part of the company security policy, we have a business continuity / disaster recovery policy. For our service, we’ve architected the system to be robust and recoverable.
- The service is delivered by multiple servers running in AWS with load balancing and failover provisions.
- Instances can be spun up as needed when one fails.
- Videos are stored in journaled S3 buckets.
- Other data is stored in RDS with frequent backups.
- Should a catastrophic event happen in the main data center, we can switch to an alternate data center and bring the system up again.