UserZoom GO Technical and Organisational Measures

Pseudonymisation

  • By default, UserZoom does not collect personal data. However, depending on the kind of studies and questions asked by the Data Controller (UserZoom GO Customers), the data collected may include recordings of the face and audio of study participants.
  • UserZoom GO Customers are not able to identify the participant because the participant's name does not appear in the UserZoom GO Platform; only an ID is shown.

Encryption

  • Data in transit is encrypted with up to TLS 1.2 (HTTPS)
  • Data at rest is encrypted with 256-bit AES

Confidentiality

Physical access control

  • UserZoom GO hosting provider is Google Cloud Platform. GCP has in place several controls to provide security to their customers. 
  • GCP is compliant with several security certifications: ISO27001, SOC1 (SSAE 18), SOC2, SOC3, PCI-DSS 

Logical access control

  • Only Senior Management have access to the Production Environment. 
  • Access is granted on a need-to-know basis, after review and approval by Senior Management.
  • UserZoom meets the standard requirements of password complexity.

Role-based access control

  • UserZoom GO logs every access in the UZGO Platform and in the Production Environment
  • UserZoom GO works with the authorisation concept:
    • Rights Management 
    • Differentiated rights 
    • Roles 
    • Authorisation routines 
    • Task-specific rights profiles 

Monitoring of data transmission

  • Logging and monitoring 
  • Encryption of data transmissions using modern technological standards. 

Erasure of data

  • Backups are stored for 30 days after contract expiration, then are securely erased. 

Monitoring of separation

  • Separate databases -> Data is logically segregated 
  • Separation of live and test data 
  • Sandboxing 
  • Separate Systems 

Integrity

  • System-based logging 
  • Security/logging software

Availability

Ensuring availability

  • Auto-scaling groups 
  • Disaster Recovery Concept:
    • Emergency Plan
    • Contingency plans and reporting channels

Purpose limitation

  • Written agreement on commissioned data processing 
  • Training of all employees authorised to access data 
  • Committing employees to confidentiality
  • Regular data protection audits
  • Right to audit

Resilience of the systems

  • Auto-scaling groups 
  • Ongoing monitoring services 

Post-incident recovery

  • Backup strategy 
  • Backup method 
  • Recovery concept for IT Systems 

Regular review of technical and organisational measures

On a regular basis, UserZoom GO performs internal security audits according to its internal policies.