Effective Date: 10/2/2019
Protecting customer data is a top priority at UserLeap. We understand you are trusting us with your data and we take the responsibility of securing it extremely seriously.
- 1.1 System architecture. UserLeap’s architecture is designed to be secure and reliable. We use an n-tier architecture with firewalls between each tier. Services are accessible only by other services that require access. Access keys are rotated regularly and stored separately from our code and data.
- 1.2 Failout and disaster recovery. UserLeap is built with fault tolerance capability. Each of our services is fully redundant with replication and failover.
- 1.3 Data Centers. Our application is hosted and managed within Amazon Web Services (AWS) secure data centers. These data centers have been accredited under: ISO 27001 SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 - Type II) PCI Level 1 FISMA Moderate Sarbanes-Oxley (SOX)
- 1.4 Vulnerability scans. UserLeap uses security tools to continuously scan for vulnerabilities. Additionally, vulnerabilities in third-party libraries and tools are monitored and software is patched or updated promptly when new issues are reported.
- 1.5 Firewall. Our servers are protected by firewalls and not directly exposed to the Internet.
- 1.6 Corporate Network. UserLeap runs a zero-trust corporate network. There are no corporate resources or additional privileges from being on UserLeap’s corporate network.
- 1.7 Software Development Kits. iOS & Android. No PII is stored on disk by these frameworks and requires internet permissions to access UserLeap servers and disk usage to persist authentication credentials. Web. No PII is stored in cookies or local storage by this framework and requires internet permissions to access UserLeap servers and local storage to persist authentication credentials. We provide nonce and SHA support for our self-hosted JS option which ensures the files have not been altered and are trusted.
- 2.1 Data storage. UserLeap data stores are accessible only by servers that require access. Access keys are stored separately from our source code repository and only available to the systems that require them. Additionally, production environments are sandboxed from testing environments.
- 2.2 Backups. We maintain secure encrypted backups of important data for a minimum of 30 days. We do not retroactively remove deleted data from backups as we may need to restore it, if removed accidentally. Backup data is fully expunged after 90 days.
- 2.3 Logs. We aggregate logs to secure encrypted storage. All sensitive information (including passwords, API keys, and security questions) is filtered from our server logs. Log data is fully expunged after 365 days.
- 3.1 Passwords. We never store passwords in a form that can be retrieved. Instead, we store an irreversible cryptographic hash using a function specifically designed for this purpose. Authentication sessions are invalidated when users change key information and sessions automatically expire after a period of inactivity.
- 3.2 Monitoring. We monitor and rate limit authentication attempts on all accounts.
- 3.3 User roles. We provide multiple user roles with different permissions levels within the product. Roles vary from account owners, to admins, users, and roles that limit visibility of Personally Identifiable Information (PII).
- 4.1 HTTPS. All UserLeap web traffic is served over HTTPS. We force HTTPS for all web resources, including our REST API, web app and public website. We also use HSTS to ensure that browsers communicate with our services using HTTPS exclusively. Additionally, we use only strong cipher suites. We support a minimum TLS version of 1.2.
- 4.2 Encryption. Our primary databases, including backups, are fully encrypted at rest. In addition, all archives and logs are fully encrypted at rest. We use industry standard encryption algorithms.
- 5.1 Incident response. UserLeap has a defined protocol for responding to security events.
- 5.2 Confidentiality. All employees have signed confidentiality agreements with UserLeap.
- 5.3 Disclosure. Data security is a top priority for UserLeap, and UserLeap believes that working with skilled security researchers can identify weaknesses in any technology.
- If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at security [at] userleap [dot] com. We will acknowledge your email within one week.
- Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within ten business days of disclosure.
- Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the UserLeap service. Please only interact with accounts you own or for which you have explicit permission from the account holder.
While researching, we'd like you to refrain from:
- Distributed Denial of Service (DDoS)
- Social engineering or phishing of UserLeap employees or contractors
- Any attacks against UserLeap’s physical property or data center
UserLeap is always open to feedback, questions, and suggestions. If you would like to talk to us, please feel free to email us at security [at] userleap [dot] com.