We appreciate you trusting UserEngage with gathering and storing all the valuable data you need. We want to assure you that all the data is kept private and secure. In this section, our aim is to provide you with transparency about the ways we store and protect all the gathered information. We promise to keep this page updated as we add new security measures and improvements to UserEngage, all to ensure that your data is safe.
Security is a priority for UserEngage because we are aware of the importance of the data we store in our service. We have a security program focused on product security, physical and logical infrastructure controls, policies, employee awareness, intrusion detection, and assessment activities.
All employees are familiar with the Incident Response program for identifying suspicious activity on the service. The program enables us to take immediate action in response to security issues and helps us develop new ways of detecting potential attacks against any assets (tangible and intangible) that we provide you with.
We assess our infrastructure and applications for vulnerabilities on a fixed schedule. The UserEngage security team constantly works on improving the tools we have and evaluating new ones to increase coverage.
Load balancers, firewalls, and VPNs are used to define UserEngage network boundaries. The combination of these tools enables us to control which services are exposed online and to separate our production network from our computing infrastructure as a whole. Access to the production infrastructure is granted only to those who meet the business and authentication requirements.
UserEngage is protected with an on-demand mitigation service against distributed denial of service (DDoS).
Your password is never stored in plaintext. When we store your account credentials, we secure them using PBKDF2 (Password-Based Key Derivation Function 2), where each credential receives a unique salt. We select the number of hashing iterations to balance user experience against password-cracking complexity.
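The storage scheme described above, sketched as an added example (not UserEngage's own code): a fresh salt per credential, an iteration count calibrated against a login-latency budget, and the cost stored with each record so it can be raised later. HMAC-SHA-256 as the PRF, the 16-byte salt, the 0.1 s budget and the `$`-separated record format are assumptions; the page specifies none of them.

```python
import hashlib
import hmac
import os
import time

PRF = "sha256"        # assumption: the page does not name the PBKDF2 hash
SALT_BYTES = 16

def calibrate(target_seconds=0.1, start=50_000):
    """Double the iteration count until one derivation costs target_seconds."""
    n = start
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac(PRF, b"benchmark", bytes(SALT_BYTES), n)
        if time.perf_counter() - t0 >= target_seconds:
            return n
        n *= 2

def hash_password(password, iterations):
    """Derive with a fresh random salt; store cost and salt beside the hash."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(PRF, password.encode(), salt, iterations)
    return f"pbkdf2_{PRF}${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, record, current_iterations):
    """Return (ok, needs_rehash) for a stored record."""
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
        iters, salt, want = int(iters), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False, False
    if scheme != f"pbkdf2_{PRF}" or iters < 1:
        return False, False
    got = hashlib.pbkdf2_hmac(PRF, password.encode(), salt, iters)
    ok = hmac.compare_digest(got, want)   # constant-time comparison
    # A correct login under an old, cheaper cost is the moment to re-hash.
    return ok, ok and iters < current_iterations

if __name__ == "__main__":
    cost = calibrate()
    rec = hash_password("correct horse battery staple", cost)
    print(cost, verify_password("correct horse battery staple", rec, cost))
```

Because the salt is random per record, two users with the same password get different stored values, and the `needs_rehash` flag lets the iteration count grow with hardware without forcing password resets.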
We are never going to require you to set a complex password, nor will the password strength meter make you choose one. Password guessing attacks are handled by us by limiting failed login attempts on both a per-account and per-IP-address basis.
Two-step verification (2SV) is offered for all accounts, together with a time-based one-time password algorithm (TOTP). Users with a premium account may generate codes locally using an app on a mobile device via a text message.
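An added sketch of the two-counter limit described above (not UserEngage's implementation): failures are tracked in a sliding window keyed separately by account and by source IP, so guessing one account from many addresses and trying many accounts from one address are both stopped. The thresholds, window length and sample events are constructed for illustration.

```python
from collections import defaultdict, deque

class LoginThrottle:
    def __init__(self, per_account=5, per_ip=20, window=900):
        self.limits = {"account": per_account, "ip": per_ip}
        self.window = window                  # seconds
        self.failures = defaultdict(deque)    # (kind, key) -> failure times

    def _recent(self, kind, key, now):
        q = self.failures[(kind, key)]
        while q and q[0] <= now - self.window:   # drop expired failures
            q.popleft()
        return len(q)

    def allowed(self, account, ip, now):
        return (self._recent("account", account.lower(), now) < self.limits["account"]
                and self._recent("ip", ip, now) < self.limits["ip"])

    def record_failure(self, account, ip, now):
        self.failures[("account", account.lower())].append(now)
        self.failures[("ip", ip)].append(now)

    def record_success(self, account):
        # Reset the account counter only; the IP counter ages out on its own.
        self.failures.pop(("account", account.lower()), None)

def replay(events, throttle):
    """events: (time, account, ip, password_ok) -> 'ok' / 'fail' / 'blocked'."""
    out = []
    for now, account, ip, good in events:
        if not throttle.allowed(account, ip, now):
            out.append("blocked")             # rejected before any password check
        elif good:
            throttle.record_success(account)
            out.append("ok")
        else:
            throttle.record_failure(account, ip, now)
            out.append("fail")
    return out

# Constructed events: one account tried from several addresses, then a late retry.
SAMPLE = [(0, "alice", "203.0.113.1", False), (1, "alice", "203.0.113.2", False),
          (2, "Alice", "203.0.113.3", False), (3, "alice", "203.0.113.4", True),
          (70, "alice", "203.0.113.4", True)]

if __name__ == "__main__":
    print(replay(SAMPLE, LoginThrottle(per_account=3, per_ip=5, window=60)))
```

The fourth attempt is blocked even though the password is correct, which is the per-account limit doing its job; logging those blocked attempts gives the detection side a clear signal.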
To protect our users from malicious content, we guarantee to scan all emails received using a commercial anti-virus scanning engine.
When you receive an email from UserEngage, we want to assure you that the sender is always UserEngage. It is always legitimate because we publish an enforcing DMARC policy, so you can sleep well and not worry about email security issues. Every email is sent from @userengage.io, is cryptographically signed using DKIM, and originates from an IP address that is published in our SPF record.
Protecting your data is our highest priority, so we rank securing our Internet-facing web service as crucial. The security team at UserEngage improves code security hygiene and overall security by monitoring issues including CSRF, injection attacks (XSS, SQLi), session management, URL redirection, and clickjacking.
Every single third-party client is authenticated through OAuth, which provides you with a permanent ability to connect a third-party application to your account without sharing your login credentials. When the authentication to UserEngage is successful, a token is returned to the client to authenticate your access from that moment on. This removes the need for a third-party application to ever have access to your username and password on a device you use.
We use a well-defined Thrift API for all actions, which enables us to broker all communications and, in this way, establish authorization checks as fundamental to the app architecture. No direct object access can take place within UserEngage, and each client's authentication token is examined upon every access to the service.
Your data is never segmented from other users' data, which means that it may be stored on the same servers as another user's data. Nobody but you has access to the data, unless you explicitly share it. See the Product Security section for the ways we use the authorization model for access to private and shared content.
MEDIA DISPOSAL AND DESTRUCTION
UserEngage guarantees that the data stored in the service will never be repurposed for use outside the platform. We have procedures in place to destroy all storage media by degaussing and physical destruction prior to disposal.
CUSTOMER ACCOUNT ACCESS
Because it is a cloud service, UserEngage provides an administrative tool, which lets our customer service team resolve issues concerning our customers. However, we limit the number of employees who have access to the data within this administration tool.
Server-side logging of customer interactions with UserEngage is performed. It involves web server access and activity logging (for actions taken through our API). Successful and unsuccessful login events are included in these logs.
Your data in transit is protected with industry-standard encryption, known as Transport Layer Security (TLS) / Secure Sockets Layer (SSL) technology. UserEngage supports HTTP Strict Transport Security (HSTS) for the service (www.userengage.io). A mix of cipher suites is supported together with TLS protocols to ensure strong encryption for browsers and clients, and backward compatibility for legacy customers who need it.
UserEngage supports STARTTLS for the inbound and outbound email channels. If TLS is supported by your email service provider, your email will be encrypted in transit (to and from UserEngage).
Our main objective is to provide you with all the best we have, to enable you to engage your users 24/7. As a result, we operate a fault tolerant system by having:
- Diversified Internet connections with multiple paths.
- Switches, routers, load balancers, and firewalls (redundant network infrastructure)
- Independent shards, servicing a small part of UserEngage user base (scalable system)
- Redundant servers, giving hot standby capabilities if a single server fails (shards designed in pairs)
- Redundant power to power the servers; redundant network hardware, RAID configuration for storage.
Fault-tolerant facility services, including power, HVAC, and fire suppression, are provided by our colocation vendor. All updates are available at https://twitter.com/userengage_io
We guarantee that we back up all customer content at least once per day and a private network link is used to replicate those backups. If a site failure should occur in our primary data center, we can recover fast. We do not utilize any sort of media for backups.
Every one of our data centers has undergone a SOC-1 Type 2 audit, which attests to its ability to physically ensure the security of our service. Only personnel appointed by UserEngage and the data center provider have physical access to this infrastructure. All UserEngage data is stored inside 4 countries: USA, Canada, France, and Singapore.