Policies

Security

Protecting customer data is a top priority at UserLeap. You can trust us to keep your data secure and meet your compliance requirements.

Enterprise-level protection

Certifications

UserLeap is SOC2 Type II certified. A report is available upon request.

UserLeap has a certification for compliance with ISO/IEC 27001:2013. An independent body has audited our compliance with this standard and issued our ISO 27001:2013 certificate.

GDPR

GDPR & privacy compliance is critical for businesses to be able to function today. UserLeap is GDPR and CCPA compliant, and also enables your business to choose your own compliance preferences.

UserLeap complies with the EU/Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries/Switzerland.

Data & Network Security

UserLeap uses Amazon Web Services (AWS) facilities in the USA to hosts its software. You can see Amazon’s compliance and security documents for more detailed information, including SOC 13 and ISO 27001.

UserLeap’s servers are located within our own virtual private cloud (VPC), protected by restricted security groups. We ensure that only the minimal required communication occurs between servers.

UserLeap conducts third-party network vulnerability scans annually.

Application Security

The web application architecture and implementation follow OWASP guidelines. They are built in Java using the Spring Security framework.

UserLeap undergoes pentests 2x per year. Results are available upon request.

UserLeap supports SSO using SAML (Okta, OneLogin, Rippling), G-Suite, Office 365, Salesforce.

User passwords are salted, irreversibly hashed, and stored in our database. Audit logging lets administrators see when users last logged in or when they last changed their password.

Access to UserLeap applications are logged, audited, and kept for at least one year.

Data Security

All connections to UserLeap are encrypted using SSL. Attempts to connect over HTTP is redirected to HTTPS. We maintain A+ grade for Qualys/SSL Labs.

All customer data is encrypted at rest and in transit, and purged from UserLeap systems subsequent to contract termination.

System passwords are encrypted using AWS KMS. Access is restricted, and implemented using VPN with Active Directory authentication.

Industry-standard PostgreSQL, Elastic Search and Mongo DB data storage systems hosted at AWS and/or by the respective vendors are used.

Including the Limited Use requirements, information received from Google APIs will adhere to Google API Services User Data Policy.

Security Policies

UserLeap conducts mandatory code reviews for code changes and periodic and in-depth security reviews. UserLeaps testing and development environments are separated from its production environment.

Background screening is conducted for all new hires.

Every year, engineers participate in secure code training covering OWASP Top 10 security flaws, common attack vectors, and UserLeap security controls.

UserLeap does not track PII.

UserLeap maintains a formal response plan for significant incidents.

Reliable. Secure. 
Compliant.

You can find UserLeap’s system availability details, scheduled maintenance, history of service events, and any relevant security incidents on its publically available system status page. UserLeap will provide SDK source code for enterprise partners.

Data security is a top priority for UserLeap, and we believe that working with skilled security researchers can identify weaknesses in any technology. If you believe you’ve found a security vulnerability in UserLeap’s service, please notify us per our Responsible Disclosure Policy.

Your customer data is safe with us

We take security seriously.

NDA Upon Request

Start to get meaningful 
insights in less than a day