Security

Last updated: Wed 2nd Jan, 2019




Safety first

We understand you’ll be trusting us with your user research data, including potentially sensitive information about your own customers or participants.Our application is built on world-class, modern cloud infrastructure designed to ensure the safety of your data. We have chosen proven third party cloud providers with a great security track record. We also employ extra measures including regular backups, data encryption, sanitized logging, and common attack prevention.


You're data is you're data

We’re not in the business of selling your data (anonymized or otherwise). You own your data and we will never sell it to third parties. We also won’t look at your data unless you give us permission for a support case.



Data encryption

To ensure security your data is encrypted while moving between us and your browser with Transport Level Security (TLS).


GDPR

Insightful is GDPR ready with a privacy-by-design architecture, clear privacy policies, and features to help users manage their personal information.


PCI DSS

Our payments provider Stripe has been audited by an independent PCI Qualified Security Assessor and is certified as a PCI Level 1 Service Provider.


Database-level security

Our access logic is written in the database. Robust policy-based access controls minimize risk and improve auditing.


CSRF prevention

Cross-site request forgery prevention helps to protect users from attacks from other websites they might visit.



Does your software lifecycle include security?

Security is integrated into our day-to-day development. We maintain high awareness of potential security issues through code reviews, automated and manual testing, library reviews, and ‘dogfooding’ with a staging environment.


How do you segregate customers?

Individual team membership is enforced through models and controllers. Access to project data is enforced through PostgreSQL Row Level Security (RLS) using transaction-scoped config variables, referenced in RLS policies.


Is data encrypted in transit over networks?

Data is encrypted while moving between us and the browser with Transport Level Security (TLS). SSL certificates are issued and managed through Amazon Web Services (AWS), and we enable HTTP Strict Transport Security (HSTS).


Can staff read customer data?

Customer data is hidden and encrypted in the database using database roles. Only founders can access the AWS portal. Our policy is to seek written permission from the customer to view customer data during a support case, if necessary.


How do you secure user accounts?

We employ password strength requirements, Cross-Site Request Forgery (CSRF) protection, secure password reset practices, and log in attempt rate limiting with automated account lockout rules.


How are passwords stored?

Our user authentication system uses BCrypt to hash and salt user passwords. Each password has a uniquely generated salt, and the ‘pepper’ is stored independently from the database.


What third party data subprocessors do you use?

We use a number of industry-standard cloud vendors to run Insightful, including Amazon Web Services (AWS), Heroku, and Stripe.


Do you track issues in open source software?

We employ an automated service called Sqreen to stay up-to-date with open source dependencies, and GitHub Security Alerts for vulnerability alerts in dependencies.


What security features are on your roadmap?

New security features are high on our roadmap. These include Two-Factor Authentication (2FA), account-level permissions, password policies, and more.