Security & Compliance

Compliance

UserVoice is Committed to Accessibility

UserVoice is committed to a course of accessibility compliance and transparency, and works with independent 3rd-party consultants to assess our products for compliance with the Level A and AA Success Criteria in WCAG (Web Content Accessibility Guidelines) 2.0.

View our accessibility reports

UserVoice is PCI DSS Compliant

UserVoice does not store credit card information in our database. All credit card data is stored securely in our payment gateway, Braintree, which is also PCI compliant. UserVoice has been verified as Payment Card Industry Data Security Standard (PCI DSS) compliant. This compliance is handled by SecurityMetrics and includes a self-questionnaire and quarterly security scan (last scan September 4, 2017) of our servers.

Safe Harbor

UserVoice is able to be used by U.S. Government entities

We’ve worked with the GSA to amend our standard Terms of Service to comply with restrictions specific to United States federal laws and regulations. The complete details of this amendment can be found here: Amendment to UserVoice Terms of Service.

Data Security

The UserVoice platform is hosted in multiple data centers on the Google Cloud Platform (GCP).

UserVoice's hosting provider GCP meets rigorous privacy and compliance standards.

Details can be found on GCP's Security and Data Compliance Page. In summary, the platform is SSAE 16 / ISAE Type II compliant, ISO 27001 certified, ISO 27017 certified, ISO 27018 certified, and PCI DSS v3.2 compliant.

Access to all UserVoice servers is secure.

  • Firewalls are set to default-deny. The only services that are allowed are SSH (all servers; non-standard port) and HTTPS (web servers only).
  • Database connections are only accepted from other UserVoice servers on a private subnet.
  • All communication with servers (outside of public HTTPS access) is over encrypted secure shell (SSH) and password authentication is disabled. SSH authentication is available only via public/private key authentication.
  • In-depth information on our SSL implementation is available via this Qualys SSL Report on UserVoice.
  • Access for internal employees to individual servers, where allowed, is only available through a VPN that enforces 2 Factor Authentication.

UserVoice servers and software are running the latest versions of software and security patches.

  • We strive to keep all server software on the latest version; however, when that's not possible we do ensure that the latest security patches are installed/up to date. This is reviewed monthly (though patches are often installed as soon as they come out).

UserVoice is written to protect against common attacks.

UserVoice software is written using common libraries to protect against SQL Injection, XSS Vulnerabilities, and other common exploits. We scan our application both statically (against known vulnerabilities in libraries and common patterns) and dynamically (using Qualys application scanning) regularly. Our application is also subject to a third party penetration test, conducted annually.

Your data is stored securely.

All of the data we store is encrypted at rest, and personally identifiable information is additionally hashed using bcrypt.

Your access to UserVoice is secure.

All access to your UserVoice admin console (yourdomain.uservoice.com/admin) is always over a secure (SSL encrypted) connection.

Your users' access to UserVoice is secure.

All connections to our web portal are secured over an SSL encrypted connection, including all widgets which customers use to submit tickets or capture feedback.

Access is logged.

Server access logs for auditing are kept for 7 days. Access logs for web servers are kept for 396 days.

Data is co-mingled but secure.

UserVoice is a multi-tenant SaaS solution: customer data is co-mingled on the same database tables, but all data is scoped by an account ID to ensure that one account cannot access data of another account. Unit, functional, and integration tests are run continuously on our CI servers to ensure that it's not possible for account data to leak.

Development and test environments do not use customer data.

We use fake customer data in those environments.

Nightly backups are stored offsite and encrypted.

  • A live backup is performed in near real-time.
  • Backups are always full backups of all tables in the UserVoice MySQL database.
  • Backups do not include secondary data (like pageview tracking, denormalized reporting data) that is stored in various other data stores.
  • Backups are done nightly and encrypted with a shared password and stored offsite.
  • Backups are tested and restored daily.
  • Backups are kept for 30 days.
  • Backups are never kept on portable/removable media.

Deleted data is retained for up to 60 days.

Some data that's deleted in the UserVoice system is soft deleted and can be recovered inside of 30 days. After 30 days, that data is hard deleted and can only be recovered via full backup for another 30 days.

Reliability

Uptime for the last six months was 99.95%.

As of May 1, 2018. We track uptime using Pingdom, testing feedback.uservoice.com at a one-minute resolution, and publish monthly uptime stats live at status.uservoice.com.

UserVoice assets and widgets load quickly from anywhere in the world.

All static files (JS, CSS, widgets, images) are compressed and served from our CDN (Cloudflare), which has edge servers located around the world.

UserVoice widgets will not impact your page load times.

UserVoice widgets are written in such a way that they won't block page load and instead only load after the initial page is loaded. This means that your page load times are not impacted by installation of any UserVoice widget.

Network-level redundancy.

Provided by the Google Cloud Platform.

Application-level redundancy.

  • Redundant front-end proxy web servers.
  • Behind them are multiple application servers sitting behind a load balancer that ensures that if a server goes offline requests are immediately funneled to the remaining servers.
  • Database is arrayed in a standard master-slave configuration to provide a live backup and failover database should the master database server go offline.
  • Redundant secondary data stores.
  • Application is hosted in multiple availability zones to protect against downtime.

Internal as well as external monitoring means we respond quickly to any service issues.

  • Internal system monitoring tools (Consul health check) check on all systems every five minutes, and critical systems or errors are checked every minute.
  • Any critical error (e.g., server offline) triggers SMS alerts to the entire systems engineering team.
  • Pingdom is used to both monitor uptime of UserVoice sites as well as our internal tools (Consul health check). The watcher of the watchers, if you will.
  • Application-level monitoring includes custom internal tools (based on statsd) to track application events, Bugsnag to track all 500 errors (failed requests), and New Relic APM to track error rates and response times.
  • A critical issue policy is followed to ensure that proper issue escalation occurs. After any critical incident (defined as any incident that impedes end-users from performing core functionality), engineering is required to provide a write-up and retrospective on what went wrong and how it can be prevented in the future. These write-ups are often shared with customers via status.uservoice.com.
  • Real-time notifications about any current service delivery issues are available at status.uservoice.com.

PII and Cookies

Names, emails, and IP addresses are the only personally identifiable information (PII) stored in the UserVoice database.

Cookies are required for normal operation of UserVoice; however, no PII is stored in any of the cookies that UserVoice uses:

| Cookie Name | Expiration | Description |
|---|---|---|
| __utma, __utmb, __utmc, __utmz, __utmv | varies | Used by Google Analytics. |
| _uvsid | end of session | Used to track whether you're logged in or not. See below for more info. |
| _uservoice_tz | 90 days | Your time zone. |
| uvts | 1 year | Used to track user usage analytics. |
| _rf | end of session | Used to determine if your information is up to date. It's usually just a number like 0 or 1. |
| auth_token | 1 year | Used for “remember me” functionality to keep you logged in between sessions (i.e. closing and reopening your browser). Only appears if you log in and click the “Keep me logged in” link, or if you vote anonymously. |

_uvsid.

The _uvsid is something that all apps use in order to determine if you're logged in and authorized to do logged-in actions. All apps that require authentication use some version of it. That's the reason for those "you have to enable cookies in order to use this site" sort of warnings. If you were to delete it you would be logged out. If you log back in, we put it back with another securely random number.

Third Party Infrastructure

3rd Party Infrastructure Service Providers that the UserVoice platform relies on and the data shared with each:

| Provider Name | Description | Handles PII data |
|---|---|---|
| Google Cloud Platform | Hosts our production servers. | Yes |
| CloudFlare | CloudFlare acts as our CDN and as DDoS protection. All HTTP requests pass through CloudFlare. | Yes |
| Amazon | We store assets and database backups in Amazon S3 and use EC2 to perform database backups. | Yes |
| Mailgun | Incoming emails and outgoing emails pass through Mailgun’s servers. | Yes |
| embed.ly | Embed.ly is used in our Knowledge Base product to embed rich media snippets. Embed.ly primarily has access to the embedded snippet URL, which is typically public. | No |
| Pusher | We use Pusher to do live updates in admin console for things like ticket counts and the leaderboard. | No |
| Bugsnag | Exceptions and errors in our application are sent to Bugsnag. | Yes |
| Akismet | We use Akismet to check content for spam. | Yes |
| Google Analytics | Provides anonymous usage tracking. | No |
| Full Story | Our UX team uses this to analyze admin sessions in order to improve our product. | Yes |

Common Questions

We have over _____ pageviews a month. Can we install your widget on our site?

Yes. See the previous section on assets/widget performance. Your traffic will likely be a drop in the ocean for us but if you're expecting over 100MM pageviews per month we'd love to chat with you before you go live. Also, if you expect more than 5MM widget embed impressions per month you should check our Fair Usage Limits.

Do you have a rigorous screening process for your employees?

In addition to all legally obligated checks for employment, all of our employees undergo a criminal background check.

Our employees are also provided with all of the details about our policies for maintaining the security of our systems, and as those policies are updated, our employees are notified immediately. We periodically audit compliance with these policies.

Do your employees have to sign confidentiality agreements?

Yes, each and every employee.

Do you have a _____ ethics policy?

No. We're guided by our company values and good old common sense. We believe that policies around ethics lead to less ethical behavior.

Would you be opposed to us performing penetration testing on your network/systems?

No, but we'd prefer you tell us first. Not because we'll do anything different but so we're not surprised by the slew of bad requests (and the notifications that will go with them) that come from such testing. More importantly, by telling us that you'll be testing we can make sure you're not mistaken for a spammer and blocked.

How can I report security issues?

Please get in touch with our engineers at security@uservoice.com to responsibly disclose security vulnerabilities or concerns you have.

Phew! Wow, we can't believe you're still awake. Kudos to you! If you do have additional questions, please contact us and we'll help you out.

Accessibility

UserVoice is committed to a course of accessibility compliance and transparency, and works with independent 3rd-party consultants to assess our products for compliance with the Level A and AA Success Criteria in WCAG (Web Content Accessibility Guidelines) 2.0.

Accessibility Standards Compliance

UserVoice has adopted the Web Content Accessibility Guidelines (WCAG) 2.0, at the Level AA conformance level, for all websites and mobile applications. WCAG 2.0 is a set of voluntary technical guidelines for web accessibility. It is the most well-documented set of accessibility standards in the world, and there are numerous resources available of how to comply with the Success Criteria across a wide variety of technologies.

WCAG 2.0 Level AA meets the legal requirements of most domestic and international accessibility laws:

In addition, as a platform with complex widgets and applications, we are working to comply with the WAI-ARIA Authoring Practices 1.1 to ensure a standards-compliant site that provides a good experience for users of assistive technology.

Reports

How we perform audits

Audits are performed by independent 3rd-party consultants using a combination of automatic and functional tests to test website and mobile application accessibility. Using automatic testing tools, we look for common issues like missing alternate text, incorrect form labels, and low-contrast text.

Manually conducted functional performance tests are done using only a keyboard, screen magnification software, and a desktop and/or mobile screen reader, identifying issues that cannot be automatically detected, like components that do not work with a keyboard or focus traps. Tools used include the WAVE Toolbar, NVDA, JAWS, and ZoomText.

A couple of things to be aware of

  • If you create a custom design for your UserVoice Web Portal, your team will be responsible for ensuring your custom design is accessible.
  • If you use our Knowledge Base feature, this content is created and formatted by your team, so your team will need to ensure they are creating accessible content.

Frequently Asked Questions

Q: What standards does UserVoice comply with?

A: Web Content Accessibility Guidelines (WCAG) 2.0, at the Level AA conformance level. Learn more at w3.org or Wikipedia.

Q: Does UserVoice support Section 508, WAI, EN 301 549, and other guidelines?

A: Yes. These guidelines are all based on the WCAG 2.0 AA standard.

Q: How do you pronounce “WCAG”?

A: “way caag”

Q: Are known issues being addressed?

A: Yes! We’re currently working to resolve accessibility issues for our Web Portal and Widgets first because they affect our customers’ customers. We’ll then be working to resolve known issues in our Admin Console and Contributor Sidebar apps.

Q: I’ve found an issue that’s not on one of the reports. Where do I report this?

A: Please let us know at accessibility@uservoice.com with details of the issue, as well as the corresponding WCAG 2.0 success criteria it applies to.

Q: I have other questions regarding the accessibility of UserVoice. Who should I talk to?

A: Please contact accessibility@uservoice.com.

GDPR Compliance

Version 1.3, April 6, 2018

This page is intended to provide information about UserVoice’s GDPR compliance tooling. The primary audience is business customers that use our service and need to understand how we comply with the requirements of the GDPR.

Notice for end users

If you’ve arrived here looking for information about how to exercise your rights from within the UserVoice application, please see the following two articles:

Please note that following these instructions will only remove the information stored in UserVoice systems.

Goals in GDPR Compliance

UserVoice is required to be in compliance with the GDPR since we offer services to residents of the EU. In order to offer our service, we must collect data that can identify people. In addition to our obligation to follow the regulation, UserVoice intends to follow best practices in privacy and protection of data.

Our Role as a Data Controller and Data Processor

UserVoice has customers who are both companies and individuals.

We offer a product to companies that allows them to collect and analyze product feedback provided by individuals who may reside in the EU. In this case, through our contract with the company who is our customer, we are acting as a data processor. We collect, store, and retrieve data on their behalf and at their request.

We also use our own product to collect, store, and retrieve data to analyze our own product. In this capacity, we are both a data controller and data processor, since the data processing is happening for our own purposes.

Our Use of Third Party Data Processors

UserVoice makes use of third party services in infrastructure, reporting, and analytics. It is our obligation to ensure that the processing of data on our behalf is also GDPR compliant.

Consent Collection

When acting in our role as a data processor, it is the obligation of the data controller (our customer, a company) to ensure that they have collected consent and made clear that personal data is being collected for the purposes served by the UserVoice platform.

When acting in our role as a data controller, it is our obligation to make sure that we have collected consent to allow us to store and use data for the purposes served by the UserVoice platform.

However, whenever there is an opportunity for a user to create an account via a UserVoice-controlled web property (in our case idea portals and widgets, the first opportunity to provide personal data), UserVoice will prompt the user, so that EU residents are informed of the data that is collected and the purposes for which it is being used and can give consent.

Since these are not the only ways to provide personal data to UserVoice (for example, personal data can be submitted to us by data controllers through the API or data import functionality), data controllers must still ensure that they have appropriate consent collected for EU residents. Specifically, our SDKs, including iOS and Android SDKs, do not include any mechanism to collect consent. These SDKs are meant to be embedded by host applications whose UI is under control of the parent application; therefore, the producer of the application is the Data Controller and should collect consent for this purpose.

Additionally, we will detect (through IP address) when a known user has changed from a non-EU location to an EU location. If we do not yet have a consent record upon noticing this change, we will prompt the user for consent.

Right to access / Right to portability

UserVoice has created an API[1] endpoint that can be used to export end user data. Documentation about the endpoint is located and kept up-to-date here:

https://developer.uservoice.com/docs/api/v2/reference/#/users_2

The endpoint will send an email to the identified user containing their personal information along with their user-submitted content, including ideas and comments. Companies can invoke this endpoint on their end users’ behalf, and if they do so, they can include a custom message in the email that can, for example, describe the purpose of the email, who initiated its delivery, and what is contained in it.

A user interface is provided for end users to invoke this endpoint, instructions for which are linked in the “Notice for end users” section above.

This method is asynchronous. Results are delivered via email because the volume of content may be too large to return in a single API call. The results should be delivered within minutes.

Right to Erasure / Opt-out

UserVoice has created an API endpoint that can be used to invoke a Data Subject’s Right to Erasure or desire to Opt-out. Documentation about the endpoint is located and kept up-to-date here:

https://developer.uservoice.com/docs/api/v2/reference/#/users_5

This endpoint will remove the record of the user, point any user-generated content (ideas, comments, tickets, votes) to an anonymous user, and redact any personal information from the user-generated content (i.e. any names, ID numbers, contact information, etc. will be removed). UserVoice administrators are always welcome to further remove content beyond these automated means. For example, they may choose to delete content associated with the user rather than simply de-identify it.

Erasure and Opt-out are logically the same thing within UserVoice, so this endpoint can be used for both purposes.

A user interface is provided for end users to invoke this endpoint, instructions for which are linked in the “Notice for end users” section above.

This method is synchronous, immediate, and not reversible. An API return code of 200 or a message in the user interface will indicate successful execution of the routine.

Notification in the event of a Data Breach

We will notify the owners of UserVoice accounts within 48 hours of the discovery of a data breach. We will work with our customers to inform Data Subjects of the breach.

Data Processing Agreements

UserVoice has created a Data Processing Agreement with all of the required language and information that you can download and execute. Enterprise customers who have custom DPAs can submit the DPA for review to support@uservoice.com.

UserVoice Customer DPA

Contact Information

Questions and concerns can be directed via email to dpo at UserVoice dot com


[1] For basic usage information about our API, including authentication, please refer to https://developer.uservoice.com/docs/api/v2/getting-started/