Security, data protection, and compliance
SECURITY
Product Security
Product security is of paramount importance at UserGems. UserGems uses a software development lifecycle in line with general Agile principles. When security effort is applied throughout the Agile release cycle, security-oriented software defects can be discovered and addressed more rapidly than in development methodologies with longer release cycles. Software patches are released as part of our continuous integration process. Patches that can impact end users are applied as soon as possible but may require end-user notification and the scheduling of a service window.
UserGems performs continuous integration, which allows us to respond rapidly to both functional and security issues. Well-defined change management policies and procedures determine when and how changes occur. This philosophy is central to DevOps security and to the development methodologies UserGems has adopted. In this way, UserGems is able to achieve a very short mean time to resolution for security vulnerabilities and functional issues alike. UserGems continuously improves its DevOps practice in an iterative fashion.
Physical Security
The UserGems production infrastructure is hosted in Cloud Service Provider (CSP) environments. Physical and environmental security controls for UserGems production servers, which include buildings and the locks or keys used on doors, are managed by these CSPs. “Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors.” (See the AWS Shared Responsibility Model.)
Corporate Security
UserGems uses internal services that require transport-level security for network access and that authenticate users individually through a central identity provider, with two-factor authentication wherever possible.
All UserGems personnel undergo regular security and privacy awareness training that weaves security into technical and non-technical roles; all employees are encouraged to participate in securing our customer data and company assets. Security training materials are developed for individual roles to ensure employees are equipped to handle the specific security-oriented challenges of their roles.
DATA PROTECTION
Authentication and Access Management
End users may log in to UserGems using an Identity Provider, via UserGems’ support for the Security Assertion Markup Language (SAML) or via the “Sign-in with Outreach” OpenID service. These services authenticate an individual’s identity and may offer the option to share certain personally identifying information with UserGems, such as name and email address, to pre-populate our sign-up form. UserGems’ SAML support allows organizations to control authentication to UserGems and to enforce their own password policies, account recovery strategies and multi-factor authentication technologies.
Protection of Customer Data
Data submitted to the UserGems service by authorized users is considered confidential. This data is protected in transit across public networks and encrypted at rest. Customer Data is not authorized to exit the UserGems production service environment, except in limited circumstances such as in support of a customer request.
All data transmitted between UserGems and UserGems users is protected using Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS). If encrypted communication is interrupted, the UserGems application is inaccessible.
UserGems uses the data centers of a Cloud Service Provider (CSP) in the United States. UserGems applies encryption according to best practices at various points to protect Customer Data and UserGems secrets, including encryption at rest (e.g. AES-256) and KMS-based protection for secrets (passwords, access tokens, API keys, etc.).
Access to Customer Data is limited to roles with a business requirement for it. UserGems has implemented multiple layers of access controls for administrative roles and privileges. Access to environments that contain Customer Data requires a series of authentication and authorization controls, including Multi-Factor Authentication (MFA). UserGems enforces the principles of least privilege and need-to-know for access to Customer Data, and access to those environments is monitored and logged for security purposes. UserGems has implemented controls to ensure the integrity and confidentiality of administrative credentials and access mechanisms, and enforces full-disk encryption and unique credentials for workstations.
UserGems monitors critical infrastructure for security-related events using a custom implementation of open source and commercial technologies. Activity data such as API calls and operating-system-level calls are logged to a central point, where the information is passed through a series of custom rules designed to identify malicious or unapproved behavior. The results of these rules are fed into an orchestration platform that triggers automated actions, which may include directly alerting the security team or requiring additional authentication.
COMPLIANCE
Certifications, Attestations and Frameworks
UserGems maintains an active SOC 2 attestation and has automated continuous monitoring in place to ensure that we stay compliant.
We conduct continuous network vulnerability testing and contract an independent third party to conduct penetration testing whenever there are major changes to our application, and at least annually.
UserGems went through a full security review with Salesforce AppExchange in order to offer UserGems to Salesforce customers. The purpose of the Salesforce security review is to assure customers that the provider of a published app meets industry best security standards.
This review by Salesforce also includes an additional third-party penetration test.
Laws and Regulations
UserGems’ solution is compliant with various data protection laws and regulations applicable to the services we provide.
GDPR
UserGems is compliant with the General Data Protection Regulation (GDPR) which went into effect on May 25, 2018. UserGems has worked to enhance its products, processes, and procedures to meet its obligations as a data processor. For more information about our position on the GDPR, please visit https://www.usergems.com/gdpr/.
CCPA
UserGems also adheres to the requirements of the CCPA. UserGems has added services in order to comply with the CCPA (e.g. an option for data subjects to contact us for "Do Not Sell My Information") and to support customers with their own compliance (e.g. through data deletion and data disclosure options). For more information on "Do Not Sell My Information", please visit https://www.usergems.com/ccpa/.
Vendor Management
UserGems uses a number of third-party applications and services in support of the delivery of our products to our customers. The UserGems Security Team recognizes that the company’s information assets and vendor dependencies are critical to our continuing operations and delivery of services. As such, UserGems’ Security and Privacy teams have established a vendor management program that sets forth the requirements to be established and agreed upon when UserGems engages with third parties or external vendors. These engagements are designed to assess the technical, physical, and administrative controls in place and to ensure they are commensurate with the expectations of UserGems and its customers.
REPORT AN ISSUE
Disclosure
If you believe you’ve discovered a security vulnerability in UserGems, please get in touch at security@usergems.com and we will get back to you within 24 hours, and usually earlier.
We request that you not publicly disclose the issue until we have had a chance to address it.