At Userbrain, data protection, confidentiality, and security are core principles of how we design and operate our service. We implement technical, organizational, and contractual safeguards to ensure that personal data is processed securely, lawfully, and transparently, in full alignment with the EU General Data Protection Regulation (GDPR).
This article provides a detailed overview of how we protect customer and tester data, how we comply with GDPR requirements, and which security measures are in place across our infrastructure and organization.
Is my data safe?
Yes. We use industry-standard security controls to protect all data stored and processed by Userbrain.
Encryption at rest: Data is encrypted at rest using full-disk encryption (e.g. LUKS).
Encryption in transit: All data transfers between clients and servers are protected using SSL/TLS (HTTPS).
Access controls: Access to personal data is strictly limited to authorized personnel and protected by authentication, authorization, and logging mechanisms.
These measures are designed to protect against unauthorized access, disclosure, loss, or alteration of data.
Is your service GDPR compliant?
Yes. Userbrain acts as a data processor under Article 28 GDPR and provides a comprehensive Data Processing Agreement (DPA) to all customers.
The DPA governs:
The subject matter and duration of processing
The nature and purpose of processing
The categories of personal data and data subjects
The obligations and responsibilities of Userbrain as a processor
How does Userbrain ensure ongoing compliance with data protection laws?
We maintain compliance through a combination of organizational, legal, and technical measures:
Appointment of an internal Data Protection Officer
Regular employee training on data protection, IT security, and confidentiality
Central documentation of data protection policies and procedures
Continuous review and updating of technical and organizational measures
Formal processes for handling data subject requests (e.g. access, deletion)
These controls ensure that GDPR compliance is not a one-time effort, but an ongoing operational practice.
What is your data retention policy?
Customers can trigger a GDPR-compliant deletion at any time. Data is destroyed through a controlled deletion process that ensures personal data is permanently removed from active systems and backups, in accordance with legal obligations, retention rules and our data retention policies.
This process:
Permanently removes all customer and tester data
Includes user accounts, metadata, and all user test video recordings
Leaves no recoverable traces in active systems
Do you support the EU–US Privacy Shield?
No. The EU–US Privacy Shield has been declared invalid by the European Court of Justice and is no longer used as a transfer mechanism.
Where personal data is transferred to third countries, this is done based on:
Customer instructions
Contractual safeguards
GDPR-compliant transfer mechanisms
Where is my data stored?
Primary data (non-video): Stored on servers located in the EU (Frankfurt, Germany)
Video recordings: Stored on a global Content Delivery Network (CDN) for performance reasons and later archived on EU-based servers.
Who has access to my data?
Only:
You (the customer and authorized users within your workspace)
A limited number of authorized Userbrain administrators, strictly as required for service operation and support
No third parties receive access outside the scope of contractual and GDPR obligations.
How is data backed up and recovered?
Daily backups
Redundant storage
Continuous monitoring and reporting
Documented recovery plans to restore data quickly after technical or physical incidents
These measures ensure high availability and resilience of the service.
Do you rely on sub-processors or cloud providers?
Yes. Userbrain relies on vetted infrastructure and service providers, including:
DigitalOcean LLC – hosting and backend infrastructure
Amazon Web Services (AWS) EMEA SARL – hosting and infrastructure
Additional providers for communication and CRM purposes
Customers are informed in advance about changes to the list of sub-processors and may object where applicable.
ISO 27001 Compliance
Userbrain is currently not certified under ISO 27001 or SOC 2 Type II.
At present, formal certification is not on our immediate roadmap. However, many of the technical and organizational measures required by these standards are already implemented as part of our GDPR compliance program.