Security Center
Date of Last Revision: Feb 2023
Technical security
At UserBit, we treat privacy and data security as our top most priority. Here, we have documented some of the ways we make sure your information is always safe and secure when you're using UserBit.
If you have specific questions, please don't hesitate to get in touch with us at support@userbit.com.
Server-side Encryption
At UserBit your at-rest data and metadata is encrypted under the 256-bit Advanced Encryption Standard before it is written to disk, and each encryption key is itself encrypted with a regularly rotated set of master keys.
Transport Layer Security
To protect your data as it travels over the Internet during read and write operations, UserBit uses Transport Layer Security (HTTPS).
Robust Access management
Access to user data on UserBit is maintained via strict database level security rules to protect privacy and data confidentiality. By default, authenticated users have access to their own data only. Users can opt to share their data with their teammates via shared projects or by choosing to invite ohter users explicitly.
Payment processing
All payment related services are provided by Stripe, which is certified as a PCI Level 1 Service Provider. UserBit does not and cannot store or access sensitive payment information.
Comprehensive Authentication Security
UserBit uses firebase authentication framework built by the same team that developed Google Sign-in, Smart Lock and Chrome Password Manager, Firebase security applies Google's internal expertise of managing one of the largest account databases in the world.
Single Sign-On
UserBit administrators on Enterprise plan can enable single sign-on (SSO) using any SAML-based identity provider (IdP) like Okta, Google, OneLogin,Microsoft Azure Active Directory.
Two-factor Authentication
UserBit offers SMS based two-factor authentication to protect against harmful data breaches, which are commonly caused by weak or stolen credentials.
Application Security
UserBit follows industry standard best practices for product development. All our releases and new features are thoroughly tested for security vulnerability before deployment.
In addition, UserBit is equipped with thorough internal logging and audit trail features that provide transparency into usage and access. With the help of Google's infrastructure, we get alerted to and react quickly to all security concerns.
UserBit's infrastructure is entirely hosted on Google Cloud Platform (GCP) which takes advantage of the same security model as Google Apps like Gmail and Search. A detailed whitepaper on security policy can be downloaded here:
https://services.google.com/fh/files/misc/google_security_wp.pdf
Data Center Physical Security
UserBit uses Google's data centers and servers that are located in USA. These data centers feature a layered security model, including safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics. The data center floor features laser beam intrusion detection.
Moreover, these data centers are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders. Access logs, activity records, and camera footage are reviewed in case an incident occurs. UserBit employees do not have physical access to these servers and data centers.
Data security
Encryption
All data on UserBit is automatically encrypted at rest and in transit. Any new data stored in persistent disks is encrypted under the 256-bit Advanced Encryption Standard (AES-256), and each encryption key is itself encrypted with a regularly rotated set of master keys.
During transit, all read and write operations on UserBit are protected using Transport Layer Security (HTTPS).
Access
The storage stack and secured layers of UserBit application require that incoming requests are authenticated and authorized. Data stored in our noSQL cloud database is protected by database level security rules and Google's Identity and Access Management (IAM). Only authorized employees at UserBit have electronic access to user data.
Customer data is logically isolated from that of other customers and users, even when it's stored on the same physical server. Only a small group of Google employees have access to customer data.
Disposal
User deleted data on UserBit is immediately wiped from our production database. Some critical deleted data like the project structure remains in our backup storage for 30 days, after which it is wiped from there as well. In the event that customers are unable to delete their data, they can also reach out to UserBit support to get their data wiped.
When retired from Google’s systems, hard disks containing customer information are subjected to a data destruction process before leaving Google’s premises.
Backups
All customer data and account content on UserBit is backed up regularly on a separate cloud storage.
More details on our data processing and security can be found in our Data processing agreement (DPA)
Billing
UserBit does not store or transmit any sensitive payment data. All of our payment services are handled securely by our payments partner, Stripe, which is certified as a PCI Level 1 Service Provider.
You can read more about Stripe's privacy and security policy here: https://stripe.com/privacy.
Privacy and GDPR
UserBit has the operational, product, and policy frameworks in place to support the rights and obligations under the General Data Protection Regulations (GDPR). Learn more about our GDPR initiatives here.
Security Incident response plan
UserBit team is trained on appropriate incident response procedures in the case of a data breach. You can find more information about it in our Information Security Incident Response Plan.
