
Welcome to the Trust Center

Find information you need about security, compliance, privacy, and agreements.
Who is behind this service

Userlane GmbH

The company’s head office:

St.-Martin-Str. 102

81669 Munich, Germany

Represented by its managing director:

Hartmut Hahn

Commercial Register:

HRB 226565 Amtsgericht München
VAT-ID: DE306625055

Responsible for content

Rachel Fletcher

legal@userlane.com

+49 123 456 789

Other presences online

The information above also applies to the following web presences:

https://twitter.com/userlanehq

https://www.facebook.com/userlane

https://www.xing.com/companies/userlane.com

https://www.linkedin.com/company/userlane

https://medium.com/@Userlane

Copyright

The content and works created by the site operators on these pages are subject to German copyright law. Duplication, processing, distribution, or any form of commercialization of such material beyond the scope of the copyright law shall require the prior written consent of its respective author or creator. Downloads and copies of this site are only permitted for private, non-commercial use. Insofar as the content on this site was not created by the operator, the copyrights of third parties are respected. In particular, third-party content is identified as such. Should you nevertheless become aware of a copyright infringement, please inform us accordingly. If we become aware of any infringements, we will remove such content immediately.

Liability for content

As a service provider, we are responsible for our own content on these pages in accordance with general legislation pursuant to Section 7 (1) of the German Telemedia Act (TMG). According to §§ 8 to 10 TMG, however, we are not obligated to monitor transmitted or stored third-party information or to investigate circumstances that indicate illegal activity. Obligations to remove or block the use of information according to general laws remain unaffected. However, liability in this regard is only possible from the point in time at which a concrete infringement of the law becomes known. If we become aware of any such infringements, we will remove this content immediately.

ISO/IEC 27001

Userlane is ISO 27001 certified

Userlane is certified for implementation of information security management standards.

Userlane demonstrates its commitment to providing a secure product and to meeting customer needs from both a business and a security-compliance standpoint by holding ISO/IEC 27001 certification. ISO 27001 is the international standard for information security. It provides a framework for information security management practices and helps organizations establish, implement, operate, monitor, review, maintain and improve an information security management system (ISMS). ISO 27001 is accepted worldwide as assurance that proper and continual measures have been taken to protect valuable company data.

Download ISO/IEC Certificate

Userlane Partners with Microsoft for Secure Infrastructure & Hosting

Why we chose Microsoft Azure

Userlane decided to work with Microsoft Azure to ensure that the strict security and compliance requirements of our enterprise and public-sector clients are met, and to allow us to provide a scalable, frictionless service on a global scale.

Userlane is a certified partner of Microsoft.

By joining forces with the industry leader Microsoft, Userlane can rely on a proven security architecture: over 3,500 dedicated Microsoft cybersecurity professionals help protect against, detect, and respond to threats.

All of Userlane’s databases, application servers and network infrastructure are hosted by Microsoft Azure.

By relying on Microsoft, Userlane can leverage significant investments that have been made towards the security and compliance of data centers:

Userlane exclusively uses EU data center regions.

To ensure that the data cannot be used or passed on without authorization, we have also contractually limited the use of the services to the EU region and regulated the access options accordingly. This also applies to maintenance.

Userlane is committed to an uptime SLA of 99.5%.

The infrastructure of Microsoft Azure is built for availability. This allows us to guarantee an availability of 99.5%, which corresponds to less than 4 hours of unavailability per month.

In the past, we have seen our performance surpass this minimum barrier on a regular basis.

Security Operations

Encryption
Data at rest

All databases use encryption at rest. This means that data can only be read after proper authentication against the respective database system. The files in which the data is stored are kept in encrypted form, so they can only be read by database systems that hold the appropriate decryption key.

Data in transit

Userlane applies transport encryption whenever data has to be transmitted over an insecure or public network (e.g. outside the virtual private cloud). The type of transport encryption depends on the encryption requested by the client system. Userlane uses HTTPS connections with 256-bit SSL certificates for all communication with clients.

Firewalls

Userlane uses Azure Network Security Groups to ensure that services running within the Azure environment are reachable only from the networks that need them. Access to the network ports of the various services is restricted so that only the services that require access can reach them.
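The least-privilege pattern described above (expose only the public-facing port, and open backend ports only to the subnet that needs them) can be checked before deployment by evaluating the rule set the way Azure does. The following is an added example written for this page, not Userlane's configuration or a Microsoft tool: it models NSG inbound evaluation (rules are evaluated in ascending priority order, the first match wins, and the built-in DenyAllInBound rule at priority 65500 catches everything else) over a constructed rule set, and reports which ports an arbitrary public address could reach. The rule names, the 10.0.1.0/24 application subnet and the probe address are all constructed assumptions.

```python
"""Constructed example: simulate Azure NSG inbound rule evaluation to verify
that only the intended ports are reachable from the intended networks.
Not Userlane's configuration; rule set, subnets and ports are assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first (Azure semantics)
    access: str     # "Allow" or "Deny"
    source: str     # CIDR prefix, or "*" / "Internet" for any address
    dest_port: str  # single port, "lo-hi" range, or "*"


# Constructed rule set modelled on the pattern the page describes:
# HTTPS is the only publicly exposed port, the database port is open only to
# the application subnet, and anything else falls through to the default deny.
RULES = [
    Rule("allow-https-from-internet", 100, "Allow", "*", "443"),
    Rule("allow-postgres-from-app-subnet", 200, "Allow", "10.0.1.0/24", "5432"),
    # Azure's built-in default rule: inbound traffic that matches no
    # higher-priority rule is denied.
    Rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]


def _source_matches(rule_source: str, src_ip: str) -> bool:
    # Simplification: treat "*" and the "Internet" tag as "any address".
    if rule_source in ("*", "Internet"):
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule_source)


def _port_matches(rule_port: str, port: int) -> bool:
    if rule_port == "*":
        return True
    if "-" in rule_port:
        lo, hi = (int(p) for p in rule_port.split("-"))
        return lo <= port <= hi
    return int(rule_port) == port


def evaluate(rules, src_ip: str, port: int):
    """Return (name of first matching rule, allowed?) for an inbound flow,
    following NSG first-match semantics in ascending priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _source_matches(rule.source, src_ip) and _port_matches(rule.dest_port, port):
            return rule.name, rule.access == "Allow"
    return None, False


def internet_exposed_ports(rules, candidate_ports, probe_ip="203.0.113.10"):
    """Ports from candidate_ports that a public address could reach.
    The probe address is a constructed TEST-NET-3 value."""
    return [p for p in candidate_ports if evaluate(rules, probe_ip, p)[1]]


if __name__ == "__main__":
    for src, port in [("203.0.113.10", 443), ("203.0.113.10", 5432), ("10.0.1.25", 5432)]:
        name, allowed = evaluate(RULES, src, port)
        print(f"{src}:{port} -> {'ALLOW' if allowed else 'DENY'} by {name}")
    print("publicly reachable:", internet_exposed_ports(RULES, [22, 443, 5432, 27017]))
```

A review that asserts `internet_exposed_ports` returns only the port you intend to expose is a cheap guard against a rule accidentally widening a backend port's source to `*`; the same evaluator can be run over rules exported from a real NSG.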

Penetration Tests

Userlane works with recognized security experts and researchers. Together we aim for the highest possible security of our systems.

We perform penetration tests on a yearly basis. Our contractor Cobalt maintains a core of 200+ highly vetted, certified security researchers.

Monitoring

Userlane uses various monitoring tools to ensure maximum availability, performance and security of the application. The monitoring includes, but is not limited to, the following parameters:

Availability

  • Availability of the application
  • Accessibility of backend systems and services

Resources

  • CPU utilization
  • Utilization of network interfaces
  • Utilization of persistent and volatile storage

Performance

  • Response times of the application
  • Response times of backend systems
  • Query times for database contents

Security

  • Update status of systems
  • Error logs
  • Access logs

Backups

Userlane performs continuous backups of its databases. These allow the database to be restored to its state at any given point in time, down to the second. The backups are stored in the same region and are retained for 30 days. They are treated as sensitive data: only specific personnel can access them, and only after an internal authorization process.


Userlane values privacy

The security and integrity of all data that enters or leaves any Userlane system are of high value to us. We constantly strive to build on our high standards and leverage them to provide our clients with the peace of mind that their business is running in a secure environment. We do this by living and fostering a culture that is security-aware and privacy-aware. We built Userlane as a privacy-first company because we strongly believe that security and privacy must be a deep-rooted and upheld value of organizations worldwide. Our approach to security and privacy is built on the following three principles:

Data frugality

Userlane only stores data that is required to deliver its services. By default, we minimize the amount of data that passes through our systems. This ensures that critical customer data is neither collected nor processed by us unless our customers explicitly request it for targeting, analytical or compliance purposes.

Proven technologies

We validate our technology choices with industry best practices and vendor compliance processes. We rely on languages, frameworks, and systems that are used in business-critical applications by various enterprises and governmental agencies around the world.

Highest security standards

We apply high security standards to every change we make. We are aware that a chain is only as strong as its weakest link, so every choice matters. Our culture and values embody the great responsibility we take on.

Download Data Processing Addendum (DPA)

This Data Processing Addendum supplements the Userlane Master Subscription Agreement / Terms of Service concluded by and between the Customer (referred to as “Customer” or “Controller” hereinafter) and Userlane GmbH, St.-Martin-Str. 102, 81669 Munich, Germany (referred to as “Processor” hereinafter).

This document can be printed for reference by using the print command in the settings of any browser.

Preamble

This Data Processing Addendum (hereinafter: ”Agreement” or “DPA”) specifies the contractual parties’ obligations under data protection law resulting from the Processor’s data processing on behalf of the Customer based on Userlane Master Subscription Agreement / Terms of Service (hereinafter: “Main Contract”) concluded between the parties.

Section 1 Object of the DPA; Controller Instructions
  1. The Processor processes the Customer’s personal data. Type and purpose of this data processing can be consulted in Schedule 1 of this Agreement and in the Main Contract.
  2. The Customer is authorised to issue instructions to the Processor regarding the data processing. In principle, instructions are to be issued in text form. If, on an exceptional basis, instructions are given verbally, they are to be subsequently documented in writing in text form without delay by the Customer. The Processor and all the Processor’s subordinates with access to personal data may only process the data that are the object of this Agreement further to the Customer’s instruction, including the powers granted in this Agreement, unless they are legally obliged to do the processing. The Processor shall inform the Customer without delay if they believe that an instruction violates data protection regulations. The Processor shall be entitled to defer the execution of the instruction in question until such time as it is confirmed or changed by the Customer.
Section 2 Obligations of the Processor
  1. The Processor shall structure its in-house organisation in a manner complying with data protection requirements. The Processor shall enact technical and organisational measures that meet the requirements of the General Data Protection Regulation (Art. 32 GDPR).
  2. In executing the work, the Processor shall only use employees who have been familiarised with the relevant data protection regulations and properly obligated to maintain secrecy (Art. 28 Para. 3 Clause 2 lit. b and Art. 29 GDPR).
  3. In Schedule 2, the Processor has documented the implementation of the technical and organisational measures needed for the specific performance of this Agreement. The Customer is familiar with these technical and organisational measures and is responsible to evaluate that these measures are offering adequate risk protection for the data to be processed.
  4. The technical and organisational measures are subject to technical progress and development. The Processor is permitted to implement adequate alternative measures assuming that the security level of the measures according to Schedule 2 may not be undercut. Important changes are to be documented.
  5. The Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III GDPR. This includes responding to data subjects’ inquiries concerning either the Controller’s information obligation, their right of access, their right of rectification, erasure, restriction of processing, data portability and related communication obligations of the Controller, or the right to object to automated decisions, including profiling, if the data subject asserts any such rights. Furthermore, the Processor will assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the Processor.
  6. Where a data subject contacts the Processor with one of his rights under Chapter III GDPR, Processor may only provide information about personal data from the contractual relationship after prior instruction in accordance with Section 1 of this Agreement or upon prior approval by the Controller.
  7. Contact details of the Processor's data protection officer and the internal representative are given in Schedule 3.
Section 3 Customer and Supervisory Authority Controls
  1. If, on a case-by-case basis, it should become necessary for the Customer to inspect the technical and organisational measures, such inspections will be conducted during normal working hours, without disturbance to operations, following prior notification and allowing for an appropriate lead time.
  2. The Processor may make inspection contingent upon the signing of a confidentiality agreement regarding the data of other customers, and the technical and organisational measures established, if the Customer does not commission an investigator who is under a secrecy obligation for legal reasons and/or for reasons of professional law.
  3. If the investigator commissioned by the Customer is in competition with the Processor, the Processor shall have veto power.
  4. If a data protection supervisory authority or another of the Customer’s sovereign supervisory authorities wants to inspect the data processing, the Processor will support the Customer. The above paragraphs apply accordingly.
Section 4 Correction, Restriction, and Deletion of Data
  1. The Processor may only delete or restrict the processing of the data to be processed under the terms of this Agreement if this is provided for in the Main Contract or in this Agreement or if the Customer issues a corresponding instruction. If a data subject addresses the Processor directly with a wish for deletion, this request shall be transmitted without delay to the Customer by the Processor.
  2. After the end of this DPA, all personal data that are the object of this Agreement shall either be deleted or returned by the Processor, at the Customer’s request, to the extent that there are no obligations for storage of the personal data under applicable statutory provisions.
  3. Copies or duplicates of the data will not be issued without the Customer’s knowledge. Processor is entitled to create backups, to the extent needed to ensure proper data processing. Processor is also entitled to process data needed to meet statutory retention requirements.
Section 5 Subcontractors
  1. In terms of this provision, sub-contractual relations entail those services that relate directly to the provision of the main service. This does not include ancillary services availed of by the Processor, e.g. telecommunications services, postal/transport services, maintenance and user service, or disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity, and capacity of the hardware and software of the data processing equipment. However, in order to ensure the protection and safety of the Customer’s data in outsourced ancillary services as well, the Processor is bound to conclude appropriate and legally compliant contractual agreements and to take control measures.
  2. The Processor may only commission sub-contractors (additional contract processors) with the prior approval of the Customer, or pursuant to information from the Customer that corresponds to the requirements of Art. 28 Para. 2 s.2 GDPR. Consent shall be deemed to have been granted and the new subcontractors shall be deemed to have been approved if the Customer does not object either in writing or by e-mail within one month of receipt of the notice of amendment. The Customer will be particularly informed of this consequence by the Processor as part of the notification of amendment. The Customer hereby approves the subcontractors named in test-userlane-new.pantheonsite.io/subprocessors.
  3. If the Customer objects to any new subcontractor, the Processor is not allowed to include this subcontractor in the processing of the Customer’s data. As a consequence of the Customer’s objection, the Parties shall be entitled to terminate the Main Contract with a one-month notice period without the Processor being obliged to refund any paid license fees.
Section 6 Remuneration

Remuneration for all of the Processor’s activities is not part of this Agreement but is based solely on the Main Contract.

Section 7 Term

This Agreement shall apply in this form upon signature of the Main Contract. This Agreement shall end upon the full implementation of the measures described in Schedule 1, without requiring a notice of termination by one of the parties, or with the end of the Main Contract.

Section 8 Final provisions
  1. Changes and supplements to this DPA require written form or text form. This shall also apply to a waiver of this form requirement.
  2. This Agreement shall also apply if and insofar as authorities or courts deviate mutatis mutandis from a joint responsibility of the contracting parties pursuant to Art. 26 GDPR.
Schedule 1:

Subject Matter, Type, and Scope of Data

Follow up on page 6 (PDF version)

Schedule 2:

Technical and organizational measures

Follow up on page 8 (PDF version)

Schedule 3:

Data Protection Contact Details

Data Protection Coordinator: Petr Profous – Information Security Officer

Contact us: dpo@userlane.com

Data Protection Officer: DataCo GmbH

Contact us: lmehl@consulting.dataguard.de
