Welcome to the Trust Center

Who is behind this service
Userlane GmbH
The company’s head office:
St.-Martin-Str. 102
81669 Munich, Germany
Represented by its managing director:
Hartmut Hahn
Commercial Register:
HRB 226565 Amtsgericht München
VAT-ID: DE306625055
Responsible for content
legal@userlane.com
Copyright
The content and works created by the site operators on these pages are subject to German copyright law. Duplication, processing, distribution, or any form of commercialization of such material beyond the scope of the copyright law shall require the prior written consent of its respective author or creator. Downloads and copies of this site are only permitted for private, non-commercial use. Insofar as the content on this site was not created by the operator, the copyrights of third parties are respected. In particular, third-party content is identified as such. Should you nevertheless become aware of a copyright infringement, please inform us accordingly. If we become aware of any infringements, we will remove such content immediately.
Liability for content
As a service provider, we are responsible for our own content on these pages in accordance with general legislation pursuant to Section 7 (1) of the German Telemedia Act (TMG). According to §§ 8 to 10 TMG, however, we are not obligated to monitor transmitted or stored third-party information or to investigate circumstances that indicate illegal activity. Obligations to remove or block the use of information according to general laws remain unaffected. However, liability in this regard is only possible from the point in time at which a concrete infringement of the law becomes known. If we become aware of any such infringements, we will remove this content immediately.
ISO/IEC 27001

Userlane is certified for implementation of information security management standards.
Userlane exemplifies its commitment to providing a secure product and fulfilling customer needs from business and security compliance standpoints by receiving ISO/IEC 27001 certification. ISO 27001 is the international standard for information security. It provides a framework for information security management practices and helps organizations establish, implement, operate, monitor, review, maintain and improve an information security management system (ISMS). ISO 27001 is accepted worldwide as an assurance that proper and continual measures have been taken to protect valuable company data.
Userlane Partners with Microsoft for Secure Infrastructure & Hosting
Why we chose Microsoft Azure
Userlane decided to work with Microsoft Azure to ensure that the strict security and compliance requirements of our enterprise and public service clients are met, and to allow us to provide a scalable, frictionless service at a global scale.
Userlane is a certified partner of Microsoft.
By joining forces with the industry leader Microsoft, Userlane can rely on a proven security architecture: Over 3,500 dedicated Microsoft cybersecurity professionals help protect, detect, and respond to threats.
All of Userlane’s databases, application servers and network infrastructure are hosted by Microsoft Azure.
By relying on Microsoft, Userlane can leverage significant investments that have been made towards the security and compliance of data centers:
- Microsoft Azure is certified with ISO 27001 – a common standard in the industry.
- Since the beginning of 2017, Microsoft Azure has also been certified with ISO 27018 – a new standard for the protection of personal data in the Cloud.
- Read Microsoft’s Whitepaper about Microsoft Azure Security, Privacy, Compliance
- ISO 27001
- ISO 27018
Userlane exclusively uses EU data center regions.
In order to ensure that the data cannot be used without authorization or passed on, we have also contractually limited the use of the services to the EU region and regulated the access options accordingly. This also applies to the case of maintenance.
Userlane is committed to an uptime SLA of 99.5%.
The infrastructure of Microsoft Azure is built for availability. This allows us to guarantee an availability of 99.5%, which corresponds to less than 4 hours of unavailability per month.
In the past, we have seen our performance surpass this minimum barrier on a regular basis.
Security Operations
Encryption
Data at rest
All databases use “at rest” encryption, meaning data can only be read if proper authentication takes place on the respective database system. The files in which the data is stored are encrypted so that they can only be accessed by database systems holding the appropriate decryption keys. Userlane uses AES-256 encryption for all data at rest, with encryption keys securely managed via Azure Key Vault to ensure strict access controls and auditability.
Data in transit
Userlane applies transport encryption whenever data is transmitted over an insecure or public network (e.g., outside the virtual private cloud). The type of transport encryption depends on the encryption requested by the client system. Userlane prefers TLS 1.3 for data in transit (TLS 1.2 supported for compatibility) to provide the highest level of security, ensuring data confidentiality and integrity during transmission.
Firewalls
Userlane works with Azure Network Security Groups to ensure that services running within the Azure environment are accessible only to the networks that need them. Access to the network ports of each service is restricted so that only the services that need access can reach them.
Penetration Tests
Userlane works with recognized security experts and researchers. Together we aim for the highest possible security of our systems.
We perform penetration tests on a yearly basis. Our contractor Cobalt maintains a core of 200+ highly vetted, certified security researchers.
Monitoring
Userlane uses various monitoring tools to ensure maximum availability, performance and security of the application. The monitoring includes but is not limited to the following parameters:
Availability
- Availability of the application
- Accessibility of backend systems and services
Resources
- CPU utilization
- Utilization of network interfaces
- Utilization of persistent and volatile storage
Performance
- Response times of the application
- Response times of backend systems
- Query times for database contents
Security
- Update status of systems
- Error logs
- Access logs
Backups
Userlane runs continuous backups of its databases. These can restore the database to its state at any specific point in time, down to the second. The backups are stored in the same region. Backups are retained for 30 days. These backups are treated as sensitive data. Only specific personnel can access these backups after an internal authorization process.
Userlane values privacy
The security and integrity of all data that enters or leaves any Userlane system are of high value to us. We constantly strive to build on our high standards and leverage them to provide our clients with the peace of mind that their business is running in a secure environment. We do this by living and fostering a culture that is security-aware and privacy-aware. We built Userlane as a privacy-first company because we strongly believe that security and privacy must be a deep-rooted and upheld value of organizations worldwide. Our approach to security and privacy is built on the following three principles:
Data frugality
Userlane only stores data that is required to deliver its services. By default, we minimize the amount of data that runs through our systems. Thereby we ensure critical customer data is neither collected nor processed by us, unless our customers explicitly demand it for targeting, analytical or compliance purposes.
Proven technologies
We validate our technology choices with industry best practices and vendor compliance processes. We rely on languages, frameworks, and systems that are used in business-critical applications by various enterprises and governmental agencies around the world.
Highest security standards
We apply high-security standards with every change we make. We are aware that a chain is only as strong as its weakest link, so every choice matters. Our culture and values embody the high responsibility we take on.
Download Data Processing Addendum (DPA)
Upcoming Changes to Our Data Processing Agreement (DPA)
As part of our annual legal and compliance review, we are updating our Data Processing Agreement to reflect improvements in how we manage subprocessors, data handling, and customer rights. The updated DPA will take effect on February 1, 2026, and applies to all processing activities from that date forward. Customers will be notified of the upcoming changes via email in January 2026. Until then, the current DPA remains in effect.
➤ For transparency, you can review the upcoming version here
Mandatory Public Information pursuant to Art. 28 DA
Our services are subject to German law.
To prevent international governmental access to and transfer of non-personal data where such access or transfer would conflict with Union law or German law, we implement appropriate technical, organizational, and contractual measures. These include: primarily hosting data within the EU, encrypting data (e.g., during transmission), technical access restrictions such as identity and access management, password managers, single sign-on with 2FA, authorization management, monitoring and logging of access attempts, regular penetration testing, employee training, internal policies, and the review and contractual obligation of subcontractors.
Mandatory Information for Customers pursuant to Art. 25 and Art. 26 Data Act
- Upon request, in the event of a switch pursuant to Art. 25 DA, the customer may export the following categories of data and structures from the provider:
  - HEART analytics data (e.g. survey results, engagement metrics)
  - Content analytics data
  - Guide texts and translations
  - User list
- The provider transmits the data using the following switching and transfer methods, open interfaces, and in the following file formats:
  - Download link via the Userlane Portal (CSV)
  - API-based export (JSON)
- The following categories of data are excluded from the exportable data to be transmitted, as they are specific to the internal functioning of the provider’s software or involve the risk of infringement, endangerment, or disclosure of the provider’s or a third party’s trade secrets, intellectual property, or the security and integrity of the exportable data, the customer, a third party, or the provider:
  - Internal system algorithms and proprietary AI models
  - Raw user event data