Data Protection at Userbrain

We protect your data by using industry-leading controls and systems that prevent unauthorized access and damage.

Last updated on 02 Feb, 2026

At Userbrain, data protection, confidentiality, and security are core principles of how we design and operate our service. We implement technical, organizational, and contractual safeguards to ensure that personal data is processed securely, lawfully, and transparently, in full alignment with the EU General Data Protection Regulation (GDPR).

This article provides a detailed overview of how we protect customer and tester data, how we comply with GDPR requirements, and which security measures are in place across our infrastructure and organization.

Is my data safe?

Yes. We use industry-standard security controls to protect all data stored and processed by Userbrain.

  • Encryption at rest: Data is encrypted at rest using full-disk encryption (e.g. LUKS).

  • Encryption in transit: All data transfers between clients and servers are protected using SSL/TLS (HTTPS).

  • Access controls: Access to personal data is strictly limited to authorized personnel and protected by authentication, authorization, and logging mechanisms.

These measures are designed to protect against unauthorized access, disclosure, loss, or alteration of data.

Is your service GDPR compliant?

Yes. Userbrain acts as a data processor under Article 28 GDPR and provides a comprehensive Data Processing Agreement (DPA) to all customers.

The DPA governs:

  • The subject matter and duration of processing

  • The nature and purpose of processing

  • The categories of personal data and data subjects

  • The obligations and responsibilities of Userbrain as a processor

How does Userbrain ensure ongoing compliance with data protection laws?

We maintain compliance through a combination of organizational, legal, and technical measures:

  • Appointment of an internal Data Protection Officer

  • Regular employee training on data protection, IT security, and confidentiality

  • Central documentation of data protection policies and procedures

  • Continuous review and updating of technical and organizational measures

  • Formal processes for handling data subject requests (e.g. access, deletion)

These controls ensure that GDPR compliance is not a one-time effort, but an ongoing operational practice.

What is your data retention policy?

Customers can trigger a GDPR-compliant deletion at any time. Data is destroyed through a controlled deletion process that permanently removes personal data from active systems and backups, in accordance with legal obligations, retention rules, and our data retention policies.

This process:

  • Permanently removes all customer and tester data

  • Includes user accounts, metadata, and all user test video recordings

  • Leaves no recoverable traces in active systems

Do you support the EU–US Privacy Shield?

No. The EU–US Privacy Shield has been declared invalid by the European Court of Justice and is no longer used as a transfer mechanism.

Where personal data is transferred to third countries, this is done based on:

  • Customer instructions

  • Contractual safeguards

  • GDPR-compliant transfer mechanisms

Where is my data stored?

  1. Primary data (non-video): Stored on servers located in the EU (Frankfurt, Germany)

  2. Video recordings: Stored on a global Content Delivery Network (CDN) for performance reasons and later archived on EU-based servers.

Who has access to my data?

Only:

  • You (the customer and authorized users within your workspace)

  • A limited number of authorized Userbrain administrators, strictly as required for service operation and support

No third parties receive access outside the scope of contractual and GDPR obligations.

How is data backed up and recovered?

  • Daily backups

  • Redundant storage

  • Continuous monitoring and reporting

  • Documented recovery plans to restore data quickly after technical or physical incidents

These measures ensure high availability and resilience of the service.

Do you rely on sub-processors or cloud providers?

Yes. Userbrain relies on vetted infrastructure and service providers, including:

  • DigitalOcean LLC – hosting and backend infrastructure

  • Amazon Web Services (AWS) EMEA SARL – hosting and infrastructure

  • Additional providers for communication and CRM purposes

Customers are informed in advance about changes to the list of sub-processors and may object where applicable.

ISO 27001 Compliance

Userbrain is currently not certified under ISO 27001 or SOC 2 Type II.

At present, formal certification is not on our immediate roadmap. However, many of the technical and organizational measures required by these standards are already implemented as part of our GDPR compliance program.
