Data Security and Privacy FAQs

2017

ABOUT USERREPLAY

What does UserReplay do?

UserReplay’s customer experience analytics platform helps companies discover a prioritized list of unidentified revenue opportunities, by visualizing customer obstacles and resolving revenue-draining issues up to 10 x faster.

We help your internal teams share the insights that matter most. And by giving you the data to understand and the proof to act, your IT and digital teams can deliver business value, together.

• Discover the customer experience or technical issues that stop visitors from converting.
• Monetize by applying a financial value to the issues to prioritize resolution.
• Optimize this revenue by interrogating the data and analytics.
• Resolve the issues up to 10 x faster to maximize existing revenue opportunities.

What is session replay? And where does it deliver value?

Session replay is the ability to replay a visitor’s journey on a website or within a web application. Its main value is to help improve customer experience, whilst also assisting in the identification of obstacles in the conversion processes on websites.

Session Replay supports the study of website usability and visitor behavior. And by linking to feedback tools such as voice of customer, the customer service and digital teams can replay a specific customer journey with all interactions.

For IT users, linking visitor session data to each replay allows online businesses to visualize performance from every customer’s perspective, providing the analytical and session data needed to resolve issues quickly.

Finally, in a fraud scenario session replay provides proof of customer actions and the data to identify specifics or trends.

What Does UserReplay record?

UserReplay records the HTML that was shown to the individual website visitor along with the interactions they make with the site (mouse movements, clicking, interacting with forms) as well as any changes that these actions make to the page (expanding/collapsing parts of the screen, hovering over menus etc.). UserReplay does not record the assets referenced by the page (images, style sheets etc.).

All data sent to UserReplay is encrypted in transit. All data entered by the website visitors can be redacted so that this cannot be seen by anyone during the replay of the session, the data redaction occurs in the website visitor’s browser and as such is never transmitted to UserReplay.

What is UserReplay’s approach to the processing of personal data?

UserReplay does not allow the capture of personal data within its own environment. Personal data is redacted at the first point of contact, in the website visitor’s browser.

In addition to automated monitoring we regularly audit our implementations manually to ensure we are not collecting personal data.

It is essential that no personal data such as passwords, contact details or payment details are ever sent to UserReplay.

To facilitate this, UserReplay has implemented a whitelist approach to scrubbing (Scrubbing is a term used by UserReplay to describe either completely excluding content from capture or masking textual content by obfuscating the characters).  This approach means we scrub pages using a masking technique on all user input elements by default.  As an extra precaution, the JavaScript tag has added intelligence to prevent it from ever capturing a valid credit card number, utilizing the Luhn algorithm to identify potential credit card numbers and scrub them as an additional check prior to sending the anonymized data to the UserReplay environment.

Are there circumstances where Personal data can be captured?

Yes.  UserReplay offers multiple deployment options which allows the deployment of the solution within the website owners own security perimeter, where personal information is required, for instance, to meet a compliance requirement.

Do UserReplay collect Passwords?

No.  This field is redacted as part of the default settings of the service, so the entered information does not leave the browser. In addition, website owners who use the UserReplay solution can decide to either redact the password field or not to capture the password field at all.

Do you record sessions from mobile devices?

Yes. You can replay sessions that took place on any device types, including mobile phones and tablets, and the replay will show exactly what was seen by the user of the website.

Regardless of device type, the same masking approach to redacting personal data is taken.

How is the data transferred?

All communication with the UserReplay environment is asynchronous via an encrypted link (HTTPS) for all session data collected.

Where is the data that has been captured stored?

UserReplay can be deployed onto a number of different infrastructure environments, either running on hardware controlled by the owner of the website or in a cloud environment hosted by UserReplay or under the direct control of the website owner.

UserReplay can be deployed within any cloud hosting provider however UserReplay’s SaaS service is currently held in the UserReplay environment provided by Amazon Web Services.  The data is located in the same geography in which the website owner is based.  For customers based in the European Union, the data centers are currently located in the Republic of Ireland and Germany.

All session data within UserReplay is encrypted at rest.

How can the data that has been recorded be accessed?

Access to the UserReplay session data is highly restricted to the website owner via a secure web portal with a strict password policy and multi-factor authentication is available.

How long does UserReplay retain session data for?

The default length of time that session data is held in the UserReplay environment is 30 days, after which time the data is securely deleted.  We believe that this is a sufficient length of time for the website owner to use the data for the legitimate purpose for which it had been collected, although the automatic deletion policy can be altered depending on the needs of the customer.

Does UserReplay share any of its data with any third parties?

No.  UserReplay will never share the data it holds with any third parties (other than the storage of session data at AWS), unless required to do so by law.

Can information entered onto the website be redacted?

Yes. In order to comply with our customers’ privacy policies UserReplay has developed many tools to exceed our client requirements and security best practice in the scrubbing of sensitive data. Regardless of deployment option, all input field contents are not recorded or stored – they appear starred-out, or masked, during playback.

During the setup process, customers have the option to explicitly specify input fields they would like to reveal but this can only be configured if the field does not contain sensitive data. UserReplay regularly audit our SaaS environment to ensure we are not capturing sensitive data.

Is the process of masking data 100% accurate?

With the approach taken by UserReplay, the solution does not capture any user input elements by default, however there is the potential to capture personal data that is echoed back by the application in the response of a page (data echoed in input elements is still automatically scrubbed).

In order to prevent this data being captured, UserReplay provides a method to scrub DOM nodes matching given CSS selectors on pages where the URL matches a given regular expression. This allows all child nodes of nodes matching the CSS selectors to be either completely excluded from capture or all child text nodes to be obfuscated before transmission to the UserReplay environment.

Can a website visitor prevent their session from being recorded?

Yes.  UserReplay allows website owners to disable data collection from users who have Do Not Track (DNT) set in their browsers.

Do the visitors to the website know they are being recorded?

We contractually require all customers of UserReplay to maintain a privacy policy that complies with all laws in the jurisdictions in which they operate. We believe that the use of UserReplay indicates that a web-site owner cares about customer experience and customer service and we encourage openness about the use of the technology.

What external certifications does UserReplay have in place to prove it’s taking information security seriously?

The privacy of visitors to our client’s websites and the security of all types of data assets in our possession are of paramount importance to all of us at UserReplay.

UserReplay has been accredited under ISO/IEC 27001:2013 since March 2017 (certificate number IS662212).  This internationally recognized Information Security standard provides external validation that UserReplay takes the protection of any data within its control seriously, and evidences that it has the appropriate policies and procedures in place to provide the necessary technical, physical and procedural controls required to secure the data it holds.

In the UK, User Replay Limited is registered with the Information Commissioner (registration reference Z3581835).  UserReplay also complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States.  UserReplay has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.

UserReplay earns bsi ISO/IEC 27001 Information Security Management Certification
Click On the Image to View Certification

talk to an expert

The future of optimizing your digital customer experience is here. With UserReplay, it is easy to discover and monetize the revenue opportunities in your customer journey data.

Please fill in the form and a subject matter expert will be in touch with you right away. It could be the most valuable 3 minutes you spend this year.