We believe that the use of UserReplay indicates that a site owner cares about customer experience and customer service. We encourage openness about the use of the technology. Our software has stringent security measures and proven use cases extending to the detection and prevention of fraudulent activity.


Data Security and Privacy FAQs

Question:
What Does UserReplay record?
What is UserReplay’s approach to the processing of personal data?
Are there circumstances where Personal data can be captured?
Do UserReplay collect Passwords?
Do you record sessions from mobile devices?
How is the data transferred?
Where is the data that has been captured stored?
How can the data that has been recorded be accessed?
How long does UserReplay retain session data for?
Does UserReplay share any of its data with any third parties?
Can information entered onto the website be redacted?
Is the process of masking data 100% accurate?
Can a website visitor prevent their session from being recorded?
Do the visitors to the website know they are being recorded?
What external certifications does UserReplay have in place to prove it’s taking information security seriously?
 
A: UserReplay records the HTML that was shown to the individual website visitor along with the interactions they make with the site (mouse movements, clicking, interacting with forms) as well as any changes that these actions make to the page (expanding/collapsing parts of the screen, hovering over menus etc.). UserReplay does not record the assets referenced by the page (images, style sheets etc.). All data sent to UserReplay is encrypted in transit. All data entered by the website visitors can be redacted so that this cannot be seen by anyone during the replay of the session, the data redaction occurs in the website visitor’s browser and as such is never transmitted to UserReplay.
A: UserReplay does not allow the capture of personal data within its own environment. Personal data is redacted at the first point of contact, in the website visitor’s browser. In addition to automated monitoring we regularly audit our implementations manually to ensure we are not collecting personal data. It is essential that no personal data such as passwords, contact details or payment details are ever sent to UserReplay. To facilitate this, UserReplay has implemented a whitelist approach to scrubbing (Scrubbing is a term used by UserReplay to describe either completely excluding content from capture or masking textual content by obfuscating the characters). This approach means we scrub pages using a masking technique on all user input elements by default. As an extra precaution, the JavaScript tag has added intelligence to prevent it from ever capturing a valid credit card number, utilizing the Luhn algorithm to identify potential credit card numbers and scrub them as an additional check prior to sending the anonymized data to the UserReplay environment.
A: Yes. UserReplay offers multiple deployment options which allows the deployment of the solution within the website owners own security perimeter, where personal information is required, for instance, to meet a compliance requirement.
A: No. This field is redacted as part of the default settings of the service, so the entered information does not leave the browser. In addition, website owners who use the UserReplay solution can decide to either redact the password field or not to capture the password field at all.
A: Yes. You can replay sessions that took place on any device types, including mobile phones and tablets, and the replay will show exactly what was seen by the user of the website. Regardless of device type, the same masking approach to redacting personal data is taken.
A: All communication with the UserReplay environment is asynchronous via an encrypted link (HTTPS) for all session data collected.
A: UserReplay can be deployed onto a number of different infrastructure environments, either running on hardware controlled by the owner of the website or in a cloud environment hosted by UserReplay or under the direct control of the website owner. UserReplay can be deployed within any cloud hosting provider however UserReplay’s SaaS service is currently held in the UserReplay environment provided by Amazon Web Services or Google Cloud Platform. The data is located in the same geography in which the website owner is based. For customers based in the European Union, the data centers are currently located in the Republic of Ireland and Germany. All session data within UserReplay is encrypted at rest.
A: Access to the UserReplay session data is highly restricted to the website owner via a secure web portal with a strict password policy and multi-factor authentication is available.
A: The default length of time that session data is held in the UserReplay environment is 30 days, after which time the data is securely deleted. We believe that this is a sufficient length of time for the website owner to use the data for the legitimate purpose for which it had been collected, although the automatic deletion policy can be altered depending on the needs of the customer.
A: No. UserReplay will never share the data it holds with any third parties (other than the storage of session data at AWS/Google), unless required to do so by law.
A: Yes. In order to comply with our customers’ privacy policies UserReplay has developed many tools to exceed our client requirements and security best practice in the scrubbing of sensitive data. Regardless of deployment option, all input field contents are not recorded or stored – they appear starred-out, or masked, during playback. During the setup process, customers have the option to explicitly specify input fields they would like to reveal but this can only be configured if the field does not contain sensitive data. UserReplay regularly audit our SaaS environment to ensure we are not capturing sensitive data.
A: With the approach taken by UserReplay, the solution does not capture any user input elements by default, however there is the potential to capture personal data that is echoed back by the application in the response of a page (data echoed in input elements is still automatically scrubbed). In order to prevent this data being captured, UserReplay provides a method to scrub DOM nodes matching given CSS selectors on pages where the URL matches a given regular expression. This allows all child nodes of nodes matching the CSS selectors to be either completely excluded from capture or all child text nodes to be obfuscated before transmission to the UserReplay environment.
A: Yes. UserReplay allows website owners to disable data collection from users who have Do Not Track (DNT) set in their browsers.
A: We contractually require all customers of UserReplay to maintain a privacy policy that complies with all laws in the jurisdictions in which they operate. We believe that the use of UserReplay indicates that a web-site owner cares about customer experience and customer service and we encourage openness about the use of the technology.
A: The privacy of visitors to our client’s websites and the security of all types of data assets in our possession are of paramount importance to all of us at UserReplay. UserReplay has been accredited under ISO/IEC 27001:2013 since March 2017 (certificate number IS662212). This internationally recognized Information Security standard provides external validation that UserReplay takes the protection of any data within its control seriously, and evidences that it has the appropriate policies and procedures in place to provide the necessary technical, physical and procedural controls required to secure the data it holds. In the UK, User Replay Limited is registered with the Information Commissioner (registration reference Z3581835). UserReplay also complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. UserReplay has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.