Product Security
Permissions
Global access roles allow GetWhy admins to set role-based permission levels for each user account, and project-level access controls allow permission levels to be set for specific projects.
Secure passwords
GetWhy enforces a password complexity standard, and credentials are stored using BCrypt with unique salts.
Account verification for users
Users are required to validate their accounts via a link provided in an automated e-mail.
Permanent deletion
Users can delete projects and study data from GetWhy if they have the appropriate access rights. The platform has all the features necessary for users to delete data and be compliant with GDPR. When customers are conducting their own studies using the self-service platform, the customer is a data controller and must delete personal data from the platform according to the customer’s own data privacy policy.
When GetWhy is conducting a study on behalf of a customer, GetWhy acts as a data controller, and personal data is protected and deleted according to our privacy policy.
High availability
We ensure high availability with automated and manual testing, production monitoring, logging and alerts, fast continuous deployments, and industry-standard cloud infrastructure.
Infrastructure Security
Hosting and storage
GetWhy services and data are hosted in Amazon Web Services (AWS) facilities in the EU.
Encryption
In transit: Data moving between the browser and our servers is encrypted and authenticated using Transport Layer Security (TLS). At rest: Your data resides only in the production environment, where it is encrypted with AES-256.
Vulnerability scanning
GetWhy uses third-party security tools to scan for vulnerabilities, and our engineers respond to the issues raised. We have no open vulnerabilities in the OWASP Top 10 categories.
Penetration testing
We perform independent third-party manual penetration testing at least once per year and, depending on the risk assessment, also after major system changes. Contact us for a copy of the latest report.
Backup policy
Our backup processes ensure data and information consistency to the highest standards. We use AWS Backup for the data stores that contain customer data. Data is automatically backed up every 15 minutes, and daily backups are kept for 14 days. At the application level, we store activity logs in a centralised logging solution based on AWS Elasticsearch, Kibana and Logstash. Logs are retained for up to 15 days.
Monitoring & incident response
Production alerts are captured and automatically escalated. Outside office hours, our engineering team follows a best-effort response and escalation policy. Security and confidentiality incidents reported to support@getwhy.io or via our in-app support chat are resolved in accordance with our established incident policy.
Logging & audit trail
We log every user action performed in the system with a full audit trail.
Continuous delivery
We have a state-of-the-art agile software development lifecycle methodology and change management procedures. Our deployment method requires no downtime for the application.
Compliance
ISO 27001
GetWhy is compliant with the Information Security Management System ISO/IEC 27001 standard.
VSA
We have completed the Vendor Security Alliance (VSA) Core self-assessment questionnaire; contact us for a copy.
OWASP
The most recent penetration test reported no vulnerabilities on the OWASP Top 10.
SSL Labs score
GetWhy scores "A+" on the SSL Labs SSL Server Test.
GDPR ready
GDPR is baked into our business processes, security policies and employee training. A GDPR check is part of our risk assessment and internal audit. See our privacy policy.