Unmind takes the security of our user data incredibly seriously.

We…

  • encrypt all data in transit using TLS
  • encrypt user data at rest using AES-256
  • perform regular security audits
  • rely on Amazon Web Services to ensure that our infrastructure is scalable and kept up to date with security patches
  • monitor an incoming security email address (security@unmind.io) for urgent notices and security threats so that we can respond to them within 24 hours

My userId is visible, should I be worried?

In order to send data to us there needs to be a unique identifier. All services operate similarly—Google Analytics, Segment, HubSpot, Intercom, etc. Sometimes it’s called an API key, application token, and so on. In our case, it is the userId.

To store your data, this key must be exposed.

What if someone uses my userId maliciously?

If you suspect that your userId is being used maliciously, please contact us so we can change the keys for you as soon as possible.

What should I whitelist?

You can whitelist the following controls we load:

  • api.unmind.com
  • chat.unmind.com
  • cdn.unmind.com

Do you run certified audits?

We currently do not.

Do you run independent security audits?

We’re currently formulating a plan to work with NCC Group UK for our independent audits every 12 months.

Do you run background checks on employees with access to data?

Yes.

Where is your source code hosted?

On Bitbucket.

How long is data stored?

Indefinitely in Amazon S3, but it’s not stored or accessible anywhere else.

For corporate customers, we can set custom data retention policies.

What level of encrypted connections do you support?

In general, we try to use the most up-to-date protocol versions, which are set up as part of the ELB security policy.

Is a documented data breach notification process in place?

Yes. If we find there is a data breach, we will immediately alert all affected customers via email once the breach has been patched. At that time, we will also reset any passwords or sensitive credentials which may have been leaked as part of the breach.

Is a documented data retention/disposal policy in place?

Unless otherwise specified, we keep customer data indefinitely. It’s possible to ask for expirations as part of our enterprise plans.

Are Disaster Recovery Plans / Business Continuity Plans updated and tested at least annually?

We’re currently formulating our disaster recovery plan. That being said, we make twice-daily backups of our database, replicate our servers across multiple availability zones and keep snapshots of the data in multiple S3 buckets.
