Security and Compliance:
Security at Unique AG - Whitepaper
ORGANIZATIONAL SECURITY
Unique’s security organization, led by our Chief Information Security Officer (CISO), is responsible for the implementation and management of our Information Security Management System (ISMS). The goal of the security organization is to ensure that our customers’ data is adequately protected, and risks are minimised.
Unique’s Operational Security Manager supports the CISO by heading operational security efforts across development teams, providers, and service partners. They focus on security architecture, product security, DevSecOps (integrating security into the development and operations lifecycle), incident detection and response, as well as compliance.
Unique’s security organization regularly reviews risks, redefines security goals, and continuously improves the ISMS, adapting it to changing conditions.
PRODUCT SECURITY
The goal of Unique’s product security efforts is to prevent unauthorized access to customer data. Unique chose Microsoft Azure™ as its platform and partnered with Microsoft through co-sell agreements. All data stored by the Unique service is hosted in the Microsoft Azure™ cloud in Switzerland.
Secure by design
Unique’s product organization is working with a secure software development lifecycle (SSDLC) that integrates security efforts into all product development activities.
By implementing this SSDLC, the product organization strives to identify and minimize risk as early as possible and to catch vulnerabilities before the product reaches production systems.
Encryption
Data in transit: All data transmitted between the Unique service and Unique clients is encrypted using TLS 1.2 or higher.
Data at rest: All media data stored by the Unique service, in particular recorded video and audio data, is encrypted at rest using FIPS 140-2 compliant AES-256 encryption, leveraging Microsoft Azure™ storage encryption for data at rest.
All customer data stored by the Unique service in our database is encrypted at rest. Unique uses logical data separation to separate data originating from different customers.
Data availability
Unique’s databases run automatic backups to ensure rapid restoration of data when needed.
Network security
Unique uses physical data separation between production and testing environments.
Public network access to Unique’s production and testing environments is restricted so that only the necessary services are reachable from the internet.
Unique logs and monitors all system calls and has alerting implemented for security-relevant events.
Access control
Unique minimizes the risk of data exposure by adhering to the least-privilege principle, using role-based access control (RBAC) for employees who need access to privileged systems or services. All access expires automatically and must be renewed at defined intervals.
Unique enforces two-factor authentication (2FA) for access to privileged systems or services and for data center operations.
Unique requires employees to use a password manager approved and provided by Unique. Employees must generate complex, unique passwords for every service and use the two-factor authentication integrated in the password manager wherever possible.
Monitoring, logging, and alerting
Unique monitors all services and has alerting implemented for security-relevant events.
Data retention and disposal
Unique hard deletes customer data immediately upon deletion by the user.
Unique hard deletes all customer data after termination of contract. This includes all data stored in Unique’s database and all media data stored on Unique’s media storage.
Unique’s backups of customer data are destroyed within 30 days after contract ends.
Unique’s production logs have a retention period of 90 days, so any logs relating to a customer are deleted at the latest 90 days after the contract ends.
Disaster recovery
Unique’s database and media files are distributed across separate physical locations in our provider’s infrastructure to protect the service from location-specific failures.
Service providers
Unique uses service providers to offer our service to our customers efficiently. Unique has established agreements with our service providers requiring them to adhere to the confidentiality commitments we have given to our customers. Unique regularly reviews the service providers’ controls.
External validation
Unique is continuously improving the effectiveness of our security controls. Unique has an internal audit process as well as ISO 27001 and ISO 9001 certifications, which can be downloaded from the website or requested directly.
Unique regularly schedules pen-tests against our product and infrastructure. Findings are added to Unique’s risk register, triaged, and remediated according to their severity. Customers are encouraged to perform their own security control assessments or pen-tests on Unique’s environment, but must contact Unique before doing so.
Asking for Consent to Record with Unique
Why Ask?
As a SaaS service provider, it is important for us to follow the General Data Protection Regulation (GDPR) and manage its impact on user data privacy. GDPR is a set of data protection laws that govern the processing of personal data of individuals in the European Union (EU) and the European Economic Area (EEA). GDPR requires that personal data is collected, processed and stored on a lawful basis; for call and meeting recordings, that basis is in practice the explicit consent of the people being recorded. Therefore, you should always make sure that you ask for permission to record.
What does asking for consent mean?
According to GDPR, consent is defined as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
How to Ask when using Unique?
Make it an option with no pressure on the prospect or client, and be open about the benefits for the client.
It must be clear to your users what you are asking for, why you need it, how you will use it, and how long you will keep it.
Consent must be specific, informed, and unambiguous, so your users must clearly understand what they are agreeing to.
Examples of how to ask:
“Is it okay for you if I record this call? This way I can send you a better follow-up summary and next steps.”
“Is it okay for you if I record this call? We use recordings for learning purposes, which means we can provide our customers a better service.”
Other ways on how recorded data could be used:
Note-taking for requirements collection
Internal coaching
Product Feedback
Conversation Analysis
Internal Documentation
When to ask?
It depends on your internal process, role, and context:
Online Recording:
For the majority of client calls, ask for consent upfront; you can do this verbally before you start recording.
You can also ask for permission via email prior to the online meeting. Unique has developed consent pages for Outlook and Google Calendar users.
More details can be found here: Configure your Unique Meetings
For prospecting calls, where there is a risk of damaging the initial client conversation, you can inform the client that the call is being recorded, outline the purpose of the recording, and then give the client the option to have the recording deleted.
On-Site Recording with Unique's mobile app:
For salespeople who are focused on prospecting or having initial meetings with clients they have not met before, it might be worthwhile to ask after the initial relationship has been established with the client (i.e. after the small talk).
For clients with whom you have an existing relationship, you can set the expectations upfront via email or a telephone conversation.
What happens with your client's data after Recording with Unique?
Can the recording be deleted?
Yes, we have a hard delete option, and any recording can be permanently deleted from Unique's Swiss-based data centre.
How long will the recording be stored in your Unique app?
It is to be defined by every organization individually and depends on the purpose of the recording.
As an example, if the recording is used for internal coaching or better documentation, then it may make sense to keep it in the database for as long as the client is working with you.
If the recording is used to share feedback internally, it might make sense to delete it after the feedback has been shared.
More info regarding Data Protection and Security at Unique?
Unique Data Privacy: Privacy Policy
Unique Security Measures: https://help.unique.app/en/articles/6405003-security-at-unique-ag-whitepaper
How to reset your password for Microsoft SSO users
If you forgot your Unique password as a Microsoft SSO user, follow these steps:
Step 1: Go to www.unique.app
Step 2: Log in with your Microsoft account by clicking on “Sign in with Microsoft”
Step 3: Click on your name in the top right corner and then “Settings”
Step 4: Enter a new password and save it
For non-SSO users, reach out to our support team via the help section on unique.app.
Authors: Tom Hobbs, Enerel Khuyag
© 2024 Unique AG. All rights reserved. Privacy Policy – Terms of Service