Security Standards

GDPR
SOC 2
HIPAA

Attention Insight is an attention analytics platform used by hundreds of companies, agencies, and solopreneurs to optimize designs, boost conversion rates, and validate early-stage concepts. We are an EU company and follow recognised standards to protect the security of our systems, our data, and our customers. We take our customers' and their users' data very seriously. Attention Insight takes full responsibility for all data processed through the platform and our plugins. Our data is encrypted, managed, and stored with the SOC-compliant vendor Google Cloud.


Security

All data handled and processed through the Attention Insight platform is secured against unauthorized access. Only a limited set of authorized Attention Insight personnel may access such data, and they must authenticate whenever it is accessed. We have also taken robust measures to prevent unauthorized access, theft, and manipulation of data. Access reviews are performed at onboarding and offboarding, and routinely once every quarter.

Data encryption

We use AES-256 encryption for data at rest and TLS 1.3 for data in transit (Qualys SSL Labs gives us an A+ rating).

All authentication keys are stored hashed, and we use GCP tooling to manage production secrets.

All customer-uploaded files are encrypted in storage and have no direct public access. Every file access is authenticated and subject to fine-grained access control.

Product security

Account access is controlled, with transparent and fine-grained control over user permissions. SSO integration can be set up for enterprise customers, and Multi-Factor Authentication (MFA) can be enabled as an additional layer of security. Customer super users manage users on the platform themselves and can add or remove any user.

Customers can configure how long uploaded data is retained on the platform before it is automatically removed.

Network and application security

We use Cloudflare to manage our external network edge and mitigate network attacks. Access to our internal services goes through Identity-Aware Proxies combined with IP allowlisting.

We regularly update our application and its third-party libraries to pick up the latest security fixes.

We perform periodic automated vulnerability scanning of our application.

Additional features

Attention Insight platform does not require any installation on Customer-side websites, servers or infrastructure. We do not collect any data on behalf of customers. All data (images/video) is uploaded directly to the platform or via API by the Customer.

All credit card payments made to Attention Insight go through Stripe. Details about their security setup and PCI compliance can be found on Stripe’s security page.

The development and testing environments are fully separated and isolated from the production environment.

Automated testing runs at all application levels (frontend, backend, and internal services) as part of the CI/CD process.

Incident Response

At Attention Insight, we take any potential security incident very seriously. We have established a comprehensive Incident Response protocol designed to rapidly detect, contain, and resolve any security events, ensuring that any impact on our customers is minimized.

Our Incident Response Process Includes:

  • Identification:
    Our systems are continuously monitored through advanced automated tools and periodic manual reviews. If any unusual activity or anomaly is detected, our dedicated security team initiates a thorough investigation immediately.
  • Containment:
    Once an incident is confirmed, we promptly isolate affected systems and implement measures to prevent further spread. This containment step is crucial to minimize potential damage.
  • Eradication:
    We work swiftly to eliminate the root cause of the incident. This includes removing any malicious components, patching vulnerabilities, and taking steps to ensure that similar incidents cannot recur.
  • Recovery:
    Our team restores systems and services to normal operation as quickly and securely as possible. We verify that all affected components are secure and that all data integrity is maintained during the recovery process.
  • Post-Incident Analysis:
    After an incident is resolved, we conduct a comprehensive review to understand what occurred, evaluate the effectiveness of our response, and implement any necessary improvements. This continuous learning process helps us enhance our security measures over time.


Always Here to Help:

Our Incident Response team is available 24/7. If you suspect any security issues or observe unusual activity, please contact us immediately. You can reach us through Intercom or by emailing [email protected]. We are committed to transparent and timely communication throughout the incident management process.

Employee & Operational Security

At Attention Insight, we believe that robust security begins with a strong foundation in employee and operational practices. Our comprehensive approach ensures that every team member is equipped and empowered to safeguard our systems and your data.

Employee Security

  • Rigorous Hiring and Background Checks:
    Every prospective employee undergoes a thorough vetting process, including background checks and reference verifications, to ensure they meet our strict security standards.
  • Mandatory Security Training:
    All employees participate in regular security awareness and best practices training. This includes training on data protection, phishing prevention, and secure data handling to keep our team informed about emerging threats.
  • Confidentiality and Compliance Agreements:
    Each team member signs confidentiality agreements and is contractually bound to adhere to our internal security policies, ensuring that sensitive information is protected at all times.
  • Access Management:
    Access to customer data and internal systems is granted on a strict need-to-know basis, enforced through role-based access controls and multi-factor authentication. Regular reviews ensure that permissions are up-to-date and limited only to those who require them for their work.

2FA is mandatory on all internal/external services for all employees.

Operational Security

  • Environment Segregation:
    We maintain a strict separation between our development, testing, and production environments. This minimizes the risk of accidental data exposure and ensures that sensitive customer data is handled only within secure, controlled environments.
  • Continuous Monitoring and Auditing:
    Our operational systems are continuously monitored using advanced tools to detect and respond to any unusual activity. Regular internal audits and security assessments help us identify and address potential vulnerabilities proactively.
  • Secure Development Practices:
    Security is integrated throughout our development lifecycle—from design and coding to testing and deployment. Regular code reviews, automated testing, and vulnerability scans help ensure our platform remains secure against evolving threats.


Third-Party Vendor Oversight:

All third-party vendors and service providers are rigorously evaluated for compliance with our security standards. We require vendors to adhere to similar stringent security practices, ensuring end-to-end protection throughout our supply chain.

Availability

The Attention Insight platform architecture was built for maximum accessibility and uptime. Our website, platform, and API run as separate services in production, with redundant failover servers in place. Auto-scaling is enabled to absorb increased load or resource demand. All of our data is replicated in real time, and multiple backups are taken daily.

Availability can be checked at https://status.attentioninsight.com/ 

With Enterprise customers and API users, we can sign Service Level Agreements (SLAs) if needed.

Backups

We perform daily backups of all application data and configuration to multiple locations. Every backup is encrypted and access-controlled, and older backups are automatically expired.

Failover and Disaster Recovery

  • Our infrastructure and data are spread across multiple GCP availability zones and will continue to operate should any one of those data centers fail.
  • Virtual Private Cloud: all of our servers run inside our own VPC, protected by network access control lists (ACLs).
  • Permissions are controlled, and authentication is required and logged.
  • Access to customer data is limited to authorized employees who require it for their job; access requests are tracked in a ticketing system and monitored.
  • Incident Response: Attention Insight follows a protocol for handling security events that includes escalation procedures based on a risk rating.

GDPR Compliance

As the GDPR is the gold standard for data protection, customers and prospects can request our DPA, which describes the mechanisms and measures Attention Insight has implemented to honour the eight data subject rights defined in the EU's GDPR framework. The data deletion flow is described below if you would like to carry it out yourself; feel free to reach out to the Attention Insight team if you would prefer that we do it for you.

Subscription cancelation steps: 

  • Log in to the platform and click the Profile icon.
  • Click the Subscriptions item.
  • Go to the bottom of the Current Subscription page and click "cancel my subscription".

Account deletion steps:

  • Log in to the platform and click the Profile icon.
  • Click My Profile.
  • Click Delete Account.
  • Confirm the deletion by entering DELETE.


The account is marked for deletion and scheduled for the deletion process on the same day. Deletion removes the related records from our databases and the uploaded files from storage. A deleted account cannot be recovered.

Additionally, any user can set a retention interval for uploaded data (design images, video): 1 day, 1 week, 1 month, 3 months, 6 months, 1 year, or do not delete. Once the interval has elapsed, deletion happens automatically.

SOC2 Compliance

The SOC 2 standard is based on five "trust service principles": security, availability, processing integrity, confidentiality, and privacy. At Attention Insight we do our best to follow and implement these principles. Our platform:

  • Has access control backed by encryption of data at rest and in transit and by two-factor authentication. You can learn more about the technologies used to ensure data security in the report issued by a reputable, independent auditor.
  • Uses network and application firewalls
  • Has intrusion-detection mechanisms in place
  • Uses performance monitoring tools
  • Uses disaster recovery tools
  • Has security incident handling procedures in place
  • Uses quality assurance and process monitoring procedures

Current and potential customers of Attention Insight can be confident in the quality of its data protection mechanisms, and should they have any questions, they can contact us at [email protected].

HIPAA Compliance

Attention Insight ensures HIPAA compliance to demonstrate its commitment to providing the highest security standards for customers and potential prospects in the health industry. When clients opt to utilize the Attention Insight tool for attention analytics with Protected Health Information (PHI), they can trust in our adherence to the Health Insurance Portability and Accountability Act (HIPAA). This legislation establishes the benchmark for safeguarding sensitive patient data. Companies handling PHI are mandated to implement and adhere to robust physical, network, and procedural security measures. Covered entities, encompassing those involved in healthcare treatment, payment, and operations, as well as business associates with access to patient information and support roles, must meet HIPAA compliance requirements.

It is important to note that Attention Insight does not inherently process PHI. However, for customers who do store and process PHI, our application adheres to the HIPAA framework, providing a secure environment for handling sensitive health information.

Contact

To report any issues or request more information, please drop us an email at [email protected]
