Data Safety, Privacy & Security

Your site and user data are safe with WebMaxy. There are a number of steps we take to ensure you are the only person who can access your site data and that your users’ privacy is respected.

Data storage #

User and usage data that WebMaxy collects through its software is stored in North Virginia, on the Amazon Web Services infrastructure, us-east-1 data centers. Our application and database servers run inside an Amazon Virtual Private Cloud (VPC). Access to the VPC is limited to WebMaxy team members on a need-to-know basis. Data stores within the VPC are not directly exposed to the internet. Only systems with a direct technical need are exposed (e.g. frontend web servers, load balancers, and other systems, which directly serve customer traffic).

For exception-based logging, WebMaxy has designated sub-processors which are based outside of the EU. WebMaxy uses these designated sub-processors to provide reliable service to its users for infrastructure and application monitoring. The data they process is used solely by WebMaxy engineering team to operate and improve the software’s reliability. It is not queried or used for any other purposes.

Back to top

User privacy #

  • Site users are assigned a unique user identifier, UUID, so that WebMaxy can keep track of returning users without relying on any personal information, such as the IP address.
  • IP addresses of users are always suppressed before being stored using WebMaxy core featureset. We set the last octet of IPv4 addresses, all connections to WebMaxy are made via IPv4, to 0 to ensure the full IP address is never written to disk. For example, if a user’s IP address is 1.2.3.4, it will be stored as 1.2.3.0. The first three octets of the IP address are only used to determine the geographic location of the user.

IP Addresses can optionally be passed to WebMaxy as a User Attribute #

In the case of IP addresses passed to WebMaxy via the Identify API, IP addresses will be stored. They are subject to the same privacy requirements as any other personal information passed to WebMaxy. This includes requiring user consent, and for you to have accepted our Data Processing Agreement.

When collecting data with Recordings, WebMaxy automatically suppresses keystroke data on all input fields. In all cases, the data is suppressed client-side, the user’s browser, which means it never reaches our servers.

Data collection and transmission #

  • Firewalls are in place exposing only the necessary ports through the internet and between different servers. Intrusion protection system (IPS) software is in place as a second layer of security, which will block access as soon as any suspicious login activity is detected.
  • WebMaxy  transmits data from the user’s browser to our system using HTTPS.
  • The protocols and ciphers suite used to encrypt data in transit are available at the end of this article.

Back to top

Data access and authentication #

Only WebMaxy engineers who require such access to perform their job efficiently are given this type of access. Different engineers are given different access rights on different system components as well depending on what their job requires. Engineers who do have access, have their own credentials and these are only valid when used from specific IPs. SSH Key-Based authentication is used for server access. 

Data collected through WebMaxy is exclusively reserved for use by our users and customers. WebMaxy does not make use of the data collected in any form or way unless consent is officially given by an admin of the WebMaxy account, clearly outlining what the data will be used for.

Back to top

Data access and backup #

At WebMaxy we use Database replication to keep your data safe in the case of system failure. Full database backups are taken every day, stored on Amazon Cloud Storage (AWS S3), and kept for three days as an electronic copy. In case two or more database nodes would fail concurrently we would have to revert to a backup.

Data back up does not apply to User Recordings #

All Recording data is currently not backed up.

Back to top

Compliances, Certificates, and Audits #

WebMaxy utilizes Amazon Web Services (AWS) where our client data resides. Certifications and audit reports for AWS are:

WebMaxy has completed a self-assessment process (SAQ-A) that permits us to accept card-not-present payments by fully outsourcing all cardholder data functions to our PCI-DSS compliant third-party vendor, Braintree, with no electronic storage, processing or transmission of any cardholder data on WebMaxy’s infrastructure.

Back to top

WebMaxy Architecture & Security #

Data in transit is encrypted using the following protocols and ciphers:

SSL Protocols
TLSv1.2

SSL Ciphers

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_AES_128_CBC_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA256

Updating your Privacy Policy for use with WebMaxy #

As a company based in the European Union, our technology and processes adhere to the strictest legal privacy requirements. In fact, we engaged a specialized law firm to assist us with the process of drafting a policy that is suitable for us, as well as for WebMaxy users around the world.

While we always recommend you seek legal advice within your territory, we suggest you review the provisions of our Privacy Policy and ensure your own policy mirrors the same principles we have included at https://support.webmaxy.com/support/privacy/.

Back to top

Copyright @ 2022 WebMaxy | All rights reserved.