How Secure is Unito?

Security and privacy are core to everything we do, and our customers trust us to do everything we can to keep their data safe. Here’s why.

Product security

Unito exists to shape the flow of work, which means your most important work is flowing through multiple tools. We take the security of that work very seriously. Here's what we're doing to keep your data safe.

Customer data

We never store the data in your work items. Here's a breakdown of how we process tool data:

  • Work item data: We sync information between tools by computing checksums of field data. Only these checksums are stored, not your actual data.
  • Data flow: We hash any changed task into a checksum and compare it to the stored checksum, which enables change detection and syncing without storing any of your data. Once we’ve confirmed a change, we request the task information from one side and immediately replicate it to the other. The data lives briefly in system memory, but is never stored.
  • User data: We store the name and email of each active user to accurately sync them across tools. This data is stored in our environment and deleted upon request at the end of the contract.
  • Payment information: Your payment information is never stored on our servers; it is forwarded to a third party, Stripe. Visit Stripe’s security webpage for more details.
  • File data: We never store file data (i.e. attachments). For non-streaming attachments we only sync the attachment link, not the attachment itself. If using our attachment streaming feature, we still don't store anything, but we do access it transiently in memory, as we are streaming it to you. Read more on how we sync file attachments.
  • Encryption: While in transit between tools, data is encrypted through HTTPS with TLS 1.2. Data at rest is encrypted with strong algorithms at least as good as AES 256.
  • Visit this page to learn more about how Unito manages personal data.
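
A sketch of the checksum-based change detection described in the list above, as an added example rather than Unito's own code. The `store` dict, the `replicate` callback, the per-field granularity and the keyed HMAC-SHA256 digest are all assumptions, since the page does not name its checksum algorithm or storage layout.

```python
import hashlib
import hmac
import json

# Constructed demo key; a keyed digest is an assumption made here so that
# short, guessable field values cannot be recovered from a stored checksum.
KEY = b"constructed-demo-key"


def field_checksums(task):
    """Map each field name to a digest of its canonical JSON value."""
    sums = {}
    for name, value in task.items():
        blob = json.dumps(value, sort_keys=True, separators=(",", ":"))
        msg = name.encode() + b"\x00" + blob.encode()
        sums[name] = hmac.new(KEY, msg, hashlib.sha256).hexdigest()
    return sums


def sync_once(store, item_id, task, replicate):
    """Detect changed fields by checksum, replicate them, persist digests only.

    store     -- dict standing in for the database: item_id -> {field: digest}
    replicate -- callable that pushes {field: value} to the other tool
    """
    old = store.get(item_id, {})
    new = field_checksums(task)
    changed = sorted(
        f for f in new.keys() | old.keys()
        if not hmac.compare_digest(new.get(f, ""), old.get(f, ""))
    )
    if changed:
        # Field values exist only in this call frame; None marks a removed field.
        replicate({f: task.get(f) for f in changed})
        store[item_id] = new
    return changed


# Constructed sample work item, synced three times with one edit in between.
store, pushed = {}, []
task = {"title": "Rotate API keys", "status": "open", "assignee": "dana"}
first = sync_once(store, "T-1", task, pushed.append)
task["status"] = "done"
second = sync_once(store, "T-1", task, pushed.append)
third = sync_once(store, "T-1", task, pushed.append)
```

After the three runs, `store` holds only hex digests, and the second run replicated the single changed field.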

Authentication

Simplicity, without compromise on security. You can sign up with an email and password or with the OAuth2 protocol. Each tool account must go through the OAuth2 protocol before being added to a Unito workspace.

High availability

Here's what we're doing to ensure high availability:

  • Regular performance benchmarking
  • Production monitoring and alerts
  • On-call engineer rotation
  • Fast and continuous deployment
  • Industry standard cloud-based security compliance

Permissions

Unito workspaces with Company and Enterprise plans have one or more administrators. These administrators can control permissions for every other member, giving them complete control over the security of your workflows.

Application security and infrastructure

Logging and monitoring

Unito's infrastructure is constantly monitored by our engineers with technologies such as AWS CloudWatch and AWS GuardDuty to identify cybersecurity events, detect threats and ensure the effectiveness of our protective measures.

Alerts are triggered for unexpected security events so that our engineers can respond promptly.

Encryption

Transport Layer Security (TLS) version 2 is used to encrypt data in transit. Unito maintains an “A+” rating on Qualys SSL Labs tests.

AES 256 is used to encrypt data at rest.

Incident response

We use on-call engineer rotation and a fast, robust escalation process to guarantee prompt reaction to any security event.

Hosting and storage

Unito is hosted in Amazon Web Services (AWS) data centers located in the USA.

Penetration testing

We don't take our security for granted. An external penetration test is performed at least once a year.

Compliance

  • We comply with PCI DSS requirements. The self-assessment questionnaire (SAQ) is available upon request. Contact your sales representative with any questions.
  • We have completed the CAIQ self-assessment questionnaire from the Cloud Security Alliance. It is available upon request. Contact your sales representative with any questions.
  • Our latest penetration test reported no vulnerabilities on the OWASP Top 10.

SOC 2

We are continuously improving our internal security processes, and are actively working towards obtaining a SOC 2 Type II certification. The SOC 2 (System and Organization Controls) Type II report is a globally recognized security measure that rates a service provider's compliance with security, availability, and confidentiality best practices. More information on SOC 2 reports can be found here.

Privacy

Unito complies with:

  • The General Data Protection Regulation (GDPR), which came into effect in May 2018 and applies to the personal data of European residents.
  • The California Consumer Privacy Act (CCPA), which came into effect in January 2020 and applies to the personal data of California residents.
  • The Canadian privacy law.

See our privacy policy for more information. Contact us if you have any questions.

Other security features

Security is everyone’s business at Unito. We ensure that all our employees are properly trained and enabled to keep our clients' security and privacy at the core of their work. We also have a comprehensive software development process that puts security and privacy at the center of its processes.

Employee training

All our employees attend an annual cybersecurity and security awareness training session.

Confidentiality

All employees and contractors sign a confidentiality agreement before working with Unito.

Background checks

We perform background and reference checks on new hires to the extent permitted by local privacy legislation.

Need more information?

If you have any security-related questions or would like a deeper risk assessment, our security team is here to help.