Cues.ai is part of TWENTY THOUSAND LEAGUES Ltd. This security statement will explain how we keep our infrastructure safe and reliable.
"End user" refers to public user of cues.ai application hosted on a customer's website.
"Customer" refers to customer of cues.ai.
- The core functionality of cues.ai to display overlays is designed so we do not collect or store information on our servers in relation to how end users have navigated or interacted with a customer's website running the cues.ai application. This data is non-identifiable and is only stored within local storage on the end user's device.
- Cues.ai authorises access to its systems that store or process end user and customer data, based on the principle of least privilege (PoLP).
- By default, cues.ai does not collect any personally identifiable information about end users.
- When additional lead capture functionality is utilised to collect personal information via native forms served within cues.ai, the end user's submitted data is encrypted at rest with 256-bit encryption and stored in databases based in the United Kingdom.
- Any personally identifiable information or website interaction data captured and/or used by cues.ai is not shared between cues.ai customers.
- Data connections to third-party services such as Zapier authenticate using OAuth2 and all communications are over HTTPS using 4096-bit RSA keys.
- Analytical reporting is supplied via the customer's Google Analytics account and is therefore subject to Google's privacy terms, which can be found here.
- The end user's usage data recorded on cues.ai customers' websites persists indefinitely on the user's device.
- Data captured via forms is stored for up to 90 days after expiry of the lead capture form, and can be deleted upon request.
- Data at rest captured via native cues forms is encrypted with 256-bit encryption and stored within databases located within the United Kingdom.
- Web server logs, which as standard contain a log of end users' IP addresses alongside the public file requested from our servers, are stored for 15 days and then permanently deleted.
- Cues.ai runs in the cloud and does not manage its own routers, load balancers, DNS servers, or physical servers.
- The cues.ai servers leverage firewall protection within a secure VPN.
- The majority of cues.ai services are hosted on Digital Ocean and Amazon AWS infrastructure, both of which are based in the United Kingdom.
- Digital Ocean and Amazon AWS operate with best-in-class security processes. You can read about this for Digital Ocean here and Amazon AWS here.
- Servers are backed up daily and the backups are encrypted.
- All cues.ai web application communications are made over HTTPS with certificates signed using 4096-bit RSA keys.
- No public SSH is allowed and staff access to servers is based on PoLP.
- Cues.ai infrastructure aims to achieve a 99.9% uptime. In the event of an outage, cues.ai fails gracefully and does not impact customer website performance.
- Cues.ai new employees and/or internal transfers are required to go through an official recruiting process, during which their qualifications and experience are checked to ensure that they are competent and capable of fulfilling their responsibilities.
- Access to infrastructure, repositories and code review tools is removed from terminated employees within 24 hours.
- Cues.ai has formal guidelines for passwords used to access admin tools. Raw passwords are not stored on servers and are hashed with an algorithm that uses 256-bit encryption.
- Employee access to admin systems where customer data such as configuration files related to the operation of the cues.ai application can be viewed or edited is highly restricted, operating to the PoLP.
How to contact us
If you have any questions about this security statement, please do not hesitate to contact us below:
Email us at: firstname.lastname@example.org
Call us: +44 (0)20 8050 1284
Or write to us at: 67 Church Road, Hove BN3 2BD