Security Statement

Updated 21/06/2021

Cues.ai is part of TWENTY THOUSAND LEAGUES Ltd. This security statement will explain how we keep our infrastructure safe and reliable.

"End user" refers to a public user of the cues.ai application hosted on a customer's website.

"Customer" refers to a customer of cues.ai.

Data security

  • The core functionality of cues.ai to display overlays is designed so we do not collect or store information on our servers in relation to how end users have navigated or interacted with a customer's website running the cues.ai application. This data is non-identifiable and is only stored within local storage on the end user's device.
  • Cues.ai authorises access to its systems that store or process end user and customer data, based on the principle of least privilege (PoLP).
  • By default, the cues.ai application itself does not collect any personally identifiable information about end users.
  • When additional lead capture functionality is used to collect personal information via native forms served within cues.ai, the end user's submitted data is encrypted at rest with 256-bit encryption and stored in databases based in the United Kingdom.
  • Lead capture data cannot be sent to the cues.ai servers without the additional lead capture tracking script – this is a premium feature and is not a prerequisite to the core functionality of cues.ai.
  • Any personally identifiable information or website interaction data captured and/or used by cues.ai is not shared between cues.ai customers.
  • Data connections to third-party services such as Zapier authenticate using OAuth2 and all communications are over HTTPS using 4096-bit RSA keys.
  • Analytical reporting is supplied via the customer's Google Analytics account and is thus subject to Google's privacy terms, which can be found here.

Data retention

  • The end user's usage data recorded on cues.ai customers' websites persists indefinitely on the user's device.
  • Standard web server logs, which include the user's IP and browser user agent information, are stored for 15 days and are then permanently deleted.
  • Data captured via forms is stored for up to 90 days after expiry of the lead capture form.
  • Data captured via forms can be deleted in bulk. Individual records can be accessed by a systems administrator and deleted on request.
  • Data at rest captured via native cues forms is encrypted with 256-bit encryption and stored within databases located within the United Kingdom.
  • Web server logs, which as standard contain a log of end users' IP addresses alongside the public file requested from our servers, are stored for 15 days and then permanently deleted.

Infrastructure

  • Cues.ai runs in the cloud and does not manage its own routers, load balancers, DNS servers, or physical servers.
  • The cues.ai servers leverage firewall protection within a secure VPN.
  • The majority of cues.ai services are hosted on Digital Ocean and Amazon AWS infrastructure, both of which are based in the United Kingdom.
  • Digital Ocean and Amazon AWS operate with best-in-class security processes. You can read about this for Digital Ocean here and Amazon AWS here.
  • Servers are backed up daily and the backups are encrypted.
  • All cues.ai web application communications are made over HTTPS with certificates signed using 4096-bit RSA keys.
  • No public SSH is allowed and staff access to servers is based on PoLP.
  • Cues.ai infrastructure aims to achieve a 99.9% uptime. In the event of an outage, cues.ai fails gracefully and does not impact customer website performance.

Organisational security

  • Cues.ai new employees and/or internal transfers are required to go through an official recruiting process, during which their qualifications and experience are checked to ensure that they are competent and capable of fulfilling their responsibilities.
  • Access to infrastructure, repositories and code review tools is removed from terminated employees within 24 hours.
  • Cues.ai has formal guidelines for passwords used to access admin tools. Raw passwords are not stored on servers and are hashed with an algorithm that uses 256-bit encryption.
  • Two-factor authentication is used on all admin platforms.
  • Employee access to admin systems where customer data, such as configuration files related to the operation of the cues.ai application, can be viewed or edited is highly restricted, operating to the PoLP.

How to contact us

If you have any questions about this security statement, please do not hesitate to contact us below:

Email us at: enquiries@twentythousandleagues.co.uk

Call us: +44 (0)20 8050 1284

Or write to us at: 30 Brunswick Rd, Shoreham-by-Sea BN43 5WB
