Sticktail
Information Security & Policies

Company & contact information

Valsplat B.V.
Prins Hendrikkade 21E
1012TL Amsterdam
The Netherlands

If you need to contact a data privacy officer, please use the contact information above.

Information that is collected

The Sticktail platform allows you to share all kinds of research related information. This includes but is not limited to: research questions/research scope, participant requirements, research location(s), gathered insights, screenshots.

The platform also allows you to share contact information of the people responsible for conducting research within your organisation. For those people we may store their first and last name, role within the organisation, email address and telephone number. The platform does not store any personal information of research participants.

Although Sticktail hosts all data you enter, that data always belongs to you. We will never sell your data, deliberately make it accessible to any third party, or use it for the benefit of our own business.

Information deletion/anonymization policy

At this moment there is no automated deletion/anonymization policy. When you delete your account, your data is deleted from our servers manually as soon as possible.

Data protection notification & compliance

All employees working on Sticktail have a confidentiality (secrecy duty) clause in their contract. This prevents them from sharing information (research insights, other files, etc.) with other people. The confidentiality clause also prevents them from sharing this kind of information after their contract ends.

Our developers have access to all data you store on the Sticktail platform, but the confidentiality clause does not allow them to disclose any (sensitive) information that might be in there. Also, the information is only accessed when required for support or debugging.

Physical security

Sticktail is externally hosted on Amazon Web Services (AWS). AWS is ISO 27001 compliant, and the application runs entirely within the European AWS regions (eu-central, Germany, and eu-west, Ireland).

Application security

Sticktail is custom-written software. It is written in Python 3 and uses the Django framework. We also use PostgreSQL as the database, Elasticsearch for search and Redis for key/value storage. We follow industry best practices and patterns to make sure we develop secure software.

We protect access to our backend services (PostgreSQL, Elasticsearch, Redis) with ACLs and firewalls. Both the database and the file storage are located on AES-256 encrypted volumes. Backups are also encrypted.

All our code is managed with Git and hosted privately on GitHub (also best practice). As there are only 2 developers working on this project, all code is reviewed by everyone. There is no chance that unreviewed code makes it to the production environment. Only developers actively working on the project are able to deploy code to production.

Access to servers is restricted to our developers and our IT person. Access is granted via public key; no passwords are used. Only our developers have direct access to the database and file storage contents.
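The public-key-only server access described above is usually enforced in the SSH daemon configuration. The following is an added example, not Sticktail's own server configuration: it shows a stock-style sshd_config (password logins still effectively allowed) next to a hardened one, and a small check that verifies a config file actually enforces key-only logins. The file contents and paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Sticktail's configuration): verify that an sshd_config
# allows public-key logins only, as the policy above requires.

# Effective value of a directive: sshd uses the first uncommented occurrence,
# and directive names are case-insensitive. Prints nothing if absent.
# (Simplification: "Match" blocks are not modelled.)
sshd_value() {
    awk -v key="$2" 'tolower($1) == key { print tolower($2); exit }' "$1"
}

# Returns 0 when the config enforces key-only logins, 1 otherwise, printing a
# line per finding. Absent directives are evaluated at OpenSSH's defaults:
# PasswordAuthentication yes, PubkeyAuthentication yes,
# KbdInteractiveAuthentication yes (ChallengeResponseAuthentication is the
# older name for the same setting).
check_key_only_login() {
    cfg="$1"
    rc=0
    pw=$(sshd_value "$cfg" passwordauthentication)
    pk=$(sshd_value "$cfg" pubkeyauthentication)
    kbd=$(sshd_value "$cfg" kbdinteractiveauthentication)
    [ -z "$kbd" ] && kbd=$(sshd_value "$cfg" challengeresponseauthentication)

    if [ "${pw:-yes}" != "no" ]; then
        echo "$cfg: PasswordAuthentication is '${pw:-yes (default)}', expected no"
        rc=1
    fi
    if [ "${pk:-yes}" != "yes" ]; then
        echo "$cfg: PubkeyAuthentication is '$pk', expected yes"
        rc=1
    fi
    # With PAM enabled, keyboard-interactive authentication can still prompt
    # for a password even when PasswordAuthentication is off, so it must be
    # disabled as well.
    if [ "${kbd:-yes}" != "no" ]; then
        echo "$cfg: KbdInteractiveAuthentication is '${kbd:-yes (default)}', expected no"
        rc=1
    fi
    return $rc
}

# Constructed sample configs: a stock-style one (everything commented out, so
# the permissive defaults apply) and a hardened one.
WEAK_CFG=$(mktemp)
HARDENED_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG"' EXIT

cat > "$WEAK_CFG" <<'EOF'
# stock-style sshd_config: directives commented out, defaults apply
#PasswordAuthentication yes
#PubkeyAuthentication yes
EOF

cat > "$HARDENED_CFG" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
EOF

# Stand-alone run: the weak file reports findings, the hardened file passes.
check_key_only_login "$WEAK_CFG" && echo "$WEAK_CFG: OK"
check_key_only_login "$HARDENED_CFG" && echo "$HARDENED_CFG: OK"
```

The check reads the file the way sshd does (first uncommented match wins) rather than grepping for a string, so a commented-out `#PasswordAuthentication no` is correctly reported as still permitting passwords. Run it against `/etc/ssh/sshd_config` on a host to confirm the policy is actually in force; `sshd -T` prints the fully resolved effective configuration if Match blocks are in use.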

We don’t currently run any external vulnerability scanning tools, but are happy to do so at the request of a client (costs may apply). We don’t have a formal process for ensuring compliance with security standards, but all servers are updated on a weekly basis (critical updates are installed as soon as our vendors make them available). We’re not as big as Google :-).

Usage security

All contents on sticktailapp.com (except for our public marketing website) are protected with a username and password. This prevents unauthorized access to your files. The account owner is responsible for making sure strong passwords are used within the account and for deleting inactive accounts.

Authors of an insight can explicitly enable a ‘public shareable link’. In that case, the contents, images and files attached to that specific insight are available without logging in. At this time, we do not track who opens these links.

All information transmitted between users and our servers is sent over TLS 1.2 encrypted HTTPS.