As a user research application, we recognize the importance of excellent security practices. We are a small team, but work hard to adhere to best-practice security processes. This help section covers our security practices and policies.


Our backend server is hosted with Heroku, which is built on top of Amazon Web Services (AWS).

Amazon's data centre ops have been accredited under:

  • PCI Level 1

  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)

  • ISO 27001

  • FISMA Moderate

  • Sarbanes-Oxley (SOX)

You can find more information about Heroku's security practices here, and AWS security practices here.

Passwords and authentication

At sign-up, all user passwords are hashed using bcrypt before being stored.

Upon logging in, users are provided an authentication token, which is generated using JSON Web Token (JWT). This is valid for 4 days. All further interaction with the application is done by providing an authorization header using this token.

Physical security

As a cloud-based Software-as-a-Service provider we do not have our own physical data centres. All of our data storage is hosted via Amazon Web Services. You can see the AWS physical access policy here.

Data retention and backups

Data is frequently and regularly backed up in line with our Back-up Policy.

Users with Admin-permissions can control how long data associated with your Ribbon account is retained for using the Data Retention Settings in your account. For more information about how to use this setting, see our documentation.

Payment information security

To support subscribing to Ribbon plans, we've partnered with Stripe, a PCI Service Provider Level 1 certified and well-respected payments processor. When none of your credit card data is stored by Ribbon. You can learn more about Stripe's security practices here.

Did this answer your question?