Aurelius Security Overview
Written by Zack Naylor

Product Overview

Aurelius is a platform that helps you gather customer research data, analyze it, capture insights and have all that knowledge in one central, searchable place.

With Aurelius, you can take notes, transcribe audio and video recordings, tag data and use our AI features to help you find patterns and themes. You can create Key Insights of what you learned with attached supporting notes, data, documents. Aurelius allows you to organize, search and share all of your research data in one place.

All data entered into Aurelius is user-driven. This means that we do not collect any research notes, data, recordings or documents on your behalf - a user of Aurelius must enter any data into our system either manually or by setting up an integration to do so automatically.

General Security Practices

Access to servers, code, and third-party tools is secured with two-factor authentication. We also use strong, randomly generated passwords that are not re-used.

All users for any internal system are given the lowest level of access by default, which will still allow that role to complete its job function. Access to those systems is reviewed and managed regularly, especially with any personnel change. Only our CTO and CEO have access to systems with customer data; employees and/or contractors are never given access to production environments or systems that contain customer data or sensitive information. Any and all access is reviewed and granted by the CEO or CTO.

We automatically and manually scan for vulnerabilities to alert us of security issues. Updates are rapidly prioritized and patches released based on severity.

Production data is separated from test, QA and local development instances.

All employees or contractors sign an NDA before beginning any work with Aurelius.

Personally identifiable information (PII) and Protected Health Information (PHI)

Aurelius only collects PII from users of Aurelius: their name, email address and IP address.

Aurelius does not collect PII or PHI from your customers or research participants. Any such PII from those people is solely your responsibility and only entered into our system if you as a user do so. All users of Aurelius must obtain appropriate consent from their customers before gathering PII in any research session and especially before entering it into Aurelius.

How to use Aurelius without entering PII or PHI

  1. Obtain proper consent when doing any customer or user research.

  2. Redact all sensitive information that could contain PII or PHI before entering it into Aurelius.

  3. Instruct your research participants to use a code name or color to refer to themselves instead of using their real name.

  4. Avoid asking questions that may require them to share PII or PHI.

Security and Privacy Policy

We have a security policy written and reviewed by management on an annual basis. Our security policy is based on SOC 2 standards and we are currently pursuing SOC 2 type 2 certification.

The policy covers:

  • Security Incident Reporting

  • Mobile Device Use

  • Remote Access

  • Acceptable/Unacceptable Use

  • Email

  • Access Control

  • Asset Management

  • Business Continuity & Disaster Recovery

  • Cryptography

  • Data Management

  • Human Resources

  • Incident Response

  • Operational Security

  • Physical Security

  • Risk Management

  • Secure Development

  • Third Party Management

  • Compliance with laws and regulations

We make any of this policy documentation available for review upon request to customers in our Enterprise plan.

Feel free to review our public Security Policy and Privacy Policy.

Personnel security

We have formally documented processes and procedures for security and awareness training. All employees undergo training on a yearly basis which includes device security, password and 2FA management, physical security, malware protection, network security, incident reports and acceptable use.

All access to systems is granted based on the principle of least privilege, and we remove access when it is no longer needed.

Any third party contractors sign an NDA before beginning work with Aurelius. No third party contractors are ever given access to customer data, production environments or sensitive information.

Data, Storage and Servers

Aurelius uses third-party providers, Google Cloud Platform (US locations) and MongoDB Atlas, to host and store the application and customer data.

We conduct vulnerability scans regularly and prioritize and patch vulnerabilities according to our policy. Critical vulnerabilities are placed in highest priority and remediated as quickly as possible.

Additionally, we are subscribed to reputable mailing lists of new security issues to keep informed and be proactive in addressing possible security issues.

All data is encrypted with AES-256 at rest and with TLS 1.2 or higher in transit.

Customer data is logically separated and environments are physically separated.

Data is backed up hourly, daily, weekly and monthly, and backups are retained for up to one year.

Logging

All user actions, including any data creation within Aurelius (e.g. logins/logoffs, account changes, admin actions, invites/removals, etc.), are logged and regularly reviewed in order to perform necessary audits.

Penetration Testing

We conduct penetration testing on an annual basis and can provide the redacted results of these tests for our Enterprise customers.

Single Sign On (SSO)

Aurelius supports SSO via SAML 2.0. Any user with Admin access can configure this on the Settings page.

User Roles and Permissions

Users of Aurelius manage new users, roles and access on their Settings page. Here are all the current roles and permissions available (please note that some of these capabilities are only available in our Enterprise plan):

  • Admin: Admins have full access to Aurelius and all the data in your account workspace. Admins can invite new users, promote and demote Admins and delete users. Admins also have access to all pages, allowing data management globally across the account.

  • Team Member: Team Members have read, write, view and delete access to all projects and data in your Aurelius workspace, unless they have been limited only to certain projects or areas by an Admin.

  • Read Only: Read Only users have only view access to that which they’ve been invited to.

  • Project Specific access: Team Members and Read Only users can be invited with access only to projects granted by an Admin. They would not have access to global pages such as the Universal Search, Collections, etc. Upon sign in, these users only see the list of projects they’ve been granted access to.

  • Private Projects: Private Projects are by default only visible to the creator and any Admin(s) on your team. You can then invite specific team members to a private project. Users invited to a private project inherit the same access level as their Aurelius account access (Team Member or Read Only). You can also mark private projects as public, allowing access to any users who would typically have access to all projects.

  • External Share by Link: You can share project Reports and global Collections with any email address as read-only; recipients do not require an account. Once invited, they receive an email with a generated link to view the Report or Collection. When they click this link, they must verify their email address before gaining read-only access.

Insurance

Aurelius carries policies for general liability, cyber liability, tech errors and omissions, workers' compensation and employer liability, and auto liability. We can make these certificates available upon request for our Enterprise customers.

Compliance with your additional security requests

If you have additional questions or security needs specific to your organization, please reach out; we may be able to accommodate you.

Additional Questions

To learn more, see our Service Agreement, Privacy Policy or Terms of Use.

For additional questions, please reach out to us at contact@aureliuslab.com.