Security & Privacy

Trust is our #1 value at Ultimate, and that means we take privacy and security seriously. Our policies have been structured to ensure the highest level of confidentiality and integrity when processing your data.


Security built-in

We’re proud to be a SOC2 type-2 compliant company. This means our risk management, governance, and handling of data meets one of the highest global standards.

Our security model operates with controls based on industry best practices. And as part of our SOC2 compliance, Ultimate’s security program is monitored and regularly reviewed by our security, privacy, and management teams — so you can be sure that your data is in safe hands.


Privacy by design

At Ultimate, we believe privacy is more than a list of policies or some boxes to tick. From the beginning Ultimate’s powerful virtual agent platform has been built with our customers’ privacy in mind.

As a global company, we’re committed to compliance with privacy laws around the world — with the EU’s GDPR legislation setting the bar for building privacy into the foundations of our product.

Privacy FAQs

We hope to answers any questions on privacy that you might have. If you can’t find what you’re looking for on this page, please get in touch.

Email our security and privacy team.


Is Ultimate GDPR compliant?

We have taken a number of steps to ensure GDPR compliance.

This includes:

  • Making sure all of the required terms are in place when we process data for our customers (this is set out in our DPA)
  • Having a robust security program (we publish details of our security measures for full transparency)
  • Regular reviews and record keeping to ensure the proper management of personal data
  • Building a platform that supports privacy by design
  • Maintaining procedures for handling any possible personal data breach
  • Regular training for all staff on our privacy and security programs
  • Having a DPO in place to monitor and advise us on our ongoing compliance

Is Ultimate a controller or a processor?

The GDPR names two different roles when it comes to who is involved with personal data — controllers and processors.

The controller decides how to process the personal data it holds and for what purpose. A processor acts on behalf of the controller to process the data it is given, only on the basis of what they are told to do. This is usually set out in a written contract.

Ultimate is the data controller of personal data associated with our customers’ employees (such as usernames and named contacts, but not our customer’s chat visitors or their own end-customers).

For personal data provided to us through the platform, the customer is the data controller. Ultimate is the data processor. We only process data on the basis of our DPA that we agree with our customers.

Does Ultimate offer a DPA?

Yes we do. All of our customers are able to enter into a DPA with us.

Our DPA covers all of the main terms needed under the GDPR. It also describes our processes when it comes to telling you about changes or breaches (if they happen).

We understand that customers may have their own DPAs, but we do ask that our DPA is used. We are not trying to be difficult by taking this approach, it is just that our DPA describes the processes we have in place for the benefit of all of our customers.

Who has access to our data?

Various teams within Ultimate may have access to your data (whether we are a controller or a processor). This access depends on the nature of their job role and the task being performed to provide a service to you.

Where we are a controller, your data may be shared with third parties that provide us with tools that we use in the usual course of business. This is set out in more detail in our Privacy Policy.

Customers must manage their own users and what these users can access in their Ultimate account. See more details on managing users.

Acting as a processor, like many SaaS providers we do rely on third party sub-processors to enable us to provide our services. See the full list of these sub-processors (with further information).

Where does Ultimate store data?

Customer account data is stored in Google Cloud data centers within the EU. Google Cloud maintains multiple certifications for its data centers, including ISO 27001 compliance, PCI Certification, and SOC reports.

Does Ultimate use sub-processors?

Yes. See the full list of the third party sub-processors (with further details of the processing involved).

Does Ultimate transfer personal data abroad?

Ultimate is located in the EU and all customer account data is stored within the EU. We do not transfer any account data outside of the EU.

Some of our staff might be located outside of the EU and have access to personal data within your account. In these cases, we rely on lawful transfer mechanisms allowed by the GDPR. This includes the decision made by the European Commission deeming the UK as having adequate measures to protect any personal data coming from the EU.

Has Ultimate considered the Schrems II decision?

In July 2020, the Court of Justice of the European Union ruled that the previous EU-US Privacy Shield was no longer valid. It also raised questions about whether Standard Contractual Clauses (SCCs) alone were effective to cover transfers of data to non-EU countries — particularly the USA.

This has led to further, deeper reviews of transfers of data where this data may be accessed by companies in the USA. Guidance states that extra measures are needed in these cases, especially where the country that data is being sent to has little or no controls to protect the rights of EU citizens.

At Ultimate, we are very aware of the controls needed to address these concerns. As set out above, data is stored within the EU and we do not transfer data outside of the EU.

We are aware that some of the third parties that we use to provide our services are EU-based companies of a US-based parent company. To ease any concerns, we have taken extra steps to make sure that any further access by these third parties is restricted.

To ensure the security of the data we store or transmit, encryption is used. The keys used for this are always managed by us and are completely within our control. More details are in our security measures. In line with guidance from the EDPB, this is deemed to be an effective control when using the SCCs.

Does Ultimate allow government access to customer data?

No. Ultimate does not allow any government authority or agency free access to any customer data that we hold.

To date, we have never received a request of this nature. If we were to ever receive a request, any response would be limited to what is needed by law.

A response would only be provided after a thorough review by our Privacy and Legal teams, to make sure the request was valid. We would always aim to get the request directed to the relevant customer. We would also do our best to notify you before giving a response, unless the law prevented us from doing so.

How long does Ultimate hold personal data?

As a processor, we hold personal data for the duration of your contract with us. Any personal data within your account is deleted at the end of the contract.

Does Ultimate have a DPO?

Yes we do. Our DPO is privacy expert Michael Panienka, an outside lawyer based in Germany who gives us advice on and helps us review our privacy program.

What type of events and user actions in the dashboard get logged by Ultimate?

  • Changes to bot content (intent and reply creation, deletion, edits)
  • User creation (creator and creation date)
  • Latest update to the user (date and author of the change)
  • Last login

    Any other user behaviour — logins, page visits etc. — is only logged anonymized. This is to understand performance of our features and is not tied to users.

Who has access to the data logged by Ultimate?

Users of the Dashboard can see changes made to their bot’s content by accessing the change logs in the dashboard.

Within Ultimate access to this data is only granted to those who need it for their work, including engineers, account managers, etc.

Technical measures



We use multifactor authentication for administrative access to systems with more highly classified data. Where possible and appropriate, we use private keys for authentication. To connect with administrative access to production servers, our team is required to connect using both an SSH key and a one-time password associated with a device-specific token.

Where passwords are used, multifactor authentication is enabled. The passwords themselves are required to be complex: auto-generated to ensure uniqueness, longer than 12 characters, and not consisting of a single dictionary word, among other requirements.

Ultimate allows personnel to use an approved password manager. Password managers generate, store, and enter unique and complex passwords. Use of a password manager helps avoid password reuse, phishing, and other behaviors that can reduce security.

Data and media disposal

Customer data is removed immediately upon deletion or message retention expiration. Backups are destroyed within 14 days. We follow industry standards and advanced techniques for data destruction.

Ultimate defines policies and standards requiring media be properly sanitized once it is no longer in use. Our hosting provider GCP is responsible for ensuring removal of data from disks before they are re-purposed.

Disaster recovery and business continuity

Ultimate utilizes the services provided by our hosting provider Google Cloud Computing (GCP) to operate the whole base infrastructure of our production environment. The distinct locations within the GCP network ensure protection from loss of connectivity, power, and other possible location specific events.

Full backups are stored in the GCP cloud in a highly redundant and available storage solution. Backups are created multiple times a day.

We maintain disaster recovery and business continuity plans, providing our processes and procedures to follow in the event of a disaster. These plans are updated as needed and at a least annually.

Encryption at rest

Data at rest in our production network is encrypted using AES256 encryption. This applies to all types of data at rest within our systems — relational databases, file stores, database backups, etc.

Ultimate stores encryption keys in a secure server on a segregated network with very limited access. Keys are never stored on the local filesystem, but are delivered at process start time and retained only in memory while in use.

Encryption in transit

Ultimate transmits data over public networks using strong encryption. We support the latest recommended secure cipher suites to encrypt all traffic in transit, including use of TLS 1.2 protocols, AES256 encryption, and SHA2 signatures, as supported by the clients.

We also monitor the changing cryptographic landscape and upgrade the cipher suite choices as the landscape changes, while balancing the need for compatibility with older clients.


We are committed to making Ultimate a highly-available service that you can count on. Our infrastructure runs on systems that are fault tolerant, for failures of individual servers or entire data centers. Our Platform team tests disaster-recovery measures regularly and staffs an on-call team to quickly resolve any problems.

Network security

Ultimate divides its systems into separate networks to better protect more sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting our production application. Customer data submitted into our services is only permitted to exist in our production network, its most tightly controlled network. Administrative access to systems within the production network is limited to those engineers with a specific business need.

Network access to Ultimate’s production environment from open, public networks (the internet) is restricted. Only a small number of production servers are accessible from the internet. Only those network protocols essential for delivery of service to its users are open at our perimeter. Changes to Ultimate’s production network configuration are restricted to authorized personnel.

Penetration testing

We engage independent entities to conduct regular application-level and infrastructure-level penetration tests. Results of these tests are shared with management. We then review and prioritize the reported findings and track them to resolution.

Secure hosting

The Ultimate service is hosted in Google Cloud Platform (GCP) data centers maintained by industry-leading service providers. Data center providers offer state-of-the-art physical protection for the servers and related infrastructure that comprise the operating environment. These service providers are responsible for restricting physical access to Ultimate’s systems to authorized personnel.

Our hosting environment maintains multiple certifications for its data centers, including ISO 27001 compliance, FedRAMP authorization, PCI Certification, and SOC reports. For more information about their certification and compliance, please visit the GCP Security website and GCP Compliance website.

Workstation security

All workstations are pre-configured for employees to meet our standards. The default configuration includes disk encryption, anti-virus, strong passwords, and locking when idle. Employees are not permitted to download customer data from production systems to their local workstations.

Organizational measures


Access controls

We adhere to the principle of least privilege. Our teams are only authorized to access data they are required to handle in order to fulfill their current job responsibilities.

All systems require users to authenticate, and users are granted user specific credentials. Systems access for all employees are reviewed at least quarterly to ensure the correct level of access.

Audits and regular reviews

The core of our security program is to prevent unauthorized access to customer data. We take extensive measures to ensure we identify and mitigate risks, implement best practices, and evaluate how we can do better.

As part of our SOC2 certification, we regularly review our policies and controls. These are audited at regular intervals by a third party to ensure ongoing certification and compliance.

Personnel security

Personnel practices apply to all members of the Ultimate workforce: regular employees and independent contractors who have direct access to Ultimate’s internal information systems, and/or unescorted access to Ultimate’s office space. All workers are required to understand and follow internal policies and standards.

Before gaining initial access to systems, all workers must agree to confidentiality terms, pass a background screening, and attend security training. This training covers privacy and security topics, including device security, acceptable use, preventing malware, physical security, data privacy, account management, and incident reporting. Upon termination of work at Ultimate, all access to Ultimate’s systems is removed immediately.

Policies and standards

We maintain a set of policies, standards, procedures, and guidelines (“security documents”) that govern our activities. These security documents help ensure that our customers can rely on our workers to behave ethically, and for our service to operate securely. Security documents include, but are not limited to:

  • Fair, ethical, and legal standards of business conduct
  • Acceptable uses of information systems
  • Planning for business continuity and disaster recovery
  • Classification of security incidents
  • Control of changes
  • Security development life cycle process
  • Description, schedule, and requirements for retention of security records

We update these documents as needed and at least annually to ensure they are accurate.

Responding to security incidents

We maintain policies and procedures (also known as runbooks) for responding to potential security incidents. Ultimate defines the types of events that must be managed via our incident response process. Incidents are classified by severity and response procedures are tested and updated at least annually.

Secure development

We use a secure development life cycle process to assess the security risk of each development project. During the design phase each project is assessed and classified utilizing OWASP 10 as High, Medium, or Low risk. Based on the risk classification, a set of requirements must be met before the project can be released to production.

Staff training

During their tenure, all workers are required to complete a refresh of privacy and security training at least annually. They are also required to acknowledge that they’ve read and will follow information security policies at least annually.

Workers are required to report security and privacy issues to appropriate internal teams. Workers are informed that failure to comply with acknowledged policies may result in consequences, up to and including termination.

Version control

All code is stored in a version-controlled repository with changes subject to peer review and continuous integration testing. Defects found in this process must be remediated prior to deployment.

Still have questions?

Our security and privacy team will be happy to answer them.