Secure and compliant by design
European data residency, GDPR-native architecture, ISO 27001 & SOC 2 Type II certification in progress (Q4 2026) — with a Trust Center available 24/7. Built so security and procurement teams can say yes with confidence.
EU Hosted
Data residency in Europe
ISO 27001
Certification in progress · Q4 2026
SOC 2 Type II
Certification in progress · Q4 2026
GDPR Native
EU data protection by design
Certifications & frameworks
Four layers of independently verified security and compliance — each with a clear, non-marketing explanation of what it actually means.
EU Data Residency
Hosted in Europe — always
All customer data is stored and processed on European servers. Data-residency as standard, not an add-on. A meaningful differentiator for European enterprises subject to data-localization requirements.
ISO 27001
In progress · Q4 2026
Security management system
International standard for Information Security Management Systems (ISMS). Independent certification against 114 Annex A controls — covering risk management, access control, incident response, and operational security.
SOC 2 Type II
In progress · Q4 2026
Controls audited over time
Unlike a point-in-time attestation, SOC 2 Type II covers controls operating effectively over an audit period. Covers the Trust Service Criteria: security, availability, and confidentiality. ~70% control overlap with ISO 27001.
GDPR
EU data protection — built in
EU Regulation 2016/679 governs how personal data is collected, stored, and processed. Usedge is GDPR-native: lawful basis, consent management, data-subject rights (access, rectification, erasure, portability) — all supported in the product.
Security documentation, available 24/7
Procurement and security teams should not have to chase anyone for a document. The Usedge Trust Center is a self-serve hub where you can access certifications, policies, sub-processor lists, and security questionnaire responses at any time — no NDAs required for the public view.
Available without login · Extended documentation on request
What's inside
Current certifications
ISO 27001 & SOC 2 Type II — certifications in progress, Q4 2026
Privacy policy & DPA
Data Processing Agreement ready to countersign
Sub-processor list
Full list of third-party processors, kept up to date
Security documentation
Penetration test summaries, security questionnaire responses
Security controls you can point to
Every layer of the stack — data, identity, access, and AI — is covered by controls that are independently audited and documented in the Trust Center.
Encryption in transit & at rest
TLS 1.3 for all data in transit. AES-256 encryption for data at rest. Encryption keys managed with rotation.
SSO / SAML
Enterprise identity provider support via SAML 2.0 and OIDC. Centralise access management through your existing IdP.
Role-based access control
Granular permissions scoped by workspace, project, and team. Principle of least privilege enforced by default.
Complete audit logs
Immutable access and change logs for every action in the platform — who accessed what, when, and from where.
Sub-processor transparency
Full list of third-party sub-processors published in the Trust Center and kept current. Notified on changes.
Backup & availability
Automated daily backups with point-in-time recovery. High-availability architecture with defined RTO/RPO targets.
Responsible disclosure
A published vulnerability disclosure program. Security researchers can report issues through a defined channel.
AI governance
Customer data is not used to train external AI models. Agent access is scoped, governed, and auditable — actions logged like any other user.
Run research on real people — lawfully
Usedge is built for teams who handle participant personal data at scale. Consent, traceability, access governance, and data-subject rights are first-class features — not compliance checkboxes.
Consent management
Capture, record, and store participant consent per study. Consent versions are timestamped, tied to each participant, and auditable. Withdrawal of consent is supported at any time.
Full traceability
Every participant's data, highlights, and research contributions are traceable to their source study or session. An audit trail logs every access and change — who, when, and what.
Panel governance
Participant PII is scoped by role. Researchers see what their permissions allow. Panel admins control who can access which participant records — and every access is logged.
Consent & audit trail — participant lifecycle
15 Nov 2024
Consent given
Lawful basis recorded. Consent version and timestamp stored.
22 Nov 2024
Session run
Data collected against consented scope. Session linked to participant.
01 Dec 2024
Data accessed
Access event logged in audit trail with user, timestamp, action.
10 Jan 2025
Erasure request received
Article 17 right-to-erasure request logged and actioned within 30 days.
10 Jan 2025
Personal data removed
PII deleted. Research contributions anonymized and preserved.
Delete the person. Keep the evidence.
Usedge makes a distinction most platforms miss — and it matters for research teams who need both GDPR compliance and durable institutional knowledge.
Anonymization
Permanently removes all personal identifiers so re-identification is no longer reasonably possible — while keeping research contributions intact. Highlights, insights, and session data remain usable, de-identified. This is genuine anonymization — not pseudonymization (replacing a user ID is not enough under GDPR guidance).
Deletion — Right to Erasure (Art. 17)
On a data-subject erasure request or consent withdrawal, Usedge fully removes the participant's personal data from the platform. All associated research contributions are removed with it — a complete data removal for when anonymization alone is insufficient.
The standout capability
“Delete all personal data for a participant — but keep all their highlights and contributions in the research library.” Research value preserved. Privacy honored. Both, at once.
Before — participant record
Sophie M.
After — de-identified, research preserved
[Redacted]
Email: —
Personal identifiers removed. Research contributions preserved, de-identified.
Automated lifecycle, data-subject rights built in
Data does not linger indefinitely. Retention policies are configured per study, lifecycle transitions are automated, and all four GDPR data-subject rights are handled directly in the platform.
Data lifecycle — four phases
Collection
Lawful basis and consent recorded at the point of capture. Retention period set per study.
Active use
Data accessible only to authorised roles. Access logged. Retention countdown active.
Retention review
Automatic flag when retention period approaches. Admin prompted to extend, archive, or delete.
End of life
Data deleted or anonymized per the configured policy. Deletion logged for compliance audit.
GDPR data-subject rights — all handled in-platform
Access (Art. 15)
Data subjects can request a full export of all personal data held about them.
Rectification (Art. 16)
Incorrect personal data can be corrected on request, with an audit trail of the change.
Erasure (Art. 17)
Right to be forgotten. Personal data fully deleted on request — or research contributions anonymized and preserved.
Portability (Art. 20)
Data export in a structured, machine-readable format — ready to transfer to another controller.
Security and compliance, by design
EU-hosted, GDPR-native, and ISO 27001 & SOC 2 Type II certification in progress (Q4 2026) — with documentation available in the Trust Center, 24/7.
