Security statement

LAST UPDATED: August 10, 2022

This security statement applies to the products, services, websites and apps offered by the Provider and their affiliates (collectively, the “Provider”), except where otherwise stated. We refer to the Supplier's products, services, websites and apps collectively as the "Services" in this statement.

The provider values the trust our customers place in us by allowing us to manage their data. We take the responsibility of protecting and securing your information seriously, and we strive to be completely transparent about the security practices described below. Our privacy policy also describes how we handle your data.

Physical security

The supplier's information systems and technical infrastructure are located in world-class data centres. Physical security controls in these data centers include 24/7 monitoring, cameras, visitor logs, access restrictions and everything you would expect from a high security data processing facility.

Compliance

The supplier has implemented governance, risk management and compliance methods that are in accordance with the most recognized global frameworks for information security.

Access control

Access to the Supplier's technology resources is only permitted via secure connection (e.g., VPN and SSH) and requires multi-factor authentication. Our password policy for production departments requires passwords that are complex, have an expiry date, lock the user out if entered incorrectly and cannot be reused. The provider grants access on an as-needed basis based on the principle of least privilege, reviews permissions quarterly and revokes access immediately upon employee termination.

Security Policies

The provider maintains and reviews its information security policies regularly and ensures that they are updated at least once a year. Employees must agree to the policies each year and undergo training appropriate to their job function. The training is designed to comply with all specifications and regulations that apply to the Supplier.

Personnel

The supplier performs background checks upon employment (as permitted or facilitated by applicable laws and countries). In addition, the Supplier communicates its information security policies to all employees (who must accept them), requires new employees to sign confidentiality agreements and continuously provides privacy and security training.

Permanent security personnel

The supplier has its own organisation, which focuses on software, cloud network and system security. This team is also responsible for safety compliance, education and response to adverse events.

Vulnerability management and penetration testing

The supplier maintains a documented program for vulnerability management, which includes regular review, identification and remediation of security vulnerabilities on servers, workstations, network equipment and software. All networks, including test and production environments, are regularly scanned by trusted third-party vendors. Important updates are installed on servers as a priority, and all other updates are installed as needed.

We also perform regular internal and external penetration tests and remediate according to the severity of the findings.

Encryption

The provider encrypts all data while stored in our data centers with AES 256-based encryption. In addition, the Supplier encrypts all data in transit with (i) RSA with certificates based on 2048-bit key length generated by a public certification authority, for communications with entities outside the Supplier's data centers, and (ii) RSA 256 certificates generated via an internal certification authority for all data in the data center.

Development

Our development team uses techniques and best practices for secure coding, which are focused around the OWASP Top Ten. Developers are formally trained in secure web development upon employment and annually.

The development, test and production environments are separate. All changes are quality assured and logged for results, audit and legal purposes before distribution in the production environment.

Resource management

The supplier has a resource management policy that includes the identification, classification, storage and disposal of information and resources. The company's devices are equipped with full hard disk encryption and up-to-date anti-virus software. Only company units are granted access to corporate and production networks.

Handling of unwanted incidents

The supplier has a process for responding to adverse events which includes initial feedback, investigations, notification of customers (not less than what is required by law), public communication and remediation. This process is regularly reviewed and tested every two years.

Security breach notification

No matter how secure the methods we use, no method of transmission over the Internet and electronic storage is completely secure. We cannot guarantee absolute security. If the Supplier discovers a security breach, however, we notify affected users so that they can take the necessary protective measures. Our breach notification procedures are consistent with our obligations under the laws and regulations of various countries, state and federal laws and regulations, and any industry rules or standards that are relevant to us. We are committed to ensuring that our customers are well informed about all relevant aspects of the security of their account, and to providing customers with all the necessary information to enable them to comply with all their reporting obligations under legislation.

Management of business continuity

Backups are encrypted and stored in the production environment to preserve confidentiality and integrity. The provider uses a backup strategy to ensure minimal downtime and minimal data loss. The Business Continuity Plan (BCP) is regularly tested and updated to ensure that it is effective in the event of a crisis situation.

Your responsibility

You also have a responsibility to safeguard the security of your data by securing your account with sufficiently complex passwords and storing them securely. You must also ensure that the security of your own systems is sufficient. We provide TLS to secure the transmission of survey responses, but it is your responsibility to ensure that surveys are configured to use this feature where appropriate. For more information on how to secure your surveys, visit our Help Center.

Logging and monitoring

Application and infrastructure systems log information to a centrally managed log store for troubleshooting, security assessments and analysis by personnel approved by the Supplier. Logs are stored in accordance with legislation. We make sure to provide customers with reasonable assistance and access to logs in the event a security incident affects their account.