Our Guarantee: Data Privacy and Security

Download PDF version.

User Security

User Names and Passwords

Sogolytics (formerly SoGoSurvey) provides each user in your organization with a unique, secure User ID and password that must be entered each time a user logs on. We follow the best practices in the industry for storing confidential data. Passwords are encrypted with SHA-256 Cryptographic Hash Algorithm in the database before they are saved, and a session “cookie” is issued to record this encrypted authentication information only for the duration of a specific session. The session “cookie” does not include either User ID or password of the user.

Privacy

We have a comprehensive privacy policy that provides a very transparent view of how we handle your data, including how we use your data, who we share it with, and how long we retain it.

Data Ownership

Our customers own all of their survey content and responses. Data may be exported from our system in any of the available formats at any point for external use.

Credit Card Security

Sogolytics does not store any credit card information. Credit card details are securely handled by the third party payment management system we use, a completely PCI DSS compliant organization.

Data Residency

All data is stored on servers located in the United States.

Closed Accounts

Our Privacy Policy provides all the details of how we handle data for Cancelled / Expired accounts.

Data Security

Commitment

The security of your survey data is of utmost importance to us, as we know it is to you. We understand it needs to be confidential, accurate, and always available.

Hosting

Sogolytics data is hosted in highly rated data centers, a standard that ensures 24/7 availability, redundancy, and operational sustainability.

Data Center Certification

We are hosted in Tier IV and Tier III data centers in the United States. This extremely stringent rating indicates 99.9% availability for our application users and survey takers.

Data Center Compliance

The data centers we use have been audited to meet SSAE 16, SAS 70, SOC 2, SOC 3, PCI DSS and HIPAA compliances.

Data Center Security

All data center operations are protected 24/7/365 by 6-level security.

Mobile App Security

We follow industry best standards to develop, deploy, authenticate, maintain and transit data. Any third party libraries used in the code is thoroughly tested before launch. Informed consent is taken from end-user before collecting or processing information. We do not seek access or auto-store information. User consent is only taken to provide services which absolutely requires device-permissions or enhance user experience.

Data Encryption in Transit and At Rest

All our communication is HTTPS - we encrypt data during transit using 256-bit encryption. We encrypt all customer data at rest.

GDPR Compliance

Sogolytics is GDPR compliant. For more details about Sogolytics and GDPR, click here. If you have additional questions about GDPR compliance, please write to support1@sogolytics.com

Network Security

Firewalls

We follow Minimum Security Baseline (MSB) for system hardening and use a strong firewall for data protection. We follow industry best practices, including ensuring unwanted services are disabled on the firewall, default passwords are changed upon installation, and the firmware version is up-to-date.

Access Management

Access is permitted only to designated IT administrators, and from only specific IP addresses.

Survey Response Encryption

It is critical for us to guarantee that responses are kept completely secure. We use 256-bit SSL encryption during data transmission, thus ensuring secure transfer of confidential data.

System Reliability

System Uptime

We have an SLA of 99.9% uptime for our services.

Planned Maintenance

Planned downtime is limited to a maximum total of 8 hours per year, allowing for the performance of regular maintenance. All users are informed of the date and time of this maintenance at least one week in advance.

Failover Configuration

We have failover in place for all critical hardware and software components, as well as for the entire site. An individual hardware mechanism is available as a failover for every component. We also have an offline failover system for complete failover in cold state when a daily backup copy is being restored.

Data Backup and Frequency

Due to constant changes to the data, we perform backups at different frequencies. These include daily, weekly, and monthly backups. Transaction and incremental backups are performed on a regular basis. On a monthly basis, a regular recovery testing plan is carried out to ensure backups and restoration processes run smoothly. Please refer to our Privacy Policy for more details.

Documentation

Backup documentation regarding how system, application, and data backups are performed is reviewed every 3 months. Further reviews are completed whenever new hardware or applications are added.

System Scans and Upkeep

System Patching

Important patches and updates are installed periodically on all of our systems. All servers are reviewed at regular intervals to make sure they are up to date. Before any patch is uploaded on production servers, it is uploaded on a local environment where a specialized team of QA testers verify and certify that uploading the patch will have no adverse effect on any of the applications, systems, or components. The patch management server monitors the need for any critical patches, which are uploaded within three days, following ample testing. Additionally, our Microsoft subscription provides us with advice about relevant patches and updates which we regularly review and implement as needed.

Scans

We use third party scanning tools and maintain an in-house security team for regular audits.

Penetration Testing

We perform penetration system testing every six months and before every new release to eliminate any vulnerable areas in our network.

Personal Training and Access

Employee Screening

We perform background screening on all employees, to the extent possible within local laws.

Training

We provide all the essential security and technology use training for all employees.

Service Providers

We screen our service providers and they are bound by contract to confidentiality and security obligations if they deal with any user data.

Administrative Access

Access controls to sensitive data in our databases, systems, and environments are set on a need-to-know / least privilege necessary basis.

Audit Logging

We regularly maintain and monitor audit logs on all our services and systems.

Development Practices

Coding Practices

Our engineers use the best coding practices and industry-standard secure guidelines which align with the OWASP Top 10. All development is done in-house.

Deployment

We deploy code regularly when any bugs are noticed on the production environment.

Certification and Compliances

ISO 27001

Sogolytics is ISO 27001 certified, offering you the highest level of assurance in our business processes and practices. The rigorous ISO 27001 certification process includes an intensive audit by an accredited third party to certify that Sogolytics operates in a professional manner, values security highly, and complies with this internationally recognized top-tier standard. This certification also provides additional clarity regarding evaluation of the quality, breadth, and strength of our organization’s security practices.

EU-U.S. Privacy Shield

Sogolytics LLC. (“Sogolytics”) participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. Sogolytics is committed to subjecting all personal data received from European Union (EU) member countries, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List EU-U.S. Privacy Shield.

Swiss-U.S. Privacy Shield

Sogolytics complies with the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal data from Switzerland. Sogolytics has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view Sogolytics’s certification, please visit U.S. – Swiss Safe Harbor Framework.

Data Center Certifications and Compliances

SSAE 16, SAS 70, SOC 2, PCI DSS and HIPAA compliances.

In Case of a Security Breach

We have implemented substantial and elaborate security measures to protect your Information. Unique user names and passwords must be entered each time a person logs on. The site is hosted in a secure server environment that uses a firewall and other technology to prevent access from outside intruders. Internally, we use security logs, train our employees, and limit access to only essential personnel. When transmitting sensitive Information, we use encryption technology. All our technology and processes are not, however, guarantees of security. If we do notice a security breach, we will notify the affected users via email so that they can take preventive actions.

User Responsibilities

Sogolytics allows account administrators to create and manage sub-accounts and determine permission levels, eliminating risky password sharing, confusion and inefficiency, while maintaining data privacy. There will be times when sharing data with people inside and outside of your organization is essential to facilitating workflow; still, controlling access to sensitive information is the only way to ensure it is secure.

Please ensure that you use the enhanced security option when running all your surveys. Please keep your user name and password secret and let us know immediately if you suspect that our security has been breached by emailing us at privacy@sogolytics.com.

If you have any specific questions, please contact us at support1@sogolytics.com.

Client

Company Size

Industries

Customer Since

Read more

Typical Rave Review

Description