User Names and Passwords
SoGoSurvey provides each user in your organization with a unique, secure user name and password that must be entered each time a user logs on. We follow the best practices in the industry for storing confidential data. Passwords are encrypted in the database before they are saved, and a session “cookie” is issued to record this encrypted authentication information only for the duration of a specific session. The session “cookie” does not include either the user name or password of the user.
Account administrators own the survey content and responses. Data may be exported from our system in any of the available formats at any point for external use.
Credit Card Security
We do not store any credit card information. Credit card details are securely handled by the third party payment management system we use, a completely PCI DSS compliant organization.
All data is stored on servers located in the United States.
Following account expiry, data is securely stored for one year, in case you restore your SoGoSurvey account. After a year the data is completely erased.
The security of your survey data is of utmost importance to us, as we know it is to you. We understand it needs to be confidential, accurate, and always available.
SoGoSurvey data is hosted in multiple highly rated data centers, a standard that ensures 24/7 availability, redundancy, and operational sustainability.
Data Center Certification
Our hosting data centers are Tier III certified. This extremely stringent rating indicates availability over 99.982%.
Data Center Compliance
The data centers we use have been audited to meet SSAE 16, SAS 70, SOC 2, SOC 3, PCI DSS and HIPAA compliance requirements.
Data Center Security
All data center operations are protected 24/7/365 by 6-level security.
Data Encryption at Rest
We use file-based encryption for data at rest, ensuring all sensitive files are compressed and encrypted.
Your SoGoSurvey.com transactions and data are protected with an SSL Certificate from GoDaddy.com, which includes 256-bit encryption — the strongest level of data encryption available. SSL (Secure Sockets Layer) is the most advanced technology for Internet security available today.
SoGoSurvey is set to be fully GDPR compliant by the end of May 2018. In general, GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states.
Right to Access
In compliance with GDPR guidelines, SoGoSurvey guarantees users the right to request and receive information regarding whether their personal data has been processed, where, and for what purpose. Further, SoGoSurvey will provide active users with an electronic copy of user research data, free of charge.
Right to be Forgotten
SoGoSurvey complies with the right to be forgotten, entitling users to have their data completely deleted and ensuring no third parties will process the data.
Types of Data Protected by GDPR
GDPR protects data including basic identity information like name, address, and ID numbers; web data such as location, IP address, cookie data, and RFID tags; health and genetic data; biometric data; racial or ethnic data; political opinions; and sexual orientation.
We use Cisco Firewall and follow Minimum Security Baseline (MSB) for system hardening. Our firewalls are configured such that only select ports are accessible from any source IP address. We make sure the Firewall firmware is the latest stable version. Unwanted services are disabled on the firewall and default passwords are changed upon installation.
Access is permitted only to designated IT administrators, and only from specific IP addresses. Additionally, syslog is configured to forward to a dedicated server, and these logs are audited every week, as well as on request.
Survey Response Encryption
Especially when you are assuring survey participants that their data is treated confidentially, it’s critical for us to guarantee that responses are kept completely secure. The SSL feature enables you to encrypt data during transmission, aiding in the secure transfer of confidential data.
We are proud to confirm a 100% uptime. Further, we have a 99.982% uptime SLA from our Data Center.
Planned downtime is limited to a maximum of 30 minutes every month, allowing for the performance of regular maintenance. All users are informed of the date and time of this maintenance at least one week in advance.
We have failover in place for all critical hardware and software components, as well as for the entire site. An individual hardware mechanism is available as a failover for every component. We also have an offline failover system for complete failover in cold state when a daily backup copy is being restored.
Data Backup and Frequency
Due to constant changes to the data, we perform backups at different frequencies. These include daily, weekly, and monthly backups. To provide added protection for critical components, we complete transaction backups every 30 minutes throughout the day. On a monthly basis, a regular recovery testing plan is carried out to ensure backups and restoration processes run smoothly.
Backup documentation regarding how system, application, and data backups are performed is reviewed every 3 months. Further reviews are completed whenever new hardware or applications are added.
System Scans and Upkeep
Important patches and updates are installed periodically on all of our systems. All servers are reviewed at regular intervals to make sure they are up to date. Before any patch is deployed to production servers, it is deployed to a local environment where a specialized team of QA testers verify and certify that the patch will have no adverse effect on any of the applications, systems, or components. The patch management server monitors the need for any critical patches, which are deployed within three days, following ample testing. Additionally, our Microsoft subscription provides us with advice about relevant patches and updates, which we regularly review and implement as needed.
We use McAfee Vulnerability Scan, Nessus, Nmap and Zenmap as third-party scanning tools. We also maintain an in-house security team.
We perform penetration testing of our systems every three months and before every new release to eliminate any vulnerable areas in our network. Initial testing and fixes are carried out by internal personnel and are later audited by external parties. The most recent penetration test was completed in December 2017 with a successful result.
Personnel Training and Access
We perform background screening on all employees, to the extent possible within local laws.
We provide all the essential security and technology use training for all employees.
We screen our service providers and they are bound by contract to confidentiality and security obligations if they deal with any user data.
Access controls to sensitive data in our databases, systems, and environments are set on a need-to-know / least privilege necessary basis.
We regularly maintain and monitor audit logs on all our services and systems.
Our engineers use the best coding practices and industry-standard secure guidelines which align with the OWASP Top 10. All development is done in-house and is never outsourced.
We deploy code fixes promptly whenever bugs are noticed in the production environment.
Compliance and Certifications
EU-U.S. Privacy Shield
SoGoSurvey LLC. (“SoGoSurvey”) participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. SoGoSurvey is committed to subjecting all personal data received from European Union (EU) member countries, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List EU-U.S. Privacy Shield.
U.S. – Swiss Safe Harbor Framework
SoGoSurvey complies with the U.S. – Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal data from Switzerland. SoGoSurvey has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view SoGoSurvey’s certification, please visit U.S. – Swiss Safe Harbor Framework.
In Case of a Security Breach
We have implemented substantial and elaborate security measures to protect your Information. Unique user names and passwords must be entered each time a person logs on. The site is hosted in a secure server environment that uses a firewall and other technology to prevent access by outside intruders. Internally, we use security logs, train our employees, and limit access to only essential personnel. When transmitting sensitive Information, we use encryption technology. Our technology and processes are not, however, a guarantee of security. If we do notice a security breach, we will notify the affected users via email so that they can take preventive actions.
SoGoSurvey allows account administrators to create and manage sub-accounts and determine permission levels, eliminating risky password sharing, confusion and inefficiency, while maintaining data privacy. There will be times when sharing data with people inside and outside of your organization is essential to facilitating workflow; still, controlling access to sensitive information is the only way to ensure it is secure.
Please ensure that you use the enhanced security option when running all your surveys. Please keep your user name and password secret and let us know immediately if you suspect that our security has been breached by emailing us at email@example.com.
If you are interested, a more detailed security document is available for your review. Please send your request and any specific questions to us at firstname.lastname@example.org.
Important Notice: We are working on meeting and in many cases exceeding the GDPR requirements for data privacy and we will be in compliance by May 25, 2018.