User Ids and Passwords
SoGoSurvey provides each user in your organization with a unique, secure user id and password that must be entered each time a user logs on. We follow the best practices in the industry for storing confidential data. Passwords are encrypted in the database before they are saved, and a session “cookie” is issued to record this encrypted authentication information only for the duration of a specific session. The session “cookie” does not include either user id or password of the user.
Our customers own all of their survey content and responses. Data may be exported from our system in any of the available formats at any point for external use.
Credit Card Security
We do not store any credit card information. Credit card details are securely handled by the third party payment management system we use, a completely PCI DSS compliant organization.
All data is stored on servers located in the United States.
Following account expiry, data is securely stored for one year, in case you restore your SoGoSurvey account. After a year the data is completely erased.
The security of your survey data is of utmost importance to us, as we know it is to you. We understand it needs to be confidential, accurate, and always available.
SoGoSurvey data is hosted in highly rated data centers, a standard that ensures 24/7 availability, redundancy, and operational sustainability.
Data Center Certification
Our hosting data centers are SOC 2 Tier III certified. This extremely stringent rating indicates 99.9%.availability for our application users and survey takers.
Data Center Compliance
The data centers we use have been audited to meet SSAE 16, SAS 70, SOC 2, SOC 3, PCI DSS and HIPAA compliances.
Data Center Security
All data center operations are protected 24/7/365 by 6-level security.
Mobile App Security
We follow industry best standards to develop, deploy, authenticate, maintain and transit data. Any third party libraries used in the code is thoroughly tested before launch. Informed consent is taken from end-user before collecting or processing information. We do not seek access or auto-store information. User consent is only taken to provide services which absolutely requires device-permissions or enhance user experience.
Data Encryption in Transit
All our communication is HTTPS - we encrypt data during transit using 256-bit encryption.
SoGoSurvey is GDPR compliant. For more details about SoGoSurvey and GDPR click here. If you have additional questions about GDPR compliance, please write to firstname.lastname@example.org
We follow Minimum Security Baseline (MSB) for system hardening and use a strong firewall for data protection. We follow industry best practices, including ensuring unwanted services are disabled on the firewall, default passwords are changed upon installation, and the firmware version is up-to-date.
Access is permitted only to designated IT administrators, and from only specific IP addresses.
Survey Response Encryption
Especially when you are ensuring survey participants that their data is treated confidentially, it’s critical for us to guarantee that responses are kept completely secure. The SSL feature enables you to encrypt data during transmission, aiding in the secure transfer of confidential data.
We have an SLA of 99.9% uptime for our services.
Planned downtime is limited to a maximum total of 8 hours per year, allowing for the performance of regular maintenance. All users are informed of the date and time of this maintenance at least one week in advance.
We have failover in place for all critical hardware and software components, as well as for the entire site. An individual hardware mechanism is available as a failover for every component. We also have an offline failover system for complete failover in cold state when a daily backup copy is being restored.
Data Backup and Frequency
Due to constant changes to the data, we perform backups at different frequencies. These include daily, weekly, and monthly backups. Transaction and incremental backups are performed on a regular basis. On a monthly basis, a regular recovery testing plan is carried out to ensure backups and restoration processes run smoothly.
Backup documentation regarding how system, application, and data backups are performed is reviewed every 3 months. Further reviews are completed whenever new hardware or applications are added.
System Scans and Upkeep
Important patches and updates are installed periodically on all of our systems. All servers are reviewed at regular intervals to make sure they are up to date. Before any patch is uploaded on production servers, it is uploaded on a local environment where a specialized team of QA testers verify and certify that uploading the patch will have no adverse affect on any of the applications, systems, or components. The patch management server monitors the need for any critical patches, which are uploaded within three days, following ample testing. Additionally, our Microsoft subscription provides us with advice about relevant patches and updates which we regularly review and implement as needed.
We use Nessus, Nmap and Zenmap third party scanning tools. We also maintain an in-house security team.
We perform penetration system testing every six months and before every new release to eliminate any vulnerable areas in our network. Initial testing and fixes are carried out by internal personnel and are later audited by external sources.
Personnel Training and Access
We perform background screening on all employees, to the extent possible within local laws.
We provide all the essential security and technology use training for all employees.
We screen our service providers and they are bound by contract to confidentiality and security obligations if they deal with any user data.
Access controls to sensitive data in our databases, systems, and environments are set on a need-to-know / least privilege necessary basis.
We regularly maintain and monitor audit logs on all our services and systems.
Our engineers use the best coding practices and industry-standard secure guidelines which align with the OWASP Top 10. All development is done in-house and is never outsourced.
We deploy code regularly when any bugs are noticed on the production environment.
Compliance and Certifications
EU-U.S. Privacy Shield
SoGoSurvey LLC. (“SoGoSurvey”) participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. SoGoSurvey is committed to subjecting all personal data received from European Union (EU) member countries, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List EU-U.S. Privacy Shield.
U.S. – Swiss Safe Harbor Framework
SoGoSurvey complies with the U.S. – Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal data from Switzerland. SoGoSurvey has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view SoGoSurvey’s certification, please visit U.S. – Swiss Safe Harbor Framework.
ISO 27001 Certified
SoGoSurvey is ISO 27001 certified, offering you the highest level of assurance in our business processes and practices. The rigorous ISO 27001 certification process includes an intensive audit by an accredited third party to certify that SoGoSurvey operates in a professional manner, values security highly, and complies with this internationally recognized top-tier standard. This certification also provides additional clarity regarding evaluation of the quality, breadth, and strength of our organization’s security practices.
In Case of a Security Breach
We have implemented substantial and elaborate security measures to protect your Information. Unique user ids and passwords must be entered each time a person logs on. The site is hosted in a secure server environment that uses a firewall and other technology to prevent access from outside intruders. Internally, we use security logs, train our employees, and limit access to only essential personnel. When transmitting sensitive Information, we use encryption technology. All our technology and processes are not, however, guarantees of security. If we do notice a security breach, we will notify the affected users via email so that they can take preventive actions.
SoGoSurvey allows account administrators to create and manage sub-accounts and determine permission levels, eliminating risky password sharing, confusion and inefficiency, while maintaining data privacy. There will be times when sharing data with people inside and outside of your organization is essential to facilitating workflow; still, controlling access to sensitive information is the only way to ensure it is secure.
Please ensure that you use the enhanced security option when running all your surveys. Please keep your user id and password secret and let us know immediately if you suspect that our security has been breached by emailing us at email@example.com.
If you have any specific questions, please contact us at firstname.lastname@example.org.