As an omnichannel experience management platform, SurveySparrow strongly believes in the power of better experiences and enables businesses of all sizes and industries to refine their customer, employee & product experiences using a single system.
Considering that SurveySparrow enables a range of mission-critical, and sensitive use cases for our customers, we consider privacy and data protection as the core functions of our platform and new feature development.We hold ourselves to the highest security standards without compromise.
Put forth by the American Institute of Certified Public Accountants (AICPA), SOC 2 Type II is a comprehensive reporting framework that defines and outlines criteria to manage customer data based on five “trust service principles” - processing integrity, availability, privacy, security, and confidentiality. SOC2 ensures secure managing of data entrusted by SurveySparrow’s customers to protect their privacy and interests.
ISO/IEC 27001:2022, an internationally recognised standard for implementing Information Security Management System (ISMS) ensuring confidentiality, integrity & availability of information within the organisation.
HIPAA is a federal legislation that provides data privacy & security provisions for safeguarding Personal Health Information (PHI) held or transmitted by Covered Entity/Business Associates.
GDPR is the stringent European Union (EU) data protection law that sets standards for organisations to collect, process, or store information on EU individuals/ Data Subjects.
Experience the power of seamless integration with SurveySparrow. Our certification with Microsoft 365 assures that we meet the highest standards of security, compliance, and compatibility, providing you with a reliable and efficient platform to build and distribute surveys.
CCPA is a landmark legislation that enhances data privacy rights of California Residents & giving control over the personal data collected, processed and/or disclosed by the businesses.
Cyber Essentials certification demonstrates our commitment to robust cybersecurity practices by meeting a UK government-backed standard for protecting systems and data against common online threats. SurveySparrow’s systems have been independently audited by an assessor approved by IASME to ensure that the required security controls have been successfully implemented across the organisation and its networks
SurveySparrow manages the security of its application and customers data. However, provisioning and access management of individual account is at the discretion of individual account owners.
Changes to the application, web content, infrastructure and deployment processes are documented as part of an internal change control process. The security review makes it mandatory that each version should be compliant with the company's internal ISMS policies.
Our product collects limited information about customers - name, phone number and email address - which are retained for account creation. For payment purposes, billing details such as name, phone number, billing address and credit card details are requested and retained by SurveySparrow's PCI compliant payment processor.
Data at rest is encrypted using AES-256 bit standards (key strength - 1024) with the keys being managed by AWS Key Management Service. Data in transit is encrypted using secure TLS Cryptographic Protocols.
Application logs are maintained for a year. Backup of customers data is carried out in two ways:
SurveySparrow's development center in Cochin is under 24x7 protection by Government security, at both premises level and floor level to ensure that only authorized individuals have access to the building and the SurveySparrow office. Barriers and guards secure the building's premises. The floor level is equipped with security guards and biometric readers to authorize the entry of individuals. Employees are granted office access only after authorization using government-issued IDs. Critical locations in the office are available only to authorized individuals.
Documents of high importance are stored in cabinets that are only accessible to authorized individuals. The office is well equipped with surveillance cameras and their footage is monitored periodically by authorized individuals. Fire alarms and water sprinklers are set up to detect and alleviate damage in the unlikely event of a fire.
The management team present at the premises conducts regular fire drills to educate employees about emergency evacuation procedures. A policy has been put in place to approve and regulate visitor access to the building. The office is well equipped with a 24x7 power supply, which is backed up by an alternate power supply system to ensure smooth operation in the unlikely event of a power failure.
SurveySparrow hosts its application and data in industry-leading Amazon Web Services, whose data centers have been thoroughly tested for availability, security and business continuity.
All of SurveySparrow's products are hosted on Amazon Web Services. The infrastructure for application servers and databases is managed and maintained by the cloud service provider. At SurveySparrow, we employ a multifaceted approach to application security, to ensure that every process from engineering to deployment, including quality assurance and architecture adheres to our highest standards of safety.
In this section, network security is discussed in detail from the development center's perspective and the network where the application is hosted.
SurveySparrow's office network where updates are developed, deployed, monitored and managed is secured by antivirus software and industry-grade firewalls, to provide active alerts in the event of a threat or incident and to protect internal information systems from intrusion. Firewall logs are stored and reviewed at regular intervals. Access to the production environment is via SSH and remote access is possible only through the office network. Audit logs are generated for each remote user session and reviewed. Also, access to production systems is always through a multi-factor authentication mechanism.
SurveySparrow is hosted on AWS, with security managed by Amazon. The infrastructure is monitored 24x7 by our DevOps and Security teams for stability, intrusions and spam using a dedicated alert system. End-to-end penetration tests and vulnerability assessments are performed every three months. SurveySparrow has an in-built spam protection system for businesses that use it, while the DevOps team oversees and blocks individual accounts and IP addresses which attempt to access the SurveySparrow application.
SurveySparrow understands that formal procedures, controls and well-defined responsibilities need to be in place to ensure continued data security and integrity. The company has transparent change management processes, fallback mechanisms and logging and monitoring procedures which have been put in place as part of its operational security instructions. An information security committee is present to oversee and approve organization-wide security policies.
Operational security begins right from recruiting an engineer to training and auditing their work products. We perform standard background verification checks (including verification of academic records) on all new employees. Each employee is provided with extensive training about the information security policies of the company and is required to sign that they have read and understood the company's security-related policies. Company-wide confidential information is accessible only to select authorized SurveySparrow employees.
It is imperative that employees report any observed suspicious activities or threats. The HR team takes disciplinary action against employees who violate organizational security policies. Security incidents, such as breaches and potential vulnerabilities, can be reported by customers via [email protected].
SurveySparrow maintains a database of all information systems used by employees for development purposes in an internal service desk, aided by automated probing software that helps in tracking changes to these systems and their configurations. Only authorized and licensed software products are installed by employees. No third parties or contractors manage software or information facilities, and no development activity is outsourced. All employee information systems are authorized by the management before they are installed or put to use.
We employ an external security consultant to perform penetration tests in order to test the resilience of the hosted application. This is always conducted in an architecturally equivalent duplicate of the system with no actual customer data present. The production system is never subject to such tests. Should an individual attempt such a test in the production environment, it will be detected as an interference, and the source IP will be blocked. An alert will then be raised to the DevOps and Security teams who shall rectify the issue.
The company has a privacy notice, approved by an internal legal counsel, publicly available at https://surveysparrow.com/legal/privacy-policy. The payment gateway used by SurveySparrow is PCI compliant.
If you believe you've discovered a security-related issue, please report the issue at [email protected]. Please feel free to reach out at the same address to clarify any queries
