Survey result data

• We provide a service to run surveys of various types and gather respondent data from those. We also provide this data in real-time via a simple HTTPS API. The service is designed from the ground up to allow a client immediate access to the collected data - which also allows the data to be used to direct the rest of a survey; for example, if a respondent chose item X then now ask them question Y and so on.

  As such the following applies: We do not strictly offer data retention or long term store after a project is finished - per our terms and conditions. That said, we do have ability to make data available for an extended period by prior arrangement and on the understanding we are not responsible for the well being of the data. It is the clients data and responsibility once the data has been retrieved or after the project finishes (whichever comes first).

• Data is stored on highly available replicated clusters. The clusters are backed up every 6 hours on a rolling schedule that keeps a weeks worth of backups at a time with longer term snapshots as additional last resort measures (we keep one from every week for a secondary rolling period).

• Data is stored on a cluster of our operational choosing. Data can also be stored in a cluster that is region specific if the client needs and requests this ahead of time. (current regions are Germany / EU and US more can be added for the cost of the boxes and maintenance for a year)

Client assets (product images and so on)

• Client assets are stored in a combination of our own custom CDN network and a distributed set of highly available DBs for the associated meta data.

• As with survey result data we have the ability to restrict such data to certain pre-agreed regions and sub sets of our network per a clients requirements. For example to restrict assets and meta data to only be held within the US.

• Unless a client states upfront such a need then all assets will be distributed throughout our entire infrastructure to aid speed and resilience.

Survey setup and configuration data

• This will again be stored on one or more of our DB clusters.

Security

Our infrastructure is firewalled, virus scanned on an ongoing basis, uses internally encrypted communications, is highly redundant and process isolated. All communications from the world to us is secured VIA HTTPS / WSS (secure websockets). 

We use industry standard cloud providers such as Microsoft, Amazon, Digital Ocean.

Our code builds are automated and subject to check and daily feedback by senior engineering staff. Code audits and total openness of all development essentially means we have an effective internal audit.

We do not give out more detailed information about our infrastructure and security beyond the overall picture as stated here — This is to mitigate potential attack vectors.

Staff security

All staff are required to sign confidentiality contracts and maintain their development machines in an acceptable fashion with regards to the security of company information and property. 

Very few staff have direct access to client data. This is restricted to senior staff CTO, CEO level unless absolutely needed to help a client.

Compliance

We are compliant with the EU law regarding PII, we have contracts in place which also extends this to Canada and the US. We are happy to aid in any further contractual needs of other regions.

We are NOT yet registered under the UK Data Protection Act as, to put it simply, we do not need to be. Our existing contracts at an EU level supersede this need unless we handle PII as defined in UK law and thus far we do NOT.