SmartSurvey & UK Data Storage: What You Need to Know about personal data we process on your behalf
At SmartSurvey, we believe in keeping things safe, secure, and transparent. That’s why we offer UK data storage as standard on all our plans, giving you peace of mind that your personal data is hosted in secure, UK-based data centres and protected by UK law.
You're in the right place if your organisation values privacy, compliance, and performance, especially within the UK jurisdiction.
Why UK Data Storage Matters
Choosing a platform with UK data storage has real benefits:
- Your personal data stays under UK law - easier compliance with GDPR and other regulations.
- Stronger data security – reduced risk of exposure to international threats.
- Faster performance – local servers mean faster load times and a smoother user experience.
- More trust from respondents, especially in the public sector and regulated industries.
- Local, knowledgeable support – our UK-based team understands your needs and works in the same time zone, which means quick responses.
Why Customers Choose SmartSurvey Over US-Based Platforms
When it comes to data security, legal compliance, and peace of mind, SmartSurvey offers a level of assurance that many international platforms simply can’t match.
Here’s why UK organisations - including the NHS, Central and Local Government, and financial services - trust us:
100% UK-Based Operations
- No US Ownership. We’re a fully UK-owned and operated business. That means your personal data is not subject to US surveillance laws like the CLOUD Act or FISA, which can compel US-based companies to share your personal data - even if it’s hosted in the UK or EU.
- UK Data Residency by Default. All customer personal data is stored and processed in secure UK data centres, under UK jurisdiction and data protection law.
UK-Based Support & Development Teams
- No International Transfers During Support. Our entire customer support team is UK-based. If we need to access your account to help resolve an issue, we do so from within the UK, so your personal data never leaves the country.
- In-House Development Team. Our developers are also based in the UK, ensuring all platform maintenance and feature development happens within the UK jurisdiction.
- Staff Vetting. All SmartSurvey employees, including support and engineering staff, are security vetted to the BS7858 standard, the UK benchmark for personnel screening in sensitive industries.
Independent Security Certifications
- Cyber Essentials Plus. Certified under the UK government’s Cyber Essentials Plus scheme, proving strong defences against common cyber threats - independently audited every year.
- ISO/IEC 27001. Certified to the international standard for information security management, showing robust systems for protecting personal and sensitive data.
- NHS Data Security & Protection Toolkit (DSPT). Approved for use by NHS organisations, confirming that SmartSurvey meets healthcare-grade security and privacy standards.
- FSQS Accredited. Fully accredited by the Financial Services Qualification System, which means we meet the due diligence and compliance requirements of UK banks and insurance companies.
Strong Independent Ratings
- SecurityScorecard: A Rating (98/100)
We’ve been independently assessed by SecurityScorecard, one of the industry’s leading cybersecurity rating platforms.
Our A rating (98/100) indicates excellent security hygiene across network security, application security, DNS health, and more - giving you confidence that your personal data is protected at every level.
Global Privacy Compliance
SmartSurvey meets the requirements of major international privacy regulations:
- GDPR – UK & EU data protection
- HIPAA – US healthcare data protection
- CCPA – California consumer privacy
These compliance frameworks are built into our platform and operations, giving you flexibility to serve users across sectors and regions while maintaining your legal obligations.
Summary: Trust, Transparency, and UK Assurance
Choosing SmartSurvey means choosing:
- Local compliance
- Reduced data risk
- Faster and more relevant support
- No hidden data transfers
- A team that understands UK regulations inside and out
If UK data residency and security compliance are priorities for your organisation, we’re the safe, supported choice.
Understanding how personal data is stored and processed across the SmartSurvey platform
Now that you’ve seen how our UK-first approach, security accreditations, and legal protections set us apart, it’s also important to understand how this plays out across the platform.
While your core survey data always remains securely stored in the UK, some optional tools and advanced configurations - such as AI, integrations, APIs, and webhooks - may involve different ways personal data is processed, depending on how they’re set up.
To clarify this, we’ve created a simple overview of how each feature handles your personal data: what stays in the UK, what might involve external processing, and who controls those choices. This will help you make informed decisions based on your organisation’s compliance needs.
SmartSurvey Personal Data Residency summary table
AI Features: Optional, Secure, and UK-First
Our AI tools, like Auto-Categorisation and Advanced Sentiment Analysis, help you get deeper insights while keeping your personal data safe.
- AI tools process personal data in UK-based Microsoft data centres.
- Personal data does not usually leave the UK.
- In rare cases, Microsoft might reroute personal data (e.g., due to a legal request or major failure).
- AI tools are optional and can be turned off at any time.
Integrations with Third-Party Tools (via integration.app)
SmartSurvey uses integration.app to help you connect your surveys with tools like Salesforce, Teams, and more.
- Trigger only – Personal data stays in the UK.
- Push/Pull integrations – personal data may be processed outside the UK depending on where connected tools are hosted.
APIs: Ideal for Two-Way Personal Data Requests and Complex Automation
💡 Tip: If maintaining UK-only personal data storage is essential, design your API setup to avoid sending or receiving personal data, or ensure any connected systems are UK-hosted or compliant with UK data laws.
SmartSurvey’s API allows you to build powerful, automated workflows that connect survey activity with other tools and systems. How personal data is handled depends entirely on how you use the API.
Here are the two common API use cases:
1. Trigger-Only API Calls
These simply trigger an action within SmartSurvey or another system (e.g. send a survey when an event occurs).
No customer data is transferred; everything stays within SmartSurvey’s UK infrastructure.
2. Push/Pull Data Operations
These involve sending (pushing) or retrieving (pulling) personal or response data between SmartSurvey and another system.
If the external system is hosted outside the UK, this may involve personal data leaving UK jurisdiction.
Webhooks: Great for Sending Personal Data from SmartSurvey to Another Platform
💡 Tip: To maintain UK-only personal data storage, configure your webhooks to send only minimal, non-personal data or ensure the receiving system is hosted in the UK or meets UK data protection standards.
Webhooks let SmartSurvey notify your systems in real time when certain events happen, like when someone completes a survey. How much personal data is transferred depends entirely on how the webhook is configured.
Here are the two most common ways webhooks are used:
1. Notification-Only Webhooks
These send a simple event update (e.g. “survey completed”) without including any survey responses or personal information.
When set up this way, no personal data leaves SmartSurvey’s UK-based infrastructure.
2. Data-Sending Webhooks
These send survey responses or personal data to another system for further processing. In this case, the personal data is transferred and may be stored or processed outside the UK, depending on where the receiving system is hosted.
Email & SMS Services: UK-Based and Secure
We use UK providers for all built-in email and SMS features:
- Email (Vultr): Hosted entirely in the UK.
- SMS (FireText): Also UK-based.
💡 Tip: Sending SMS messages internationally means personal data will be processed by telecom carriers in the destination country. To minimise the risk of personal data being handled outside the UK, consider filtering recipients to UK-only numbers using the +44 country code.
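The +44 filter suggested in the tip above, as an added example (not SmartSurvey code): it normalises the common ways a number is written before testing the country code, and sets aside +44 ranges used by the Crown Dependencies, which share the code but are outside the UK. The function names, the prefix list (illustrative, not exhaustive) and the treatment of a leading 0 as UK national format are assumptions; the sample numbers are constructed.

```python
import re

# Prefixes after +44 that belong to the Crown Dependencies, which share the
# +44 country code but are not part of the UK. Illustrative, not exhaustive.
CROWN_DEPENDENCY_PREFIXES = ("1481", "1534", "1624", "7624", "7781", "7797")


def normalise(raw):
    """Return the number in +<digits> form, or None if it cannot be parsed."""
    s = re.sub(r"[\s().-]", "", raw)
    if s.startswith("00"):          # international access prefix, e.g. 0044...
        s = "+" + s[2:]
    elif s.startswith("0"):         # assumption: national format means UK-dialled
        s = "+44" + s[1:]
    if s.startswith("+440"):        # "+44 (0)7700 ..." written with the trunk zero
        s = "+44" + s[4:]
    return s if re.fullmatch(r"\+\d{8,15}", s) else None


def partition_recipients(numbers):
    """Split recipients into UK sends, numbers needing review, and exclusions."""
    result = {"uk": [], "review": [], "excluded": []}
    for raw in numbers:
        n = normalise(raw)
        if n is None or not n.startswith("+44"):
            result["excluded"].append(raw)   # non-UK, ambiguous or unparseable
        elif n[3:].startswith(CROWN_DEPENDENCY_PREFIXES):
            result["review"].append(n)       # +44 but possibly outside the UK
        else:
            result["uk"].append(n)
    return result


# Constructed sample recipients (not real subscribers).
SAMPLE = [
    "07700 900123",        # UK national format
    "+44 (0)7700 900456",  # UK with trunk zero
    "0044 20 7946 0018",   # UK via 00 prefix
    "+44 7624 123456",     # Isle of Man mobile range
    "+1 202 555 0143",     # United States
    "+353 1 555 0100",     # Ireland
    "4420 7946 0018",      # no + or 00: ambiguous, excluded
    "n/a",
]

if __name__ == "__main__":
    for bucket, items in partition_recipients(SAMPLE).items():
        print(bucket, items)
```

Numbers that cannot be classified with confidence are excluded rather than sent, so a malformed entry never results in an international send.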
Need UK-Only Compliance? We’ll Help You Get There
If your organisation requires strict UK-only personal data residency, we can help. From disabling AI features to offering guidance on the best way to configure your APIs and integrations, we’ll support you every step of the way.
Talk to our UK-based team – we’re here to help you collect feedback securely and compliantly.