Have questions? 0800 0937 822

SmartSurvey and GDPR

Data security has always been of paramount importance to SmartSurvey and GDPR coming into force on May 25th, 2018 didn’t change that. We’ve made this page to convey how we attained GDPR compliance and how we’ll maintain it in the future.

Secure processes and infrastructure

Our ISO27001 certification means that we have robust measures in place to secure our users’ data. It means staff trained in information security, a high level of infrastructure security, and a security-first culture.

Secure, UK-Based Data Storage

All the data collected on behalf of our users is kept in the UK in a secure data centre. All data is encrypted both in transmission and at rest.

Making it easy for user compliance

Our app makes it simple to comply with requests from data subjects for the exercising of their rights, such as erasure, restriction, rectification, or portability.

What is GDPR?

We have assumed that, if you’re on this page, you already know the basics of GDPR. If not, here’s a very quick primer. It stands for “General Data Protection Regulation”, which is the overall EU-wide legislation for data protection. All organisations that process the data of EU citizens must comply with it.

Responsibility for enforcement lies with national-level organisations, with which processing companies must register. In the UK, this is the Information Commissioner’s Office (ICO), who have a wealth of GDPR resources on their website (ico.org.uk).

Security Features:

  • Verified Email Sending with SPF and DKIM
  • SSL protected surveys
  • 3rd-party penetration tests carried out annually
  • Data encrypted in transit and at rest (TLS 1.2)
  • Password Policies to define complexity and expiration windows
  • Two-Factor Authentication via app or SMS
  • IP Whitelisting
  • Password protection of survey reports
  • Highly configurable permissions settings for team working. Default settings are the most secure / restrictive
  • Simple email opt-out for respondents
  • Anonymous responses if required
  • Data Retention policy means that deleted data is not retained.
  • Capacity for bespoke contracts and security documentation for large clients.
gdpr compliance

Are you GDPR Compliant?

Take our GDPR Compliance Checker quiz to see how prepared you are.

Take the quiz

Learn more about GDPR

gdpr compliant seal

Results of the GDPR readiness survey

We carried out a short survey to gather feedback on some of the most important aspects about what GDPR will mean for different organisations, and the results are in!

Find out more
gdpr blog article

Guide on creating GDPR compliant surveys

It is really easy to sign up and start collecting data, however, with the change in legislation means you need to know if the surveys you are sending out are GDPR compliant.

Find out more
gdpr templates hero image

GDPR Templates – for compliance with data collection

SmartSurvey can provide you with the tools, GDPR templates, and consultancy services you need to become fully compliant with GDPR.

Find out more

Frequently Asked Questions

  • What are the key documents that set out your GDPR Compliance?

    Taken together, our Terms of use and Privacy Policy & Statement make clear how we will treat your data and that of your respondents. For more technical information, we are working on an information security white paper that will explain the infrastructure, encryption, and other measures that are in place to protect data. This will be available on request.

  • What kinds of Data do you collect, and who controls it?

    Contact lists – Users can upload contact lists to SmartSurvey. At a minimum, this will contain email addresses, but may also have other information like names. Controlled by User

    The surveys themselves – Questions, layouts, images, branding, other hosted files in the file library. Controlled by User.

    Response data – this is entered by or gathered from respondents when responding to surveys or completing forms hosted on SmartSurvey. That can be of almost any type. Controlled by User.

    User data – information about account holders – email addresses, passwords, other information relating to those users. Controlled by SmartSurvey.

    Cookie data – Helps us to improve our website’s performance and your experience of using our website. Controlled by SmartSurvey.

  • Is my data encrypted?

    Yes, all data is encrypted both in transmission using TLS 1.2 and at rest using SQL Transparent Data Encryption (TDE).

  • Do I need to have consent to process personal data?

    Not always. There must be a lawful basis for processing, and consent is one of these, but it’s not the only one. Consent is often preferred because it’s the easiest to establish (the others require more in the way of justification), but it’s also the easiest to lose, as the subject can withdraw it at any time.

    You can find out more about the lawful bases for processing at the ICO: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/

  • How do I establish consent? Does it have to be a ticked box?

    While one of the simplest methods to establish consent is via a ticked box, it’s not the only method. If a survey was prefaced by a short statement making clear what the survey is, who is running it, what the purpose of the processing will be, and making clear that by submitting a response, they are consenting to the stated processing, this would be fine – the respondent can simply leave the survey without completing it if they don’t consent to processing.

    For more information on valid consent, please see: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/

  • Where do you store data?

    Our servers are based in the UK. No one will access your data unless they have the credentials to access your account, you publish that data, or our staff for the purposes of providing you support or fixing a technical issue. Our staff are all UK based.

  • What is your data retention policy?

    As you are the data controllers for your surveys, you are responsible for setting the retention policies for your surveys. At the moment, deletion of surveys and their associated data has to be initiated manually, though we are working on features to automate this to an extent, if the user desires it. Once deleted, the survey will only exist on backups, which can persist for up to 30 days before it is fully erased.

  • Can Surveys be made anonymous?

    Yes, surveys can be set to be anonymised. This will mean that the IP address (and email address, for surveys distributed via email) of the respondent will not be recorded.

    For details on how to implement this, see the help guide: https://help.smartsurvey.co.uk/article/anonymous-responses

  • How do I comply with requests for Deletion, Rectification, Access and Portability?

    SmartSurvey allows you to find, edit, export, and delete specific responses for a survey. These features mean that all the rights conferred under GDPR can be complied with. For a full guide on how to do this, visit the knowledgebase

    https://help.smartsurvey.co.uk/article/GDPR-%E2%80%93-Complying-with-requests-from-respondents

  • How do I submit a request regarding data that has been collected about me?

    If you’re a respondent, you need to get in touch with the person or organisation who collected the data about you, because they are the data controllers.

    If you’re a user, raise a support ticket about your request and we’ll action it as quickly as we can.

  • How do I remove Personal Data from surveys I’ve done in the past?

    The simplest method is to delete any questions containing personal data from your account, or delete the survey outright. Once deleted, the survey and its data will only be retained for the length of the 21-day backup period, after which it will be erased.

    A fuller guide to doing this is on the knowledgebase: https://help.smartsurvey.co.uk/article/GDPR---Removing-Personal-Data-Responses-from-surveys

  • Do you have any sub-processors that could access my data?

    No. The only way that data collected via SmartSurvey would be accessed by a third party is as the result of user action, either manual exports, using the API to transfer data, or setting up a Zapier integration.

  • What about IP Address data?

    By default, SmartSurvey records the IP address of every respondent. This can be changed in the Survey Settings or in the Tracking Link Settings by activating anonymous surveys. The IP address is always transmitted to us as part of the process of making a connection across the internet, but with anonymous surveys activated, it is discarded before it can be observed. More information about IP address handling can be found on this guide:

    https://help.smartsurvey.co.uk/article/IP-Address-Tracking

  • What certifications do you hold that confirm your security?

    ISO27001 Certified

    Our ISO27001 certification means that we’ve had to demonstrate that our real-world approach to information security matches our claims. We are audited on an annual basis to prove that. While it doesn’t directly certify our GDPR compliance, it certifies the processes and procedures upon which we rely for compliance.

    The standard requires systematic examination of any risks to information security, with comprehensive policies to manage those risks put in place. By continuously updating our data security policies we ensure that we are a proactive organisation, not reactive one. Accredited certification to ISO27001 validates that we are following international information security best practices. This demonstrates to our customers worldwide that we take the security of their data very seriously. Certification to ISO27001 ensures that all our client’s information is kept secure and shows our ongoing commitment to delivering an exceptional service.

    Cyber Essentials Plus Certified

    We are Cyber Essentials Plus Certified. The Cyber Essentials scheme, has been designed to prevent the most prevalent forms of cyber-attacks. The Cyber Essentials Plus scheme provides a higher level of assurance, tested by a qualified and independent assessor who simulates basic hacking and phishing attacks and is now a minimum requirement for bidding for some government contracts.

  • What software security measures are in place?

    Access Control

    Respondents' access to surveys can be controlled by password and username protection. This feature ensures only a certain group of individuals chosen by you, the Administrator, are able to take the survey.

    Firewall

    Our firewall is set up as a separate machine that acts as a gateway for access to all other servers in our system. This firewall is designed to prevent hackers from entering the system and searching files and information. The firewall acts as a barrier so that we only have a single point of entry to our system, which is through the web browser. All of our internal databases and applications are shielded from any access outside the firewall.

    McAfee Secure

    SmartSurvey is tested and certified daily to pass the McAfee Secure Security Scan. To help address concerns about hacker access to confidential data, the "live" McAfee Secure mark appears only when a website meets the McAfee Secure standards.

    Data encryption

    During transit from client to server, data is encrypted with TLS. We use Microsoft SQL Server Transparent Data Encryption (TDE) to encrypt data at rest using AES encryption algorithm.

  • What Physical and Infrastructure measures are in place?

    Robust physical security

    Rackspace Limited is responsible for providing us with dedicated servers for hosting survey data and physically securing those servers. For more information on Rackspace’s physical security, please visit: https://www.rackspace.com/en-gb/information/legal/securitypractices

    Backups

    We store backups in a separate physical location.

    Testing

    Annual penetration testing or sooner if there is a significant change to the infrastructure.

    Monitoring

    We have monitoring tools in place to measure server and application performance ensuring the performance of all our devices (CPU, Memory, Disk Storage, etc.) and access to our website from different locations.

    Employees

    Only employees with certain privileges can access your data with your permission in order to provide you with support, for fixing technical issues or other services that you have expressly requested. All SmartSurvey employees have signed confidentiality provisions and are trained regularly on data protection and GDPR.

  • How else does SmartSurvey comply with GDPR?

    Processes personal data only in accordance to your instructions.

    SmartSurvey takes exceptional care in understanding how you want the data to be processed. Our DPO is always at hand to assist you with this. Our solutions both general and bespoke made always give you the control to process the data in a way which is GDPR compliant.

    Inform you where it believes that a breach of GDPR occurs from your instructions

    SmartSurvey’s DPO looks over how data is stored, transferred and is responsible for training the relevant staff. Where someone identifies or suspects a breach of GDPR, it is instantly escalated to our DPO who looks over the issue and communicates his findings to reach a solution which helps you comply.

    Delete or return all personal data at end of service

    SmartSurvey provides you access to all of your data through your account, this can be backed-up, rectified or deleted in accordance to your needs.

    Enable compliance audits and help you with them

    SmartSurvey takes a strong stance on helping its customers carry out compliance audits and help you comply from using our service.

    Notify data controllers of data breaches

    We have robust systems which alerts us when a data breach occurs. As soon as SmartSurvey discovers a data breach has occurred or even suspects a data breach, it will communicate this to you as soon as possible and will provide you all the details to help you comply with your GDPR breach notification responsibilities.

    Appoint a DPO when required under the Regulation.

    SmartSurvey has appointed a DPO and possesses a data protection team handling all aspects data protection and privacy – ranging from cyber security to legal compliance.

  • Do you need more information?

    For security related concerns, please contact: security@smartsurvey.co.uk

    For legal/data protection related questions, please contact: legal@smartsurvey.co.uk

Safe & Secure

Security is our most important feature
and we take it seriously


Security Features

Enable SSL encryption on any survey. Apply password protection and IP restriction on user accounts and survey responses.

ISO 27001 Certified

The highest possible standard for data security. An internationally recognised system for keeping information assets secure.

UK/EU Based Servers

All data is stored and backed up on UK/EU-based servers. You can rest assured your data never leaves the EU.

Data Protection Act

Fully compliant with EU Privacy Laws and registered under the Data Protection Act.


  • GDPR compliant
  • ISO 27001 security logo
  • G-Cloud supplier
  • Cyber essentials plus
  • MRS Company Partner
  • Information Commissioners Office
  • McAfee Secure site logo
  • DSS compliant

Get started and create your first survey

If you would like more information then please get in touch,
or you can call us on 0800 0937 822.

UK-based with safe and secure data storage

100% personal, one-to-one online service

Trusted by leading brands worldwide

GDPR compliant with data collection

Send us a message

Book Your Live Personalised Demonstration

Request a free live and personalised demonstration of SmartSurvey. One of our friendly team members will talk you through the software and answer any questions.