SmartSurvey Security & Data Protection

Working in partnership is key to keeping your data secure.

Protecting your account

You have an important role to play in keeping your account secure, which if you’re on a team plan also includes the security of your sub-users’ accounts.

As a SmartSurvey user and Data Controller, you’re responsible for the survey data you generate, which will often include personal data.

It is important that you always protect your account and do not share your password or account with others.

Consider the scenario of an organisation using shared accounts, which runs the risk of data being lost or stolen, either through mistakes or the actions of disgruntled employees. With no clear audit trail about who has had access to the data and at what specific times, such a lack of oversight is likely to be viewed harshly by data protection authorities when they’re assessing fines for a data breach.

It’s also important to note that shared accounts run the risk of a single user resetting the password, which leads to all other users of that shared account being locked out.

Account security features for you to use

To ensure that only the named user can access the SmartSurvey account, we provide a range of security features available on different plans.

Two-factor authentication

Users with paid accounts (not our Basic plan) can enable two-factor authentication on their account using a third-party app, such as Google Authenticator.

On our Enterprise plans users can also activate two-factor authentication via SMS.

Set password policies

Master users of Enterprise Plus accounts can create password policies that all sub-user accounts must comply with. Password policies define the level of complexity, mandatory elements and expiry windows for passwords.

IP restriction

Enterprise Team and Enterprise Plus accounts benefit from the option to restrict access to SmartSurvey to specific IP addresses only.

Team accounts

For organisations with multiple users who need access to create, distribute and analyse surveys, we offer team accounts. On team accounts, multiple users can be allocated a licence to access their own SmartSurvey account, as part of the Organisation account.

As mentioned above, we do not permit, and advise against, user accounts being shared by multiple users, as this not only breaches our terms but also exposes the account to a greater risk of data breach and non-compliance with GDPR obligations.

Single sign on

Single Sign On (SSO) links SmartSurvey to your organisation’s internal user directory, which means your users only require their organisation’s user credentials to log into SmartSurvey. This makes it much easier than remembering multiple passwords and is more secure, as the user will be named and linked internally.

The organisation can clearly see within its user directory which users have access to SmartSurvey, and can change that access without logging into SmartSurvey.

To sign up to SmartSurvey, a user can also log in and set up an account directly, if they’ve been given permission centrally.

SSO is available as an add-on on our Enterprise Plus accounts and is commonly used within SMEs and large organisations.

User permissions

Our user permissions are based on survey access and therefore master users and sub-users on team accounts can assign different permissions to other users:

  • Design: update pages/questions/options and all other design settings
  • Settings: update survey settings
  • Collect: switch the survey online/offline and distribute via various methods
  • Results: view results of the survey
  • Clear: clear or delete survey responses
  • Copy: copy the survey design

Shared account notification

To help users ensure that their accounts are secure and accessible only by themselves, our notification system will notify the user if a second person has logged into SmartSurvey with their credentials while they are logged in.

This allows the user to find out who else is using their credentials and to ensure that each user has their own user licence.

The notification will show once, each time a new login occurs using the same credentials as the user currently logged in.

Session timeouts

An active session expires after 2 hours of inactivity. After this point, your users will need to log in again. This helps to protect your account from access via an unattended workstation.
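As an added illustration (not SmartSurvey's own code, whose implementation is not published), the following Python model implements the three account-protection behaviours described above: the IP restriction allow-list, the one-time notification shown to a logged-in user when a second login uses the same credentials, and the 2-hour idle timeout. Class and method names, and the integer-seconds clock, are assumptions.

```python
# Added example (not SmartSurvey's code; their implementation is not published).
# Models three account-protection behaviours from the page: an IP allow-list,
# the one-time notification when a second login uses the same credentials, and
# the 2-hour idle timeout. Names and the integer-seconds clock are assumptions.
import ipaddress
from dataclasses import dataclass, field

IDLE_TIMEOUT_SECONDS = 2 * 60 * 60  # sessions end after 2 hours of inactivity


@dataclass
class Session:
    session_id: str
    username: str
    ip: str
    last_activity: int                                 # seconds (constructed clock)
    notified_about: set = field(default_factory=set)   # other logins already flagged


class SessionStore:
    """In-memory session table for a set of accounts."""

    def __init__(self, allowed_cidrs=None):
        # An empty allow-list means no IP restriction is configured.
        self.allowed = [ipaddress.ip_network(c) for c in (allowed_cidrs or [])]
        self.sessions = {}
        self._next_id = 0

    def ip_allowed(self, ip):
        if not self.allowed:
            return True
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allowed)

    def _expired(self, session, now):
        return now - session.last_activity > IDLE_TIMEOUT_SECONDS

    def login(self, username, ip, now):
        """Return a new session id, or None if the source IP is not permitted."""
        if not self.ip_allowed(ip):
            return None
        self._next_id += 1
        sid = f"s{self._next_id}"
        self.sessions[sid] = Session(sid, username, ip, now)
        return sid

    def touch(self, sid, now):
        """Call on every request. Returns (still_active, list_of_notices)."""
        session = self.sessions.get(sid)
        if session is None:
            return False, []
        if self._expired(session, now):
            del self.sessions[sid]                     # idle too long: force re-login
            return False, []
        session.last_activity = now
        notices = []
        for other in self.sessions.values():
            if other.session_id == sid or other.username != session.username:
                continue
            if self._expired(other, now) or other.session_id in session.notified_about:
                continue                               # stale, or already shown once
            session.notified_about.add(other.session_id)
            notices.append(f"Another login to '{session.username}' is active from {other.ip}")
        return True, notices
```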


How we protect your data

We make every effort to ensure that all information provided is maintained in a secure environment.

We have robust processes in place across our systems and people to ensure that the correct behaviours and approaches are always followed and that your data remains safe and secure.

Data protection

ISO27001 certified

We are certified and fully compliant with ISO27001, an internationally recognised standard for information security management systems.

The standard requires systematic examination of any risks to information security, and demonstration of comprehensive policies put in place to manage those risks.

HIPAA compliant

We offer our Enterprise customers HIPAA compliant surveys and have the appropriate physical, organisational and technical safeguards in place to keep identifiable health information secure. We also offer the opportunity to enter into a Business Associate contract with us for the purposes of HIPAA compliance.

NHS Digital

NHS Data Security and Protection Toolkit – SmartSurvey is registered on the NHS DSPT database and complies with the requirements set by the toolkit.
All organisations that have access to NHS patient data and systems must sign up to the toolkit to provide assurance that they are practising good data security and that personal information is handled correctly. Our NHS DSPT organisation code is ‘8K376’.

Cyber Security


Cyber Essentials Plus

Developed by the UK Government, the Cyber Essentials scheme has been designed to prevent the most prevalent forms of cyber attacks.

The Cyber Essentials Plus scheme provides a higher level of assurance, tested by a qualified and independent assessor who simulates basic hacking and phishing attacks and is now a minimum requirement for bidding for some government contracts.


McAfee secure

SmartSurvey is tested and certified daily to pass the McAfee Secure Security Scan. To help address concerns about hacker access to confidential data, the “live” McAfee Secure mark appears only when a website meets the McAfee Secure standards.

Research indicates sites remotely scanned for known vulnerabilities on a daily basis, such as those earning McAfee Secure certification, can prevent over 99% of hacker crime.

Survey security

We provide various options to ensure that the right respondents are responding to your survey and their responses are safe.

  • All survey web pages are SSL encrypted by default
  • Users on paid accounts can require a password to access a survey
  • For an additional level of security, a username and password can be required for survey respondents to access the survey
  • Shared survey results summary can require a password to access
  • Users on Enterprise and above can restrict a survey to only be accessible from specific IP addresses

Contacting us securely

Our customer support team follow a strict process to verify they are speaking to the registered account holder.


GDPR & data management

Data security has always been of paramount importance to us and GDPR coming into force on May 25th, 2018 didn’t change that.

What is GDPR?

The General Data Protection Regulation (GDPR) is an EU law, with mandatory rules for how organisations and companies must use personal data in a way that is friendly and demonstrates integrity.

Personal data means any information which, directly or indirectly could identify a living person.

Name, phone number and address are clear examples of personally identifiable information. However, you can also identify a person by their interests, purchases, health and online behaviour, as well as information like their IP address and operating system, depending on your data sample.

Processing data means collecting, structuring, organising, using, storing, sharing, disclosing, erasing and destroying data. Each organisation with employees and customers must ensure that the personal data it uses fulfils the requirements of the GDPR.

5 reasons GDPR compliance for data collection is important

  1. Penalties for breaching GDPR can result in strict fines.
  2. To prevent reputational harm to your brand.
  3. To take advantage of cost savings when collecting data from new markets.
  4. Generate value from stored data by removing old records.
  5. Streamline data protection rules to avoid room for error.

Consequences of not being GDPR compliant

Penalties for non-compliance with GDPR apply to both data controllers and processors and depend on certain factors, including:

  • Duration of the infringement
  • Quantity of the data subjects affected
  • Level of impact

For serious violation of the regulations, businesses could face penalty fines of up to 20 million euros or 4% of global turnover, whichever is higher.

Visit the ICO website for further updates and an overview of the General Data Protection Regulation (GDPR).

Types of data users

GDPR defines three main groups in relation to data processing. Due to the nature of our relationship with customers and their respondents, here is a short overview of which groups various people fall into:

SmartSurvey

  • We are the Data Controller for data specifically about our customers. This refers to your contact information, payment information and other data that is held by us, so that we can provide you with the service we do.
  • We then act as a Data Processor for the data that our customers collect from their respondents.

SmartSurvey customers

  • SmartSurvey customers are Data Subjects for the data they supply about themselves in relation to their account and the delivery of the service.
  • SmartSurvey customers are Data Controllers for the data they collect from and about their respondents.

Survey respondents

  • Respondents are Data Subjects.

Types of data

We collect various types of data. Outlined below is a summary of these types of data and who controls it:

User data: Information about account holders – email addresses, passwords, other information relating to those users. Controlled by SmartSurvey.

The surveys themselves: Questions (can be stored in a library), layouts, images, branding, other hosted files in the file library. Controlled by User.

Contact lists (optional): Users can optionally upload contact lists to SmartSurvey. At a minimum, this will contain email addresses, but may also have other information like names. Controlled by User.

Response data: This is entered by respondents when responding to surveys or completing forms hosted on SmartSurvey. That can be of almost any type. Controlled by User.

Cookie data: Helps us to improve website and app performance and your experience of using our website. Controlled by SmartSurvey.

For more information read our privacy policy.

All collected response data is solely controlled by the user. SmartSurvey does not access it for any purpose, except in the circumstances of account support with the permission of the account holder or for security purposes. All collected data can be deleted by the user, via our response clearing tool by deleting individually or in bulk.

Further reading

Results of the GDPR readiness survey

We carried out a short survey to gather feedback on some of the most important aspects about what GDPR will mean for different organisations, and the results are in!

Guide on creating GDPR compliant surveys

It is really easy to sign up and start collecting data; however, the change in legislation means you need to know whether the surveys you are sending out are GDPR compliant.

GDPR templates – for compliance with data collection

SmartSurvey can provide you with the tools, GDPR templates, and consultancy services you need to become fully compliant with GDPR.

Frequently asked questions about GDPR

What should I know about consent?

A request for consent must be given in plain, easy-to-understand language and in an easily accessible form, with the purpose of the data processing attached to that consent. Consent has to be distinguishable from other matters such as using the service, must be freely given, and must be as easy to withdraw as it was for the customer to give.

What do we mean by the Personal Data Definition?

Personal data means any information relating to an identified or identifiable natural person. This will include unique identifiers, including IP addresses and cookies (where they are used to uniquely identify the device). This makes cookie use subject to the same consent requirements.

What is right to access?

The person whose data you are collecting has the right to obtain confirmation of whether personal data concerning them is being processed, where it is being processed and for what purposes. This must be provided free of charge unless the request is repetitive, excessive or unfounded.

What do we mean by the right to be forgotten?

The data subject can insist that the controller erase all personal data about them and stop the processing of it by third parties. The controller can object if there is a public interest in the availability of the data.

What is a breach notification?

Breach notification must be sent to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach. The data subject must also be notified without undue delay if the breach is likely to result in a risk to their rights and freedoms.

What is privacy by design?

Data controllers must implement appropriate technical and organisational measures to meet GDPR requirements. What we mean by this, is that they should hold and process only data that is absolutely necessary for the completion of duties, and limit access to personal data to those doing the processing.

What is data portability?

The new regulation will give individuals the right to transfer their data from one controller to another. So, organisations, on request, must be able to deliver a person’s data in a suitable format. Data collected via online surveys is immediately compliant with the data portability rule, as it can be provided instantly without needing any further handling.

Do I need a data protection officer (DPO)?

Where a DPO is required, the role can be filled by a contractor, a new hire or a member of the organisation's existing staff. It is important to note that not all organisations are obliged to have a DPO; more information can be found on the ICO's website.

What key documents set out our GDPR compliance at SmartSurvey?

Taken together, our Terms of use and Privacy Policy & Statement make clear how we will treat your data and that of your respondents. For more technical information, we are working on an information security white paper that will explain the infrastructure, encryption and other measures that are in place to protect data. This will be available on request.

What kinds of data do we collect and who controls it?

For more information, please see our Privacy Policy. Broadly, these are:

Contact lists: Users can upload contact lists to SmartSurvey. At a minimum, this will contain email addresses, but may also have other information like names. Controlled by User.

The surveys themselves: Questions, layouts, images, branding, other hosted files in the file library. Controlled by User.

Response data: this is entered by or gathered from respondents when responding to surveys or completing forms hosted on SmartSurvey. That can be of almost any type. Controlled by User.

User data: information about account holders – email addresses, passwords, other information relating to those users. Controlled by SmartSurvey.

Cookie data: Helps us to improve our website’s performance and your experience of using our website. Controlled by SmartSurvey.

Is my data encrypted?

Yes, all data is encrypted both in transmission using TLS 1.2 and at rest using SQL Transparent Data Encryption (TDE).

Do I need to have consent to process personal data?

Not always. There must be a lawful basis for processing, and consent is one of these, but it’s not the only one.

Visit the ICO for more guidance on the lawful bases for processing.

How do I establish consent? Does it have to be a ticked box?

While one of the simplest methods to establish consent is via a ticked box, it's not the only method. A survey prefaced by a short statement making clear what the survey is, who is running it, what the purpose of the processing will be, and that by submitting a response the respondent is consenting to the stated processing, would also be fine: the respondent can simply leave the survey without completing it if they don't consent to the processing.

Visit the ICO for more information on valid consent.

Where do we store data?

Our servers are based in the UK. No one will access your data unless they have the credentials for your account or you publish that data, with the exception of our staff accessing it to provide you with support or to fix a technical issue. Our staff are all UK based.

What is our data retention policy?

As you are the data controllers for your surveys, you are responsible for setting the retention policies for your surveys. At the moment, deletion of surveys and their associated data has to be initiated manually, though we are working on features to automate this to an extent, if the user desires it. Once deleted, the survey will only exist on backups, which can persist for up to 30 days before it is fully erased.

Can Surveys be made anonymous?

Yes, surveys can be set to be anonymised. This will mean that the IP address (and email address for surveys distributed via email) of the respondent will not be recorded.

For details on how to implement this, see the help guide.

How do I comply with requests for Deletion, Rectification, Access and Portability?

SmartSurvey allows you to find, edit, export and delete specific responses for a survey. These features mean that all the rights conferred under GDPR can be complied with. For a full guide on how to do this, visit the knowledgebase:

How do I submit a request regarding data that has been collected about me?

If you’re a respondent, you need to get in touch with the person or organisation who collected the data about you, because they are the data controllers.

If you’re a user, raise a support ticket about your request and we’ll action it as quickly as we can.

How do I remove Personal Data from surveys I’ve done in the past?

The simplest method is to delete any questions containing personal data from your account, or delete the survey outright. Once deleted, the survey and its data will only be retained for the length of the 30-day backup period, after which it will be erased.

For a full guide to doing this, visit the knowledgebase:

What about IP Address data?

By default, SmartSurvey records the IP address of every respondent. This can be changed in the Survey Settings or in the Tracking Link Settings by activating anonymous surveys. The IP address is always transmitted to us as part of the process of making a connection across the internet, but with anonymous surveys activated, it is discarded before it can be observed. Read our help guide for more information about IP address handling.

What certifications do we hold that confirm your security?

ISO27001 Certified
Our ISO27001 certification means that we’ve had to demonstrate that our real-world approach to information security matches our claims. We are audited on an annual basis to prove that. While it doesn’t directly certify our GDPR compliance, it certifies the processes and procedures upon which we rely for compliance.

The standard requires systematic examination of any risks to information security, with comprehensive policies to manage those risks put in place. By continuously updating our data security policies we ensure that we are a proactive organisation, not a reactive one. Accredited certification to ISO27001 validates that we are following international information security best practices. This demonstrates to our customers worldwide that we take the security of their data very seriously. Certification to ISO27001 ensures that all our clients' information is kept secure and shows our ongoing commitment to delivering an exceptional service.

Cyber Essentials Plus Certified
We are Cyber Essentials Plus Certified. The Cyber Essentials scheme has been designed to prevent the most prevalent forms of cyber-attacks. The Cyber Essentials Plus scheme provides a higher level of assurance, tested by a qualified and independent assessor who simulates basic hacking and phishing attacks and is now a minimum requirement for bidding for some government contracts.

What software security measures are in place?

Access Control
Respondents’ access to surveys can be controlled by password and username protection. This feature ensures only a certain group of individuals chosen by you, the Administrator, are able to take the survey.

Firewall
Our firewall is set up as a separate machine that acts as a gateway for access to all other servers in our system. This firewall is designed to prevent hackers from entering the system and searching files and information. The firewall acts as a barrier so that we only have a single point of entry to our system, which is through the web browser. All of our internal databases and applications are shielded from any access outside the firewall.

McAfee Secure
SmartSurvey is tested and certified daily to pass the McAfee Secure Security Scan. To help address concerns about hacker access to confidential data, the “live” McAfee Secure mark appears only when a website meets the McAfee Secure standards.

Data encryption
During transit from client to server, data is encrypted with TLS. We use Microsoft SQL Server Transparent Data Encryption (TDE) to encrypt data at rest using the AES encryption algorithm.

What Physical and Infrastructure measures are in place?

Robust physical security
UKFast is responsible for providing us with dedicated servers for hosting survey data and physically securing those servers. For more information visit UKFast’s physical security page.

Backups
We store backups in a separate physical location.

Testing
Penetration testing is carried out annually, or sooner if there is a significant change to the infrastructure.

Monitoring
We have monitoring tools in place that measure server and application performance, track resource usage on all our devices (CPU, memory, disk storage, etc.) and check access to our website from different locations.

Employees
Only employees with certain privileges can access your data with your permission in order to provide you with support, for fixing technical issues or other services that you have expressly requested. All our employees have signed confidentiality provisions and are trained regularly on data protection and GDPR.

How else do we comply with GDPR?

Process personal data only in accordance with your instructions
We take exceptional care in understanding how you want the data to be processed. Our DPO is always on hand to assist you with this. Our solutions, both general and bespoke, always give you the control to process the data in a way that is GDPR compliant.

Inform you where we believe that your instructions would result in a breach of GDPR
Our DPO oversees how data is stored and transferred, and is responsible for training the relevant staff. Where someone identifies or suspects a breach of GDPR, it is instantly escalated to our DPO, who reviews the issue and communicates their findings to reach a solution that helps you comply.

Delete or return all personal data at end of service
We provide you with access to all of your data through your account; it can be backed up, rectified or deleted in accordance with your needs.

Enable compliance audits and help you with them
We take a strong stance on helping our customers carry out compliance audits and on helping you remain compliant while using our service.

Notify data controllers of data breaches
We have robust systems that alert us when a data breach occurs. As soon as we discover, or even suspect, that a data breach has occurred, we will communicate this to you as soon as possible and provide you with all the details to help you meet your GDPR breach notification responsibilities.

Appoint a DPO when required under the Regulation
We have appointed a DPO and have a data protection team handling all aspects of data protection and privacy, ranging from cyber security to legal compliance.


Security updates

SmartSurvey launches SSO support

With Single Sign On, the number of surfaces vulnerable to attack is hugely reduced, as you only need to have one set of credentials, with everything accessible via a single log in.

HTTPS activation for all surveys

From March 1st 2021, we will be starting the process of ensuring all SmartSurvey surveys use secure browsing by switching all live surveys to HTTPS.

SmartSurvey secures Cyber Essentials PLUS

We’ve extended our Cyber Essentials PLUS accreditation for the fifth year in a row, putting us in the highest bracket of UK firms in terms of the cyber security assurances we offer customers.

Do you need more information?

For security related concerns, please contact: security@smartsurvey.co.uk
For legal/data protection related questions, please contact: legal@smartsurvey.co.uk


Risk Ledger

If you’re an Enterprise Plus customer and a Risk Ledger account holder, you can request to connect with SmartSurvey as part of your infosec questionnaire completion process.
