Our Guarantee: Data Privacy and Security
Download PDF version.
User Names and Passwords
Sogolytics (formerly SoGoSurvey) provides each user in your organization with a unique, secure User ID and password that must be entered each time a user logs on. We follow the best practices in the industry for storing confidential data. Passwords are encrypted with SHA-256 Cryptographic Hash Algorithm in the database before they are saved, and a session “cookie” is issued to record this encrypted authentication information only for the duration of a specific session. The session “cookie” does not include either User ID or password of the user.
Our customers own all of their survey content and responses. Data may be exported from our system in any of the available formats at any point for external use.
Credit Card Security
Sogolytics does not store any credit card information. Credit card details are securely handled by the third party payment management system we use, a completely PCI DSS compliant organization.
All data is stored on servers located in the United States.
The security of your survey data is of utmost importance to us, as we know it is to you. We understand it needs to be confidential, accurate, and always available.
Sogolytics data is hosted in highly rated data centers, a standard that ensures 24/7 availability, redundancy, and operational sustainability.
Data Center Certification
We are hosted in Tier IV and Tier III data centers in the United States. This extremely stringent rating indicates 99.9% availability for our application users and survey takers.
Data Center Compliance
The data centers we use have been audited to meet SSAE 16, SAS 70, SOC 2, SOC 3, PCI DSS and HIPAA compliances.
Data Center Security
All data center operations are protected 24/7/365 by 6-level security.
Mobile App Security
We follow industry best standards to develop, deploy, authenticate, maintain and transit data. Any third party libraries used in the code is thoroughly tested before launch. Informed consent is taken from end-user before collecting or processing information. We do not seek access or auto-store information. User consent is only taken to provide services which absolutely requires device-permissions or enhance user experience.
Data Encryption in Transit and At Rest
All our communication is HTTPS - we encrypt data during transit using 256-bit encryption. We encrypt all customer data at rest.
We follow Minimum Security Baseline (MSB) for system hardening and use a strong firewall for data protection. We follow industry best practices, including ensuring unwanted services are disabled on the firewall, default passwords are changed upon installation, and the firmware version is up-to-date.
Access is permitted only to designated IT administrators, and from only specific IP addresses.
Survey Response Encryption
It is critical for us to guarantee that responses are kept completely secure. We use 256-bit SSL encryption during data transmission, thus ensuring secure transfer of confidential data.
We have an SLA of 99.9% uptime for our services.
Planned downtime is limited to a maximum total of 8 hours per year, allowing for the performance of regular maintenance. All users are informed of the date and time of this maintenance at least one week in advance.
We have failover in place for all critical hardware and software components, as well as for the entire site. An individual hardware mechanism is available as a failover for every component. We also have an offline failover system for complete failover in cold state when a daily backup copy is being restored.
Data Backup and Frequency
Backup documentation regarding how system, application, and data backups are performed is reviewed every 3 months. Further reviews are completed whenever new hardware or applications are added.
System Scans and Upkeep
Important patches and updates are installed periodically on all of our systems. All servers are reviewed at regular intervals to make sure they are up to date. Before any patch is uploaded on production servers, it is uploaded on a local environment where a specialized team of QA testers verify and certify that uploading the patch will have no adverse effect on any of the applications, systems, or components. The patch management server monitors the need for any critical patches, which are uploaded within three days, following ample testing. Additionally, our Microsoft subscription provides us with advice about relevant patches and updates which we regularly review and implement as needed.
We use third party scanning tools and maintain an in-house security team for regular audits.
We perform penetration system testing every six months and before every new release to eliminate any vulnerable areas in our network.
Personal Training and Access
We perform background screening on all employees, to the extent possible within local laws.
We provide all the essential security and technology use training for all employees.
We screen our service providers and they are bound by contract to confidentiality and security obligations if they deal with any user data.
Access controls to sensitive data in our databases, systems, and environments are set on a need-to-know / least privilege necessary basis.
We regularly maintain and monitor audit logs on all our services and systems.
Our engineers use the best coding practices and industry-standard secure guidelines which align with the OWASP Top 10. All development is done in-house.
We deploy code regularly when any bugs are noticed on the production environment.
Certification and Compliances
Sogolytics is ISO 27001 certified, offering you the highest level of assurance in our business processes and practices. The rigorous ISO 27001 certification process includes an intensive audit by an accredited third party to certify that Sogolytics operates in a professional manner, values security highly, and complies with this internationally recognized top-tier standard. This certification also provides additional clarity regarding evaluation of the quality, breadth, and strength of our organization’s security practices.
EU-U.S. Privacy Shield
Sogolytics LLC. (“Sogolytics”) participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. Sogolytics is committed to subjecting all personal data received from European Union (EU) member countries, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List EU-U.S. Privacy Shield.
Swiss-U.S. Privacy Shield
Sogolytics complies with the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal data from Switzerland. Sogolytics has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view Sogolytics’s certification, please visit U.S. – Swiss Safe Harbor Framework.
Data Center Certifications and Compliances
SSAE 16, SAS 70, SOC 2, PCI DSS and HIPAA compliances.
In Case of a Security Breach
We have implemented substantial and elaborate security measures to protect your Information. Unique user names and passwords must be entered each time a person logs on. The site is hosted in a secure server environment that uses a firewall and other technology to prevent access from outside intruders. Internally, we use security logs, train our employees, and limit access to only essential personnel. When transmitting sensitive Information, we use encryption technology. All our technology and processes are not, however, guarantees of security. If we do notice a security breach, we will notify the affected users via email so that they can take preventive actions.
Sogolytics allows account administrators to create and manage sub-accounts and determine permission levels, eliminating risky password sharing, confusion and inefficiency, while maintaining data privacy. There will be times when sharing data with people inside and outside of your organization is essential to facilitating workflow; still, controlling access to sensitive information is the only way to ensure it is secure.
Please ensure that you use the enhanced security option when running all your surveys. Please keep your user name and password secret and let us know immediately if you suspect that our security has been breached by emailing us at firstname.lastname@example.org.
If you have any specific questions, please contact us at email@example.com.