Security FAQ


GetFeedback is the leading provider of customer experience surveys for the Salesforce ecosystem. Founded in 2013, GetFeedback’s mission is to build beautiful, easy-to-use software for companies that want to understand and improve customer experience.

GetFeedback is part of Campaign Monitor, a well-established leader in email marketing, with more than 200 employees worldwide, and 150,000 paying customers.


GetFeedback runs entirely on the trusted Salesforce Heroku platform and on industry-leading cloud service provider Amazon Web Services (AWS) (Heroku itself also runs on AWS). We chose Heroku and AWS for a variety of reasons; trust, security, and reliability being top of mind.

Heroku’s security policy is published here:

AWS’s security policy is published here:

Where are your servers located?

GetFeedback runs in AWS’s main data center, located in Northern Virginia with our backup data center being located in Oregon.

What security certifications do you or your vendors have?

AWS facilities are accredited under:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

And others. More from AWS:

What security provisions and practices are in place at your data center(s)?

AWS data center facilities feature 24-hour manned security, biometric access control, video surveillance, and physical locks. All systems, networked devices, and circuits are constantly monitored.

What security monitoring do you offer?

Information about Heroku’s vulnerability assessment, reporting and management practices, as well as information on physical, network and data security, can be found on their security page:

How is data backed up?

GetFeedback utilizes Heroku’s PG Backups to store a full backup daily. More here:

Is our data encrypted?

All communications with and between GetFeedback servers is encrypted using industry-standard TLS/SSL.

All data is encrypted on-disk.

Does your company have an information security infrastructure and organization policy?

Yes. You can review it here:

Does your hiring process require a full background check?

Yes. All prospective employees are screened by a leading background checking service.

Does your company have a program in place to periodically test security controls?

GetFeedback is currently developing a program to periodically test security controls. This page will be updated as the program develops.

Does your company outsource any portion of your information security?

GetFeedback relies on industry-leading vendors like Heroku, Google, Amazon and Dropbox to provide services like application hosting, corporate email security and corporate file security.

What controls are in place to protect my credit card information?

GetFeedback’s credit card processing vendor Stripe uses the latest TLS technology for secure transactions. Our vendor is certified as PCI Service Provider Level 1 and is compliant with card association security initiatives, like the Visa Cardholder Information Security and Compliance (CISP), MasterCard® (SDP), and Discovery Information Security and Compliance (DISC).

Credit card numbers are never stored on GetFeedback servers. They are routed directly to Stripe. More from Stripe here:

Data privacy

GetFeedback’s Privacy Policy is here:

The Heroku platform has certified that it adheres to the US-Swiss Safe Harbor Principles. The Heroku Privacy Policy is here:

Where is our data stored?

GetFeedback runs from AWS’s main data center located in Northern Virginia.

Who owns our data?

Your survey content is owned by you, and only you choose with whom to share your surveys. Survey responses are owned and managed by the survey creator.

Who has access to our data?

Only GetFeedback administrators and customer/technical support managers have access to your survey data. Our staff will not access your response data, grant access to third parties or otherwise disseminate your response data without your permission. If there is a request for support, or if you hire our consulting services, then the person assigned to the request may, with your permission, log into your account for the purpose of troubleshooting and correcting the reported issue or performing the requested task.

The policies and practices of GetFeedback, and of the Salesforce Heroku and Amazon Web Services platforms on which GetFeedback is hosted, are consistent with the objectives of the Health Insurance Portability and Accountability Act (HIPAA) with regard to data security and data privacy.

In the following limited situations, we may disclose information that we collect or that you provide to us:

  • To our contractors, service providers and other third parties we use to support our business and who are obligated to keep personal information confidential and use it only for the purposes for which we disclose it to them.
  • In an aggregated or anonymized format where no individual can be identified or linked to any part of the information.
  • To comply with any court order, law or legal process, including responding to a governmental or regulatory request.
  • To enforce our rights arising from any contracts entered into between you and us and for billing and collection.
  • To a buyer or other successor in the event of a merger, sale or transfer of some or all of GetFeedback, Inc.’s assets.
  • For any other purpose disclosed by us when you provide the information.
  • With your consent.

We only use information that we collect about or from survey takers, including any personal information, to:

  • Improve our Services and resolve technical issues.
  • Provide customer support.
  • Fulfill any other purpose for which you provide it.

Do you guarantee full erasure of data?

Deleting your content may not immediately remove the content you have published from our systems, because of caching, backups, or other references to your account. GetFeedback guarantees full erasure of deleted data within 90 days of a written request.

What controls are in place to ensure that when another customer's data is compromised our data would not also be compromised?

Though of course not every possible type of malicious data access can be anticipated, GetFeedback’s application security architecture ensures segregation of customer data.


What practices / controls are in place to maximize uptime?

GetFeedback runs in facilities powered by redundant power, each with UPS and backup generators. Heroku’s application deployment model minimizes the risk that changes to the GetFeedback application will disrupt service.

What is your uptime?

GetFeedback’s availability is consistently above 99.95% and is usually very close to 99.99%.

How do you communicate with customers when there is a problem with the application?

We tweet from @getfeedback, though this is rarely necessary.

Heroku publishes their uptime here:

AWS publishes their status history here:

How is planned downtime scheduled?

Our deployment platform usually obviates the need for downtime when we make changes to GetFeedback. However, we will notify customers by email at least 24 hours in advance of any planned downtime.

Access control

What controls are in place to manage access to GetFeedback applications and infrastructure?

Internal access to GetFeedback servers is controlled by restricting traffic to a specific set of network IP addresses.

All access to GetFeedback is governed by access rights, authenticated by username and password.

Passwords are always encrypted, never stored as plain text.

Your GetFeedback administrator can provision more granular access privileges for your users, such as read/write access to a Salesforce integration.

What controls are in place to keep a customer’s data separate from other customers’?

GetFeedback’s application security architecture ensures segregation of customer data.

Last updated October 2016