Last Updated September 4, 2019
Security FAQ
Company
GetFeedback is the leading provider of customer experience surveys for the Salesforce ecosystem. Founded in 2013, GetFeedback’s mission is to build beautiful, easy-to-use software for companies that want to understand and improve customer experience.
Security
GetFeedback runs on the trusted Salesforce Heroku platform and on industry-leading cloud service provider Amazon Web Services (AWS) (Heroku itself also runs on AWS). We chose Heroku and AWS for a variety of reasons; trust, security, and reliability being top of mind. We also host our external analytics database on the Google Cloud Platform.
Heroku’s security policy is published here:
https://www.heroku.com/policy/security
AWS’s security policy is published here:
https://aws.amazon.com/security/
Google Cloud's security policy is published here:
https://cloud.google.com/security/
Where are your servers located?
GetFeedback runs in AWS’s main data center, located in Northern Virginia with our backup data center being located in Oregon. The external analytics database runs in Google Cloud's data centers in South Carolina, with our backups stored in Iowa.
What security certifications do you or your vendors have?
AWS and GCP facilities are accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
And others. More from AWS:
https://aws.amazon.com/compliance/pci-data-privacy-protection-hipaa-soc-fedramp-faqs/
Information about Google Cloud is published here:
https://cloud.google.com/security/compliance/
What security provisions and practices are in place at your data center(s)?
AWS data center facilities feature 24-hour manned security, biometric access control, video surveillance, and physical locks. All systems, networked devices, and circuits are constantly monitored.
What security monitoring do you offer?
Information about Heroku’s vulnerability assessment, reporting and management practices, as well as information on physical, network and data security, can be found on their security page:
https://www.heroku.com/policy/security
How is data backed up?
GetFeedback utilizes Heroku’s PG Backups to store a full backup daily. More here:
https://devcenter.heroku.com/articles/heroku-postgres-backups
GetFeedback also uses Google Cloud Platform for redundancy. GCP is configured to store a full backup daily as well.
Is our data encrypted?
All communications with and between GetFeedback servers is encrypted using industry-standard TLS/SSL.
All data is encrypted on-disk.
Does your company have an information security infrastructure and organization policy?
Yes. GetFeedback's information security policy can be requested once the customer has signed a Non-Disclosure Agreement.
Does your hiring process require a full background check?
Yes. All prospective employees are screened by a leading background checking service.
Does your company outsource any portion of your information security?
GetFeedback relies on industry-leading vendors like Heroku, Google, and Amazon to provide services like application hosting, corporate email security and corporate file security.
What controls are in place to protect my credit card information?
GetFeedback’s credit card processing vendor Stripe uses the latest TLS technology for secure transactions. Our vendor is certified as PCI Service Provider Level 1 and is compliant with card association security initiatives, like the Visa Cardholder Information Security and Compliance (CISP), MasterCard® (SDP), and Discovery Information Security and Compliance (DISC).
Credit card numbers are never stored on GetFeedback servers. They are routed directly to Stripe. More from Stripe here:
https://stripe.com/docs/security
Data privacy
GetFeedback’s Privacy Notice is here: https://getfeedback.com/privacy
The Heroku platform has certified that it adheres to the US-Swiss Safe Harbor Principles. The Heroku Privacy Policy is here:
https://www.heroku.com/policy/privacy
Google Cloud Platform privacy details are published here:
https://cloud.google.com/security/privacy/
Where is our data stored?
GetFeedback runs from AWS’s main data center located in Northern Virginia.
Who owns our data?
Your survey content is owned by you, and only you choose with whom to share your surveys. Survey responses are owned and managed by the survey creator.
Who has access to our data?
Only GetFeedback administrators and customer/technical support managers have access to your survey data. Our staff will not access your response data, grant access to third parties or otherwise disseminate your response data without your permission. If there is a request for support, or if you hire our consulting services, then the person assigned to the request may, with your permission, log into your account for the purpose of troubleshooting and correcting the reported issue or performing the requested task.
The policies and practices of GetFeedback, and of the Salesforce Heroku and Amazon Web Services platforms on which GetFeedback is hosted, are consistent with the objectives of the Health Insurance Portability and Accountability Act (HIPAA) with regard to data security and data privacy.
In the following limited situations, we may disclose information that we collect or that you provide to us:
- To our contractors, service providers and other third parties we use to support our business and who are obligated to keep personal information confidential and use it only for the purposes for which we disclose it to them.
- In an aggregated or anonymized format where no individual can be identified or linked to any part of the information.
- To comply with any court order, law or legal process, including responding to a governmental or regulatory request.
- To enforce our rights arising from any contracts entered into between you and us and for billing and collection.
- To a buyer or other successor in the event of a merger, sale or transfer of some or all of SurveyMonkey Inc. (successor-in-interest to GetFeedback Inc.) assets.
- For any other purpose disclosed by us when you provide the information.
- With your consent.
We only use information that we collect about or from survey takers, including any personal information, to:
- Improve our Services and resolve technical issues.
- Provide customer support.
- Fulfill any other purpose for which you provide it.
Do you guarantee full erasure of data?
Deleting your content may not immediately remove the content you have published from our systems, because of caching, backups, or other references to your account. GetFeedback guarantees full erasure of deleted data within 90 days of a written request.
What controls are in place to ensure that when another customer's data is compromised our data would not also be compromised?
Though of course not every possible type of malicious data access can be anticipated, GetFeedback’s application security architecture ensures segregation of customer data.
Availability/Reliability
What practices / controls are in place to maximize uptime?
GetFeedback runs in facilities powered by redundant power, each with UPS and backup generators. Heroku’s application deployment model minimizes the risk that changes to the GetFeedback application will disrupt service.
What is your uptime?
GetFeedback’s availability is consistently above 99.95% and is usually very close to 99.99%.
How do you communicate with customers when there is a problem with the application?
We tweet from @getfeedback, though this is rarely necessary. Customers can also visit http://status.getfeedback.com to subscribe to updates or check the GetFeedback platform status.
Heroku publishes their uptime here:
https://status.heroku.com/uptime
AWS publishes their status history here:
Google Cloud Platform publishes their uptime here:
https://status.cloud.google.com/
How is planned downtime scheduled?
Our deployment platform usually obviates the need for downtime when we make changes to GetFeedback. However, we will notify customers by email at least 24 hours in advance of any planned downtime.
Access control
What controls are in place to manage access to GetFeedback applications and infrastructure?
Internal access to GetFeedback servers is controlled by restricting traffic to a specific set of network IP addresses.
All access to GetFeedback is governed by access rights, authenticated by username and password.
Passwords are always encrypted, never stored as plain text.
Your GetFeedback administrator can provision more granular access privileges for your users, such as read/write access to a Salesforce integration.
What controls are in place to keep a customer’s data separate from other customers’?
GetFeedback’s application security architecture ensures segregation of customer data.
Does GetFeedback have any standard InfoSec questionnaires available?
GetFeedback can provide the CSA CAIQ v3.0.1 upon request after the customer has signed an NDA.
Last updated March 2019