Security and Compliance
We know your co-creation plans and insights are extremely important to you and your business, and we take protecting those plans seriously. We’ve created this page as a resource with documents and mappings for compliance support when formal certifications or attestations may be required.
The Vurvey infrastructure is architected to be a secure and high-performance SaaS environment and provides a scalable place for companies to co-create together with their customers. In addition to the security provided by the Vurvey hosting environment, there are additional security measures built into the platform itself including:
- Single sign-on (SSO)
- Two-factor authentication (2FA)
- Sophisticated user permissions
- Activity stream (for audits)
- History of all changes (for audits)
- Passcodes to secure surveys and presentations
- Data encryption at rest
Encryption and Access
Vurvey encrypts communication between customers, creators, and our data centers through strong encryption. Every login and in-app page in Vurvey is secured through SSL. All data is encrypted at rest using AES-256 encryption. In addition, we employ a dedicated network service and firewall to block unauthorized access.
In addition to encryption, we enforce access controls for all employees. Vurvey employees are not able to access customer or creator data, unless specifically authorized to do so for support.
The Vurvey cloud infrastructure is housed in Google data centers. This level of data center security allows Vurvey to be compliant with the highest industry standards.
- ISO/IEC 27001: ISO 27001 provides the requirements for an information security management system (ISMS), specifies a set of best practices, and details the security controls that can help manage information risks. [View the report here]
- ISO/IEC 27017:2015: ISO 27017:2015 provides guidelines for information security controls applicable to the provision and use of cloud services. [View the report here]
- ISO/IEC 27018: ISO 27018 focuses on privacy and security controls for public-cloud service providers that process personally identifiable information (PII). [View the report here]
- SOC 3: The SOC report has been developed based on the Auditing Standards Board of the American Institute of Certified Public Accountants’ (AICPA) Trust Service Criteria (TSC). The SOC 3 is a public report of internal controls over security, availability, processing integrity, and confidentiality. [View the report here]
- CSA STAR: The CSA’s Security, Trust and Assurance Registry Program (CSA STAR) is designed to help customers assess and select a cloud service provider. This CSA STAR Level 1 – Customer Assessment Initiative Questionnaire (CAIQ) is a self-assessment that evaluates a cloud provider against CSA’s Cloud Control Matrix. [View the assessment here]
EU-U.S. Privacy Shield
Vurvey complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. More information about the EU-U.S. Privacy Shield Framework is available here.
General Data Protection Regulation (GDPR)
Vurvey complies with the General Data Protection Regulation regarding processing of personal data of people in the European Union. More information about GDPR is available here.
California Consumer Privacy Act
Vurvey is compliant with the CPRA and CCPA by building robust privacy and security protections into our services and contracts. The California Privacy Rights Act (CPRA) is a data privacy law that amends and expands upon the California Consumer Privacy Act (CCPA). You can find more information about the CCPA on the California Office of the Attorney General’s website.
Secure Data Centers
The Vurvey cloud infrastructure is housed in highly secure, distributed data centers, which use state-of-the-art electronic surveillance and multi-factor access control systems. Data centers are staffed 24 hours a day by trained security guards, and access is authorized strictly on a least-privilege basis.
Environmental systems in the data centers are designed to be redundant and to minimize unforeseen disruptions. All personnel must be screened when leaving areas that contain customer data.
If you have additional questions about our security and compliance policies, please email [email protected]