Security FAQ

Security and Legal information all in one place

Agnieszka avatar
Written by Agnieszka
Updated over a week ago

At Survicate, we have implemented security measures and policies to make sure your data is stored in the best manner.

In this article, you'll learn:

  • what data we store;

  • if we use cookies;

  • what legal documents and programs are available;

  • how to transfer ownership or delete your account.

💡Read on to find answers to the most frequently asked questions about security.

How to change ownership

1. To change the organization owner, please go to Organization Settings > General and, under Organization owner, please click Transfer ownership.

2. In the pop-up window, you can select the new owner. You can choose only the person that is a teammate in your organization.

If you want to transfer ownership to someone who doesn't have an account, you need to send an invitation in order to add a new teammate to your organization.

3. You will need to confirm you're authorized to transfer account ownership by entering the code we sent to your email address.

Please note that to change the organization name or transfer ownership, you need to be the owner of the organization. If the current organization owner has left the company or is unable to reassign ownership, please reach out to us on chat 👉.

How to delete an account

To delete your account, please reach us at with the email you've used to register for the account or strike up a chat conversation, and we'll delete your account.

If you are the account owner, by deleting your account, you acknowledge that all the surveys and answers stored in your account will also be deleted.

Custom agreements

Statement of Work, Custom Data Processing Agreement, and Service Level Agreement can be signed on the Enterprise/Scale plan.

Please visit our Pricing page for more information.

What respondent data we process

Scope of data related to respondents processed by the Survicate:

1. Visitor (Respondent) UUID,
2. Visitor (Respondent) attributes passed using traits or survey URLs,
3. IP,
4. browser language,
5. email address in link surveys (sending through client’s e-mail),
6. operating system version, device type,

whereby, in the scope of Visitor (Respondent) UUID and Visitor (Respondent) attributes passed using traits or survey URLs, the data is stored in Local Storage.

A separate category is the data included in the answers to the survey questions. A wide variety of data can be found here, depending on the questions asked in the surveys. Survicate does not read/analyze the answers to surveys’ questions unless technical problem-solving.

Survicate does not use cookies placed on the respondent's device, nor does it initiate their installation. Survicate does not create/use any cookies for the purpose of targeting, showing, or marketing activities nor completing surveys purposes.

Survicate delivers surveys by identifying the general geographic location of users from their IP addresses. This method does not gather exact GPS coordinates but rather estimates the location based on the IP. This location data is not stored; it's processed in real-time solely to enhance the technical delivery of surveys using a Content Delivery Network (CDN). A CDN helps in distributing the content more quickly and reliably by using servers closest to the user's inferred location.

Respondents’ IP can be used to provide our service in a secure manner. Our infrastructure processes IP of survey respondents. IP addresses are automatically monitored to prevent the infrastructure from being vulnerable to e.g., DDoS attacks.

Where we store data

Survicate is hosted on the AWS cloud in Ireland.

You can read more about Infrastructure security in this article.

AWS report (SOC reports for your AWS compliance program)

ℹ️ AWS Compliance Programs such as ISO 27001 or SOC 2 ensure the security of our infrastructure.

Do we use cookies

Survicate does not use respondent cookies when storing information about respondents for the purpose of providing services. All data we need to communicate with our database is stored within Local Storage and Session Storage of an active browser.

We use Local Storage to store:
- Visitor (Respondent) UUID
- Survey status (displayed and answered surveys)
- Tags
- Survey responses given by specific respondents queued to be sent to Survicate (deleted after the answer is sent)

- You may pass to Survicate visitor (respondent) attributes using JavaScript, SDK, or as a part of the survey URL you share with the respondent.

Be noted that visitor (respondent) attributes are optional, and you decide what and if any additional data is stored.
Attributes passed to Survicate with SDK may not be stored in Local Storage.

Please note that we do use cookies on These functional, performance, and targeting cookies may be visible in your browser as you test your surveys, but they're only there because you're our user and you've visited our website. Your respondents are not served these cookies.

Do you need consent from your respondents to collect and store their data

Data processing does have some kind of interference in the sphere of privacy, very small and insignificant, but it does.

It works the same for mobile applications and websites.

The small interference mentioned above is mostly related to the IP, which according to court jurisdictions among EU might be, in some occurrences, perceived as personal data. This means that the processing of IP is an interference in the sphere of privacy and be treated as personal data processing.

The legal basis for data processing in relation to IP may be consent or another legal basis (e.g. legitimate interest, performance of a contract).

It's up to you to decide if you should add a disclaimer or ask for consent from your respondents to collect and store their data or base processing on legitimate interest.

Do we share data with any third parties

No, we do not.

In this article, you can read who can access your survey results.

Do we allow the TLS protocol

We allow only the TLS protocol at version 1.2 or higher to ensure the security and integrity of our communications. We do not permit the use of older versions such as TLS 1.1 and 1.0.

In the event of a breach of Survicate, how will incident handling and informing of clients be done

You can report security incidents to the email address:

If we obtain information or learn that account data has been disclosed and thus your control over them has been violated, we will inform you without undue delay and, where feasible, not later than 36 hours after having become aware of it.

If you find out that unauthorized access to account data has taken place, please contact us in accordance with the point above.

In the event of an occurrence or incident involving account data, We will ask you to give us a consent to inspect your account, view full log history and provide information to relevant authorized bodies that request such data.

In the event of a personal data breach concerning data processed by the Survicate, we will assist you:

(a) in notifying the personal data breach to the competent supervisory authority/ies;

(b) in obtaining the following information:

(i) the nature of the personal data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

(ii) the likely consequences of the personal data breach;

(iii) the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

In the event that the Survicate account has been compromised, what are the steps needed to be taken by users?

1. Inform Survicate at the email address about the suspected compromise and ask for their assistance.

2. Change your password. Make sure you choose a strong and unique password that is not easily guessable.

3. Enable two-factor authentication. This will add an extra layer of security to your account and make it more difficult for hackers to gain access.

4. Scan your device for malware. Run a malware scan on your device to check for any malicious software that may have been installed without your knowledge. Remove any threats that are detected.

5. Monitor your accounts: Keep a close eye on all of your accounts, not just your Survicate account, to ensure that there is no unusual activity. This includes your email, social media, and financial accounts.

Do you do regular checks for security vulnerabilities? And, if yes, how regularly?

Yes, we conduct regular checks for security vulnerabilities. Our infrastructure, hosted on the AWS cloud in Ireland, is equipped with vulnerability scanners that rigorously analyze our system for potential security weaknesses. These scanners are an integral part of our proactive security measures, enabling us to identify and address vulnerabilities effectively.

Survicate follows a systematic approach for these checks, ensuring they are performed periodically. Once vulnerabilities are identified, we prioritize and patch them according to a well-defined prioritization system. This system allows us to address the most critical vulnerabilities promptly while effectively managing less critical issues in a timely manner.

Our commitment to regular vulnerability assessments and timely responses is part of our ongoing effort to maintain the highest standards of security and protect our systems and data against evolving cyber threats.

Do you do regular stress testing/penetration tests of your existing IT systems?

Yes, Survicate conducts regular stress testing and penetration tests of our IT systems. These tests are an essential part of our cybersecurity strategy and are carried out at least once a year. By doing so, we ensure that our systems are robust and can withstand potential security threats.

Regular penetration testing helps us identify and rectify vulnerabilities in our IT infrastructure, thus enhancing the overall security and reliability of our systems. This proactive approach is crucial in maintaining the integrity and performance of our services, especially considering the evolving nature of cyber threats. Our commitment to conducting these tests annually demonstrates our dedication to safeguarding our systems and the data they handle.

Do you have emergency drills?

Emergency response is an integral part of an organization's broader disaster recovery and business continuity strategies. Survicate conducts tests under the business continuity testing plan, taking into account various scenarios to ensure resilience and prompt recovery in the event of unforeseen disruptions.

Do you have measures against DDoS attacks in place?

Yes, as a SaaS provider utilizing AWS infrastructure, we have measures in place to protect against DDoS attacks. AWS provides a range of tools and services designed to mitigate and manage the risks associated with DDoS attacks. These include:

  1. automatic inline mitigation that minimizes application downtime and latency

  2. elastic load balancing

  3. scalable and highly available DNS web service

  4. monitoring and logging capabilities to detect and analyze anomalies in traffic patterns

Are your recovery processes set up in a way, so that they do not put critical information in an outdated state?

Backups of critical data are performed frequently. The frequency of these backups is aligned with the rate at which the data changes, minimizing the risk of restoring outdated information.

Additionally, we employ techniques that capture the state of data at various points in time. This approach aids in restoring the most recent and relevant version of the data

Learn more

Check our Legal & Security section to learn about Survicate's Application security, Infrastructure security, to find our policies, and many more.

Did this answer your question?