Snap Surveys treats the confidentiality, integrity and availability of the information entrusted to it by its customers as a priority, and accordingly has a robust and comprehensive security program in place. This security program is under constant review and the measures set out below will therefore evolve over time as additional controls are implemented or existing controls modified as Snap Surveys considers necessary in the light of changing standards and technological developments.
Snap Surveys has a comprehensive Privacy Policy which describes how we capture and use the personal information and data we gather about visitors to our website and users of our services. This can be accessed here: https://www.snapsurveys.com/survey-software/privacy-policy-uk/
ISO 27001
Snap Surveys is certified to ISO 27001, the international standard for best practice in information security management systems, and consequently has in place a comprehensive set of information security policies and supporting procedures.
Snap Surveys will only use hosting providers who are certified to ISO 27001. Those hosting providers may also have Tier IV facilities, SSAE-16 and ISAE 3402 compliance, SOC II reports or PCI DSS compliance.
Hosting Providers
Snap Surveys has systems hosted at ANS Group and Microsoft Azure:
- ANS Group data security information can be accessed here: https://www.ans.co.uk/data-centres/
- Microsoft Azure infrastructure information can be accessed here: https://docs.microsoft.com/en-us/azure/security/fundamentals/infrastructure
Security Policies
Snap Surveys maintains, reviews and constantly seeks to improve a comprehensive set of security policies and supporting procedures designed to identify and mitigate data security risks.
A comprehensive system of rolling internal audits and annual external audits monitors both compliance with, and the suitability of, those policies and procedures.
Personnel
Snap Surveys has in place a comprehensive set of pre employment checks and screenings which includes employment references, identity and address verification, and financial and criminal records checks.
During employment all staff are contractually bound to confidentiality and data protection clauses.
Information security training is available to all staff and:
- Is given as part of a structured induction program
- Is given as part of an ongoing training program
- Is supplemented by additional security awareness messages
Access Control
Access rights to systems are restricted to authorised personnel. Authorisation is granted based on job functions and roles, with all access being on a minimum requirements basis.
Authorisations are regularly reviewed and are amended as necessary in relation to changed circumstances such as new requirements, changed job functions or roles, or promotions and departures.
System access controls include authentication via passwords and documented processes.
Logical separation is used by the data centre hosting providers to ensure Snap Surveys’ systems are kept separate from that of third parties.
Data centre hosting providers will only be given access to the Snap Surveys’ systems they are hosting to the extent reasonably necessary to enable them to deliver the required level of service. They will apply at least the same technical and organisational security measures to safeguard Snap Surveys’ systems as Snap Surveys do themselves.
Network Security
Our data centre hosting providers use the following to mitigate the impact of individual component failure:
- at least industry standard redundant network architecture
- at least industry standard secure network architecture
- redundant IP network connections with multiple independent connections to internet access providers
Physical Security
Our data centre hosting providers have the following physical security measures in place:
- physical access controls at the perimeter to prevent unauthorised access to the site
- physical access controls to buildings to prevent unauthorised access to data centre buildings
- N+1 uninterruptable power supply and HVAC systems and backup power generators
- advanced fire suppression systems
Data Transmission
Snap Surveys will maintain commercially reasonable technical safeguards to protect information during transmission over the internet, which will include encryption using HTTPS and TLS or similar technologies.
Snap Surveys will maintain a secure portal for use in securely transferring data between Snap Surveys and customers.
Application Security
Our applications are protected by:
- firewalls and router technology
- secure HTTPS and TLS transport over public networks
- the use of best development practices and secure coding methodologies which align with OWASP
- the latest security updates and patches being applied in a timely fashion
- permanent malware scanning
- vulnerability scanning carried out on a daily basis
- backups being taken daily
- third party penetration tests being carried out at least annually
Product Security
We enable customers to manage access to their accounts using unique usernames and passwords, with optional questionnaire login ID / password. Password credentials are never stored in human readable format, only by secure one way hash.
All communications with Snap Surveys’ systems over public networks are encrypted using industry standard HTTPS and TLS.
Data Portability
Snap Surveys enables customers to download or export their data from our systems in multiple formats for use as additional backup or for use in other applications.
Monitoring
Snap Surveys’ systems are constantly monitored by Snap Surveys’ staff and our security team is on call to respond to alerts.
Data centre facilities are constantly monitored by hosting provider staff with immediate escalation for any downtime.
Snap Surveys maintains a publicly available system status webpage which includes system availability details, scheduled maintenance and an incident history.
Incident Response
Snap Surveys has in place incident management, business continuity and disaster recovery plans. These are all maintained, tested and reviewed on a regular basis.
In the unlikely event of a data security event that affects customers, this will be communicated in accordance with those plans.
Last updated August 2024
For the previous version of our security measures, please click here.