Your Data, Protected by Default
Enterprise-grade encryption, GDPR-aligned practices, and zero data sharing. Security is built in, not bolted on.
AES-256 Encryption
All survey data is encrypted at rest and in transit using AES-256, the same encryption standard used by financial institutions and government agencies. Your respondents' answers are protected from the moment they submit.
Secure Authentication
Industry-standard authentication with hashed passwords, secure session management, and optional OAuth via Google and Microsoft. Login is rate-limited to prevent brute-force attacks.
GDPR Compliance
GDPR-aligned data handling is built into every plan. We process data lawfully, collect only what's needed, and give respondents control over their information.
Zero Data Sharing
Your respondents' data is never sold, shared with third parties, or used for advertising. Data belongs to you and your organization exclusively.
Content Security Policy
Strict CSP headers with nonce-based script execution prevent cross-site scripting (XSS) and injection attacks. HSTS enforced for all connections.
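As an added illustration (not SurveyFill's own code or configuration), the following shows what "nonce-based script execution" and HSTS look like as concrete response headers: a fresh per-response nonce, a policy that admits only scripts carrying it, and a checker that contrasts it with the weak `'unsafe-inline'` setting. The directive set and the HSTS max-age are assumed values chosen for the example.

```python
import re
import secrets
from typing import Dict, Optional

# Assumed HSTS lifetime for this example: two years in seconds.
HSTS_MAX_AGE = 63072000


def new_nonce() -> str:
    """Fresh, unguessable nonce (128 bits, base64url) generated per response."""
    return secrets.token_urlsafe(16)


def build_csp(nonce: str) -> str:
    """Strict policy: only script elements carrying this response's nonce run."""
    return "; ".join([
        "default-src 'self'",
        f"script-src 'nonce-{nonce}' 'strict-dynamic'",
        "object-src 'none'",
        "base-uri 'none'",
        "frame-ancestors 'none'",
    ])


def security_headers(nonce: str) -> Dict[str, str]:
    """Headers a response would carry; HSTS pins future connections to TLS."""
    return {
        "Content-Security-Policy": build_csp(nonce),
        "Strict-Transport-Security": f"max-age={HSTS_MAX_AGE}; includeSubDomains",
    }


def render_page(nonce: str, script_body: str) -> str:
    """Constructed sample page: the only inline script is tagged with the nonce."""
    return f'<html><body><script nonce="{nonce}">{script_body}</script></body></html>'


def script_allowed(csp: str, script_nonce: Optional[str]) -> bool:
    """Nonce rule only: would a parser-inserted <script> run under this policy?"""
    match = re.search(r"script-src ([^;]+)", csp)
    if not match:
        return False
    sources = match.group(1).split()
    if "'unsafe-inline'" in sources:
        return True  # weak setting: every inline script runs, including injected ones
    return script_nonce is not None and f"'nonce-{script_nonce}'" in sources


if __name__ == "__main__":
    nonce = new_nonce()
    headers = security_headers(nonce)
    print(headers["Content-Security-Policy"])
    print(render_page(nonce, "init();"))
```

An injected script has no way to learn the nonce before the response is built, so under the strict policy it is blocked while the page's own tagged script still runs.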
Compliance Standards
SOC 2 Aligned
Our infrastructure and processes are designed to meet SOC 2 Trust Service Criteria for security, availability, and confidentiality.
ISO 27001 Practices
We follow ISO 27001 information security management practices, including risk assessment, access controls, and incident response procedures.
GDPR Data Handling
Data minimization, purpose limitation, and lawful processing built into every feature. Respondent data is processed only as necessary.
OWASP Top 10 Protection
Application-layer defenses against injection, broken authentication, XSS, and other OWASP Top 10 vulnerability categories.
Infrastructure Security
Why Enterprise-Grade Security Matters for Surveys
Surveys collect some of the most sensitive data in your organization: employee satisfaction scores, customer health metrics, patient feedback, and financial opinions. A breach of survey data can be as damaging as a breach of your CRM or HR system, yet many teams treat survey security as an afterthought. SurveyFill is designed so that you never have to think about it—every security control is on by default, on every plan, with no configuration required.
For organizations subject to regulatory requirements, the details matter. SOC 2 Trust Service Criteria demand that you can demonstrate how data is encrypted, who has access, and what happens when an incident occurs. ISO 27001 requires a formal information security management system with documented risk assessments and controls. SurveyFill's architecture is built around these frameworks, so when your auditors ask about survey data handling, you have answers ready.
Security also means protecting data from internal misuse. Role-based access control ensures that team members only see the surveys and responses they are authorized to view. Every action—login, data export, survey edit, member invitation—is logged with user attribution and timestamps. These audit trails are available to organization owners and can be exported for compliance reporting.
Frequently Asked Questions
Is SurveyFill SOC 2 certified?
Our infrastructure and processes are aligned with SOC 2 Trust Service Criteria. We follow SOC 2 controls for security, availability, and confidentiality across our platform.
Where is survey data stored?
Data is stored in encrypted databases with AES-256 encryption at rest. All connections use TLS 1.2 or higher for encryption in transit.
Can I delete respondent data on request?
Yes. GDPR-compliant data deletion is built in. Organization owners can delete individual responses or entire surveys, and the data is permanently removed from all backups within the retention period.
Does SurveyFill share data with third parties?
No. We never sell, share, or use your respondents' data for advertising or any purpose other than operating the service you purchased. Data belongs to your organization exclusively.
Related Features & Resources
Security on Every Plan
AES-256 encryption, GDPR compliance, and all security features are included on every plan, including free.