Data Security
SurveySparrow manages the security of its application and customers' data. However, provisioning and access management of individual accounts is at the discretion of the individual account owners.
Changes to the application, web content, infrastructure and deployment processes are documented as part of an internal change control process. The security review makes it mandatory that each version should be compliant with the company's internal ISMS policies.
Our product collects limited information about customers - name, phone number and email address - which are retained for account creation. For payment purposes, billing details such as name, phone number, billing address and credit card details are requested and retained by SurveySparrow's PCI compliant payment processor.
Data at rest is encrypted using AES-256 bit standards (key strength - 1024) with the keys being managed by AWS Key Management Service. Data in transit is encrypted using secure TLS Cryptographic Protocols.
Application logs are maintained for a year. Backup of customers' data is carried out in two ways:
Data backup is continuously maintained in different data centers to support a system failover if it occurs in the primary data center. If an unlikely catastrophe were to occur in one of the data centers, businesses would lose only five minutes of data.
Data is backed up to persistent storage every day and retained for the last seven days.
Different environments are used for development and testing purposes. System access is strictly managed, based on the principle of need to know, appropriate to the information classification, with Segregation of Duties built in, and reviewed quarterly.
Physical Security
SurveySparrow's development center in Cochin is under 24x7 protection by Government security, at both premises level and floor level to ensure that only authorized individuals have access to the building and the SurveySparrow office. Barriers and guards secure the building's premises. The floor level is equipped with security guards and biometric readers to authorize the entry of individuals. Employees are granted office access only after authorization using government-issued IDs. Critical locations in the office are available only to authorized individuals.
Documents of high importance are stored in cabinets that are only accessible to authorized individuals.
The office is well equipped with surveillance cameras and their footage is monitored periodically by authorized individuals. Fire alarms and water sprinklers are set up to detect and alleviate damage in the unlikely event of a fire.
The management team present at the premises conducts regular fire drills to educate employees about emergency evacuation procedures. A policy has been put in place to approve and regulate visitor access to the building. The office is well equipped with a 24x7 power supply, which is backed up by an alternate power supply system to ensure smooth operation in the unlikely event of a power failure.
SurveySparrow hosts its application and data in industry-leading Amazon Web Services, whose data centers have been thoroughly tested for availability, security and business continuity.
Application Security
All of SurveySparrow's products are hosted on Amazon Web Services. The infrastructure for application servers and databases is managed and maintained by the cloud service provider. At SurveySparrow, we employ a multifaceted approach to application security, to ensure that every process from engineering to deployment, including quality assurance and architecture, adheres to our highest standards of safety.
Network Security
In this section, network security is discussed in detail from the perspective of both the development center and the network where the application is hosted.
SurveySparrow's office network where updates are developed, deployed, monitored and managed is secured by antivirus software and industry-grade firewalls, to provide active alerts in the event of a threat or incident and to protect internal information systems from intrusion. Firewall logs are stored and reviewed at regular intervals. Access to the production environment is via SSH and remote access is possible only through the office network.
Audit logs are generated for each remote user session and reviewed. Also, access to production systems is always through a multi-factor authentication mechanism.
SurveySparrow is hosted on AWS, with security managed by Amazon. The infrastructure is monitored 24x7 by our DevOps and Security teams for stability, intrusions and spam using a dedicated alert system. End-to-end penetration tests and vulnerability assessments are performed every three months. SurveySparrow has an in-built spam protection system for businesses that use it, while the DevOps team oversees and blocks individual accounts and IP addresses which attempt to access the SurveySparrow application.
Operational Security
SurveySparrow understands that formal procedures, controls and well-defined responsibilities need to be in place to ensure continued data security and integrity. The company has transparent change management processes, fallback mechanisms and logging and monitoring procedures which have been put in place as part of its operational security instructions. An information security committee is present to oversee and approve organization-wide security policies.
Operational security begins right from recruiting an engineer to training and auditing their work products. We perform standard background verification checks (including verification of academic records) on all new employees.
Each employee is provided with extensive training about the information security policies of the company and is required to sign that they have read and understood the company's security-related policies. Company-wide confidential information is accessible only to select authorized SurveySparrow employees.
It is imperative that employees report any observed suspicious activities or threats. The HR team takes disciplinary action against employees who violate organizational security policies. Security incidents, such as breaches and potential vulnerabilities, can be reported by customers via support@surveysparrow.com.
SurveySparrow maintains a database of all information systems used by employees for development purposes in an internal service desk, aided by automated probing software that helps in tracking changes to these systems and their configurations. Only authorized and licensed software products are installed by employees. No third parties or contractors manage software or information facilities, and no development activity is outsourced. All employee information systems are authorized by the management before they are installed or put to use.
We employ an external security consultant to perform penetration tests in order to test the resilience of the hosted application. This is always conducted in an architecturally equivalent duplicate of the system with no actual customer data present. The production system is never subject to such tests. Should an individual attempt such a test in the production environment, it will be detected as an interference, and the source IP will be blocked. An alert will then be raised to the DevOps and Security teams who shall rectify the issue.
The company has a privacy notice, approved by an internal legal counsel, publicly available at https://surveysparrow.com/legal/privacy-policy. The payment gateway used by SurveySparrow is PCI compliant.
How to report an issue
If you believe you've discovered a security-related issue, please report the issue at security@surveysparrow.com. Please feel free to reach out at the same address to clarify any queries.