Detailed BCPs are available to customers on the Accelerate tier or higher. Otherwise, the summarized version below applies to all other users with an OpinionX account. View all our data security docs here.
Last Review Date: 03 April 2025
This document outlines the approach we take at OpinionX to ensure platform availability, safeguard data, and maintain business resilience during disruptions.
-- -- --
1. Scope & Objectives
This document covers:
Core OpinionX services including user login, survey access, and data access.
Management of metadata (refer to privacy policy for data processing terms).
Clear, proactive communication with customers in case of disruption.
Key objectives:
Ensure service uptime through redundancy and fault-tolerant architecture.
Protect team email data through encryption and secure backup practices.
Restore services rapidly, minimizing downtime.
Maintain transparent customer communication, including incident notifications and access log disclosures when needed.
-- -- --
2. Infrastructure & Hosting
Hosted on Microsoft Azure with auxiliary storage via MongoDB Atlas, both located in the Republic of Ireland.
Deployed across multiple availability zones within a VPC setup for resilience.
All network traffic secured via TLS, databases encrypted at rest with AES‑256.
Infrastructure inaccessible via public internet, with access restricted to authorized IPs only to prevent unwanted intrusion.
-- -- --
3. Backup & Recovery
Regular, automated backups of databases and metadata are performed. These backups are encrypted at rest.
Recovery Time Objective: OpinionX aims to restore normal platform operations within 24 hours following a catastrophic outage.
Enterprise SLAs contain specific time-bound goals.
Backups are automatically captured, stored securely with access controls, and verified periodically.
-- -- --
4. Security & Access
Team email data is the only customer-assigned metadata stored; no participant or survey response data is stored.
All internal tooling and subprocessor access is protected with mandatory MFA.
Encryption in transit (TLS) and at rest (AES‑256) is standard for all stored and transmitted data.
-- -- --
5. Incident Response & Communication
Full incident response protocols are defined, including:
Immediate containment of malicious or performance-affecting incidents.
Triage and forensic investigation to determine root causes.
Restoration of affected services following backup and failover procedures.
Notification triggers are established: whenever an incident impacts system availability or security, customers will be alerted via email in line with GDPR and contractual transparency obligations.
Access logs—covering both customer and internal accesses—are securely stored and available upon request.
-- -- --
6. Subprocessors & Dependencies
We engage only a limited set of subprocessors, all committed to secure operations, encryption, and access controls.
All subprocessors are listed in our Approved Subprocessors register.
Each operates under contract and GDPR-compliant data protection terms.
Data transfers outside the EEA are governed by standard adequacy safeguards.
-- -- --
7. Support & Escalation
Platform support is accessible via live chat or email ([email protected]).
Our Data Protection Officer oversees data handling queries ([email protected]).
SLAs and custom DPA options are available for customers subscribed to the Accelerate Tier or higher.
-- -- --
8. Plan Review & Testing
Our detailed BCP is reviewed annually and after any incident.
Backups and recovery routines are tested 2x per year to ensure effectiveness.
Process improvements are implemented based on test outcomes and incident analyses.
-- -- --
9. Tiered Disclosure
Enterprise-grade assurances like signed SLAs, formal DPAs, or detailed recovery metrics are available upon request to customers on the Accelerate Tier or higher.