Skip to main content

OpinionX Business Continuity Plan

Daniel Kyne avatar
Written by Daniel Kyne
Updated today

Detailed BCPs are available to customers on the Accelerate tier or higher. Otherwise, the summarized version below applies to all other users with an OpinionX account. View all our data security docs here.

Last Review Date: 03 April 2025

This document outlines the approach we take at OpinionX to ensure platform availability, safeguard data, and maintain business resilience during disruptions.

-- -- --

1. Scope & Objectives

This document covers:

  • Core OpinionX services including user login, survey access, and data access.

  • Management of metadata (refer to privacy policy for data processing terms).

  • Clear, proactive communication with customers in case of disruption.

Key objectives:

  1. Ensure service uptime through redundancy and fault-tolerant architecture.

  2. Protect team email data through encryption and secure backup practices.

  3. Restore services rapidly, minimizing downtime.

  4. Maintain transparent customer communication, including incident notifications and access log disclosures when needed.

-- -- --

2. Infrastructure & Hosting

  • Hosted on Microsoft Azure with auxiliary storage via MongoDB Atlas, both located in the Republic of Ireland.

  • Deployed across multiple availability zones within a VPC setup for resilience.

  • All network traffic secured via TLS, databases encrypted at rest with AES‑256.

  • Infrastructure inaccessible via public internet, with access restricted to authorized IPs only to prevent unwanted intrusion.

-- -- --

3. Backup & Recovery

  • Regular, automated backups of databases and metadata are performed. These backups are encrypted at rest.

  • Recovery Time Objective: OpinionX aims to restore normal platform operations within 24 hours following a catastrophic outage.

    • Enterprise SLAs contain specific time-bound goals.

  • Backups are automatically captured, stored securely with access controls, and verified periodically.

-- -- --

4. Security & Access

  • Team email data is the only customer-assigned metadata stored; no participant or survey response data is stored.

  • All internal tooling and subprocessor access is protected with mandatory MFA.

  • Encryption in transit (TLS) and at rest (AES‑256) is standard for all stored and transmitted data.

-- -- --

5. Incident Response & Communication

  • Full incident response protocols are defined, including:

    • Immediate containment of malicious or performance-affecting incidents.

    • Triage and forensic investigation to determine root causes.

    • Restoration of affected services following backup and failover procedures.

  • Notification triggers are established: whenever an incident impacts system availability or security, customers will be alerted via email in line with GDPR and contractual transparency obligations.

  • Access logs—covering both customer and internal accesses—are securely stored and available upon request.

-- -- --

6. Subprocessors & Dependencies

  • We engage only a limited set of subprocessors, all committed to secure operations, encryption, and access controls.

  • All subprocessors are listed in our Approved Subprocessors register.

  • Each operates under contract and GDPR-compliant data protection terms.

  • Data transfers outside the EEA are governed by standard adequacy safeguards.

-- -- --

7. Support & Escalation

  • Platform support is accessible via live chat or email ([email protected]).

  • Our Data Protection Officer oversees data handling queries ([email protected]).

  • SLAs and custom DPA options are available for customers subscribed to the Accelerate Tier or higher.

-- -- --

8. Plan Review & Testing

  • Our detailed BCP is reviewed annually and after any incident.

  • Backups and recovery routines are tested 2x per year to ensure effectiveness.

  • Process improvements are implemented based on test outcomes and incident analyses.

-- -- --

9. Tiered Disclosure

  • Enterprise-grade assurances like signed SLAs, formal DPAs, or detailed recovery metrics are available upon request to customers on the Accelerate Tier or higher.

Did this answer your question?