Data Protection Officer
At OpinionX, we work hard to ensure that we fulfil the obligations of EU General Data Protection Regulation (GDPR) and maintain transparency about how we use customer and user data. We have a dedicated Data Protection Officer to oversee and advise on our data management. Get in touch through our messenger or by emailing [email protected].
Security Measures
Data is encrypted at rest using industry-standard AES-256 encryption. All network traffic is encrypted using Transport Layer Security (TLS). Each database is deployed in an isolated virtual private cloud and is reachable only from explicitly granted IP addresses; it is not accessible from the public internet. OpinionX data is hosted on Microsoft Azure and MongoDB Atlas in the Republic of Ireland.
OpinionX maintains a management-approved Risk Governance & Enterprise Risk Management (ERM) policy that governs the security and operational controls described below. The policy defines risk ownership, a maintained risk register, and a semi-annual review cycle. It is available to customers on request.
Security Questionnaire
1. Does OpinionX process (e.g. store, transfer, modify, use, destroy) any customer data?
Yes, as a processor. OpinionX stores whatever survey and participant data each customer chooses to collect (from anonymous responses up to identifiable participant data, at the customer's discretion), plus team account details (name, email, hashed password). All of this data is encrypted at rest and in transit and hosted in Ireland. We don't process customers' business or operational records.
2. Does any OpinionX staff have access to customer data in clear text?
Yes, a limited number of authorized staff can access survey and account data (e.g. the workspace members list, email addresses) to provide support and run the Services. Access is restricted to authorized personnel with a legitimate business need, and access is logged.
3. Does OpinionX rely on Amazon (AWS), Google (GCP) or Microsoft (Azure) as sub-processors?
Yes, Azure.
4. Do any third parties (external to OpinionX, e.g. business partners, sub-processors), other than those listed in the previous question, process (e.g. store, transfer, modify, use, destroy) customer data?
Yes, view our full list of Approved Subprocessors for more info.
5. Is multi-factor authentication mandatory for all OpinionX staff members and third parties (as described in the previous question) who access user data?
Yes, 2FA is required on all third-party platforms used by OpinionX employees.
6. Is it possible for the customer to mandate multi-factor authentication for all its staff members who will use the service?
Yes, 2FA and SAML SSO are available to customers on the Accelerate tier.
7. Is customer data encrypted at rest and always encrypted in transit?
Yes, via AES-256 encryption at rest and TLS in transit.
8. Is customer data (including back-ups) hosted, processed or transferred outside of the EU?
Yes, OpinionX's approved subprocessors include non-core services that process data outside of the EU, such as Customer.io (US, email to users), Substack (US, marketing), and Sentry (US, user/error monitoring). For more information, view our approved subprocessors list.
9. Does OpinionX outsource data hosting to a third party other than Amazon (AWS), Google (GCP) or Microsoft (Azure)?
Yes, to MongoDB.
10. Does OpinionX regularly back-up customer data? Are back-ups encrypted?
Yes
11. Is OpinionX's RTO equal to or more than 4 hours?
Yes, OpinionX targets a Recovery Time Objective of 24 hours, i.e. restoration of normal platform operations within 24 hours following a catastrophic outage. Routine failover events are typically resolved far faster.
12. Is OpinionX's RPO equal to or more than 1 day?
No, OpinionX targets a Recovery Point Objective of less than 1 day. Backups are automated, encrypted at rest, and verified periodically.
13. Is customer data stored in a multi-tenant set-up?
Yes
14. Does OpinionX have a process to securely delete customer data at contract termination and upon request?
Yes
15. Are SLAs defined between OpinionX and the customer's organization for the scope of services covered?
Yes, available upon request.
16. Does OpinionX have formally defined criteria for notifying the customer in the event of an incident that might impact the security of our data or systems?
Yes
17. Can OpinionX provide the customer with a copy of access logs upon request (covering both customer staff and OpinionX staff)?
Yes
18. Is the ISMS related to the contracted services ISO 27001 certified?
No
19. Does OpinionX have a current SOC2 type 2 report covering the scope of contracted services?
No
20. Does OpinionX perform independent code reviews?
Yes, independent pen testing certification is available upon request.
21. Does OpinionX maintain a formal risk management / ERM policy?
Yes, management-approved, with a maintained risk register and named risk owners, reviewed semi-annually and after any significant incident or material change. Available to customers on request.
