Checkbox takes data security very seriously and is committed to protecting the privacy of its customers and users. The information in this article is intended to provide an overview of the security measures that Checkbox has implemented with regard to data storage and application security. This article is not intended to be a comprehensive list of all of our security controls, as we do not disclose the details of certain policies, procedures and controls for security reasons.
Users of the Checkbox website, Checkbox hosted application, and Checkbox on-premises software should note that, while we follow generally accepted industry standards to protect your data, both during transmission and once we receive it, no method of transmission over the internet, or method of electronic storage, is 100% secure. Therefore, while we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.
Users of the Checkbox hosted application and Checkbox on-premises software should also be aware that the commitment to data privacy and security is a joint effort between Checkbox and you, as the survey or account administrator. It is your responsibility to be aware of the laws and regulations that are applicable to the type of data you are collecting, and to implement the Checkbox features that are necessary to protect that data. It is also your responsibility to ensure the accuracy of your Checkbox account data and to respond to requests from your respondents and users regarding any deletion of or updates to their data.
For information on GDPR compliance related to your Checkbox data, please see our GDPR help guide.
Location
Checkbox utilizes Amazon Web Services (AWS) cloud-based virtual web servers in the United States, Montreal and Ireland to host its Checkbox hosted application. Depending on the Checkbox plan level purchased, customers may have the option to choose their preferred hosting location at the time of purchase. For security reasons, Amazon does not disclose the exact address of its hosting locations. Details on Amazon's AWS security and compliance policies can be found here: http://aws.amazon.com/security/.
Access
Access to data hosted on AWS is strictly limited to those employees who have a need to know. Remote access to customer or other sensitive data is highly restricted and no data is permitted to be downloaded or housed remotely. Contractors are not permitted access to any customer data. Hosting infrastructure and hosted customer data are protected by a firewall, which limits public access to these instances to only the ports needed to use the service. Our Amazon customer support includes a monitoring system that detects the presence of a compromised hosting instance. Checkbox support is notified of issues in real time.
Scalability
The Amazon hosting infrastructure is scaled in quantity based on anticipated demand using a series of load balancers and Amazon’s Auto Scaling feature. Checkbox support is notified in real time of any issues with server load or performance.
Backups and Disaster Recovery
Amazon’s elastic cloud computing allows Checkbox support to move customer databases to separate cloud computing instances within minutes in the event of a compromised instance or other issue that threatens customer data. Data is backed up on a daily basis, with backups stored as encrypted files on redundant Amazon S3 storage.
In the event of an unexpected software outage, hardware, software, or infrastructure failure that leads to service downtime or data loss, or a security breach that compromises customer data, Checkbox will immediately notify all customers potentially affected by the failure. Customers will be notified individually by email and messages will also be posted in the customer announcement section of the Checkbox customer support site and in the news section of the Checkbox website.
Application-Level Security & Testing
Internal Security Policies & Controls
Security Policies & Training
Security policies and procedures are reviewed and updated by upper management on an annual basis. The updated policy is communicated to all employees upon hire, and reviewed annually with all employees.
Customer Data Policies
All employees are bound by the terms of their confidentiality agreement to protect the integrity of customer data at all times. There is a zero-tolerance policy for negligence or misconduct with regard to customer data. Such negligence or misconduct is grounds for immediate termination. Any modifications to or testing of Checkbox customer databases are done on an in-house server and never on any employee’s personal computer. Customer databases used for testing purposes are immediately deleted from Checkbox servers once testing is complete and data is no longer needed. Non-disclosure agreements (NDAs) required by customers prior to release of customer data to Checkbox are reviewed by Checkbox upper management and the employee(s) who will be accessing the data, and are signed by Checkbox upper management. NDAs are filed with customer records.
Employee Access Controls
Only employees with a need to know have access to customer data. Remote access to customer or other sensitive data is highly restricted and no data is permitted to be downloaded or housed remotely. All company devices that house customer or other sensitive data are encrypted.
Password Policies
Checkbox follows Microsoft's password policy recommendations for any company device or network passwords. All system-level passwords or passwords that are used to gain access to servers and systems containing sensitive internal and customer data are changed upon termination of any employee that had access to the password(s).
Employee Background Checks & Confidentiality Agreements
All employees with access to customer or other sensitive data are required to submit to a background check prior to hire.
All Checkbox employees are required to sign a proprietary and confidential information agreement upon hiring. This agreement is in full force during and following the employee’s term of employment. Terminated employees are given a copy of the signed agreement upon termination. Protection of company and customer information is also covered in the Checkbox Employee Handbook, which all employees are required to review and sign upon hiring.
Security Questionnaires
Checkbox maintains a standard security questionnaire for its customers who would like more detail on Checkbox's security policies. The questionnaire has been assembled by our management and security teams based on their knowledge of best practices and industry-standard questionnaires. If you would like a copy of this questionnaire, please email your request to firstname.lastname@example.org. We are not able to accommodate requests for client-specific security questionnaires, except at the Enterprise account level.
Disclosure of Data to Third Parties
If you have questions about the security features of your account or how to use them, please contact support. If you have general questions about Checkbox's security features or practices, or to request a copy of our standard security questionnaire, please email email@example.com.