Millions of users have entrusted Wootric with their survey data, and we make it a priority to take our users’ security and privacy concerns seriously. We strive to ensure that user data is kept securely, and that we collect only as much personal data as is required to provide our services to our customers in an efficient and effective manner.
Wootric uses some of the most advanced technology for Internet security that is commercially available today. This Security Statement is aimed at being transparent about our security infrastructure and practices, to help reassure you that your data is appropriately protected.
Wootric will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of personal data processed by its service, as follows:
- Security policies are reviewed and approved by Wootric executive leadership.
- Security systems and processes are regularly reviewed and tested by security staff and third parties.
- Use of network firewalls and Web Application Firewall (WAF) to protect Customer Data accessible via the Internet is required.
- Physical access to systems containing Customer Data is restricted.
- System access is based on the principle of least privilege, separation of duties, and is regularly reviewed.
- Applicable and necessary security patches are kept up-to-date.
- Use of default system passwords is prohibited and the use of “strong passwords” is mandated on all systems.
- Employees receive annual security awareness training and must sign confidentiality agreements as a condition of employment.
- Remote access to the Service Operations Environment is restricted and requires two factor authentication.
- Wootric restricts access to Customer Data only to those employees who have a need to know or otherwise access Customer Data to enable Wootric to perform its obligations under the Agreement; provided that (a) a background check has been conducted of those employees, and (b) those employees are bound in writing by obligations of confidentiality sufficient to protect the Customer Data in accordance with requirements herein.
- Wootric maintains a disciplinary process to address any unauthorized access, use or disclosure of Customer Data.
Customer Data Transmission
- All access to the Service uses the secure protocol HTTPS; all clear-text HTTP connections are disabled by default.
- Copying of Customer Data outside of the SaaS Operations Environment by any employee is restricted by policy and only permitted for legitimate business need.
- Customer Data is transmitted via secure TLS exclusively; SSL is disabled by default.
- Except for transmissions initiated by Customer through the use of the SaaS Service, Wootric does not transmit directly or indirectly, any Customer Data in any form to any country outside of the United States. [except where Data Importer’s sub-contractors and remotely].
Data Storage, Retention and Availability
- Wootric does not store or process Customer Data in any form outside of the United States, other than for transit purposes, without the prior written consent of Customer. Notwithstanding the foregoing, Customer consents to access to its accounts for the purposes of providing support by any Wootric personnel located outside of the United States.
- Customer Data retention timelines are defined for all elements of the Service.
- Wootric will ensure backup of the Customer Data on a daily basis onto an electronic storage medium and shall store all such backups in a separate geographic location. Customer Data is transmitted using secure protocols over a dedicated link and stored in a secured facility for backup.
Security Breach Response
Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security.
- Wootric maintains a security incident response plan and a team of personnel trained to identify, investigate, and respond to security issues.
- In the event of a Security Breach impacting Customer Data, Wootric shall: (a) take immediate steps to remedy the breach; (b) notify Customer as soon as is practicable; and (c) take any other prompt actions towards prevention of any additional Security Breach. In any notification to Customer, Wootric shall:
  - (i) provide a description of the incident, the data accessed, the identity of affected third parties, if any, and such other relevant information determined by Wootric, and
  - (ii) designate a single individual as a point of contact for Customer.
Wootric agrees to cooperate with Customer and any law enforcement or regulatory official in connection with any Security Breach, including without limitation any investigation, reporting or other obligations required by applicable law, as well as any dispute, inquiry or claim concerning the Security Breach. For purposes of this subsection, “Security Breach” means any actual unauthorized use, access, disclosure or misuse of Customer Data of which Wootric becomes aware.
Third Party Testing
- Wootric contracts annually with a reputable third party security firm to conduct a comprehensive security audit (penetration test and web application vulnerability tests) of its SaaS Service.
Trust Service Principles
- Data center providers for the Wootric SaaS Operations Environment maintain an AT101 SOC 2 Type 2 report or any successor standard.
SaaS Operations Management
- Wootric maintains and follows change management processes. All changes to the production environment are risk-assessed, logged, and approved. Releases to the production environment are promoted through a pre-production test environment.
- The operations environment is separate from the development and staging environments. All SaaS environments are separate from the corporate IT environment.
- Logical access to the Service infrastructure is restricted using the principles of least privilege and need to know.
- Access to all systems is controlled by an authentication method involving a minimum of a unique user ID/password combination. Privileged users and administrators must use strong authentication.
- Remote network access, where available, is secured by two-factor authenticated VPN.
- The Service is hosted in the United States in a Tier 3 SOC 2 Type 2 certified computing facility equipped with fully redundant power backup and fire suppression systems, 24-7 security guards, mantraps, controlled access, biometric authentication, and video surveillance.
- Wootric protects its computer and operations systems using standard industry methods designed to prevent outages and minimize impacts during any unavoidable service interruptions.
- Security-relevant events, including login failures, use of privileged accounts, changes to access models or file permissions, modification of installed software or operating systems, changes to user permissions or privileges, and use of any privileged system function, are logged on all systems.
Keeping your data secure also depends on you maintaining the security of your account by using sufficiently complex passwords and storing them safely. You should also ensure that your own systems are adequately secured, so that any survey data you download to your own computer is kept away from prying eyes. We offer SSL to secure the transmission of survey responses, but it is your responsibility to ensure that your systems are configured to use that feature where appropriate.
We welcome any questions you may have. Please contact us.