Thousands of organizations trust Spidergap to securely collect, store and share their 360 feedback data. We take the security of that data, and other data collected through use of the site, very seriously.
This Security Statement is aimed to be transparent about our security infrastructure and practices, to help reassure you that your data is appropriately protected.
Application and User Security
- SSL/TLS Encryption: SSL/TLS is used to ensure data is securely transmitted between our site and intended recipient. All data sent to and from the Spidergap site uses SSL/TLS.
- Data at rest encryption: The application database is encrypted when stored in database tables, temporary files, and backups.
- User Authentication: User data on our database is logically segregated by account-based access rules. User accounts have unique email addresses and passwords that must be entered each time a user logs on. A session cookie records encrypted authentication information for the duration of a specific session. The session cookie does not include the password of the user.
- User Passwords: User application passwords have minimum complexity requirements. Passwords are individually salted and hashed.
- Payment Information: Payment information, including credit card details, is handled by Stripe - the industry leader in this field. We do not store any credit card details on our own systems. You can review their security here.
- Data Portability: Spidergap enables you to export your data from our system to Excel so that you can back it up, or use it with other applications.
- Data Centers: Our information systems infrastructure (servers, networking equipment, etc.) are managed by Google and Rackspace who are accredited with SSAE16 Type II SOC1, SOC2 (Security and Availability Only), and SOC3.
- Data Center Security: Data center access is limited only to authorized personnel, and is protected by badges and biometric scanning; security cameras; access and video surveillance log retention; 24x7 onsite staff and unmarked facilities. Physical security audited by independent firms annually.
- Environmental Controls: Environmental Controls are implemented and monitored to help mitigate against the risk of service interruption caused by fires, floods and other forms of natural disasters.
- Location: All user data is stored on servers located in Europe (and regulated by EU data protection), and we will notify you in advance of any plans to change this.
- Uptime: The site is continuously monitored for uptime, with immediate escalation to Spidergap staff for any downtime. Uptime has been over 99.9% for each of the last 3 years (up to 2017).
- Third Party Scans: Weekly security scans are performed by Qualys.
- Testing: All updates to the Spidergap site are subject to functional and security testing before being pushed to the customer-facing site.
- Penetration testing: External organizations perform penetration tests at least annually.
- Firewall: Firewall restricts access to all ports except a minimal set required by the application.
- Patching: The latest security patches are applied to all operating system and application files to mitigate newly discovered vulnerabilities.
- Access Control: Access to the server is restricted to a small number of staff authenticated over SSH with key-based authentication. Access to perform any harmful actions is further restricted by role-based rules and complex passwords.
- Logging and Auditing: Central logging systems capture and archive all internal systems access including any failed authentication attempts.
- Backup Frequency: Cloud SQL is set-up with daily backups and binary logs to enable point-in-time recovery.
Organizational Administrative Security
- Employee Screening: We perform background screening on all employees.
- Training: We provide security and technology use training for employees.
- Service Providers: We screen our service providers and bind them under contract to appropriate confidentiality obligations if they deal with any user data.
- Access: Access controls to sensitive data in our databases, systems, and environments are set on a need-to-know / least privilege necessary basis.
- Audit Logging: We maintain and monitor audit logs on our services and systems.
- Information Security Policies: We maintain internal information security policies, including incident response plans, and regularly review and update them.
Software Development Practices
- Stack: The backend of the Spidergap site uses PHP and NodeJS services run Google App Engine, with a Cloud SQL MySQL database
- Coding Practices: Our engineers use best practices and industry-standard secure coding guidelines to ensure secure coding.
Handling of Security Breaches
Despite best efforts and adhering to best practices, no method of electronic storage is perfectly secure and we cannot guarantee absolute security. In the event of any security breach, we will notify all users via email notifications and/or through notifications on the Spidergap site itself.
Keeping your data secure also depends on you ensuring that you maintain the security of your account by using sufficiently complicated passwords and storing them safely. You should also ensure that you have sufficient security on your own systems, such that any survey data you download to your own computer is stored securely and is only seen by the intended parties.
Due to the number of customers that use our service, specific security questions or custom security forms can only be addressed for customers purchasing a large volume of credits within Spidergap. If this may be required for your company, you can contact us at firstname.lastname@example.org.