Security Policy

Valid as at 27 July 2021

Web Survey Creator takes data security seriously. We make every effort to keep your data secure, and to collect and store only the personal information required to administer your account and to make your use of the software as efficient as possible. The steps we take to secure your data are detailed below.

STORAGE AND SECURITY OF PERSONAL INFORMATION

At any time that Web Survey Creator has possession or control of a record that contains personal information, we ensure:

  1. that the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse; and
  2. that if it is necessary for the record to be given to a person in connection with the provision of a service to Web Survey Creator, everything reasonably within the power of Web Survey Creator is done to prevent unauthorised use or disclosure of information contained in the record.

We have appropriate disposal arrangements in place for records containing personal information, and such records are destroyed securely.

APPLICATION AND USER SECURITY

Web Survey Creator uses advanced commercially available technology to secure each user's internet session.

When a user registers with Web Survey Creator they must create a unique username and a password, and both must be entered each time they log on. User data in the database is segregated logically by account-based access rules, so that records belonging to one account are not returned to another.
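As an added illustration of account-based segregation (example code written for this page, not Web Survey Creator's own implementation, which is not published here), the following Python contrasts a survey lookup that trusts the survey id alone with one that scopes every query by the calling account. The table layout, column names and sample rows are constructed for the example.

```python
import sqlite3

# Constructed sample data for this example (not real Web Survey Creator records).
SAMPLE_ROWS = [
    # (survey_id, owner_account_id, title)
    (101, 1, "Customer satisfaction Q3"),
    (102, 1, "Staff engagement"),
    (201, 2, "Product launch feedback"),
]


def build_db() -> sqlite3.Connection:
    """In-memory database in which every survey row carries the account that owns it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE surveys ("
        "survey_id INTEGER PRIMARY KEY, "
        "owner_account_id INTEGER NOT NULL, "
        "title TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO surveys VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_survey_unscoped(conn: sqlite3.Connection, survey_id: int):
    """Insecure lookup: the query is keyed on survey_id alone, so any logged-in
    account that guesses or enumerates an id reads another account's survey
    (an insecure direct object reference)."""
    return conn.execute(
        "SELECT survey_id, owner_account_id, title FROM surveys WHERE survey_id = ?",
        (survey_id,),
    ).fetchone()


def get_survey(conn: sqlite3.Connection, account_id: int, survey_id: int):
    """Account-scoped lookup: the ownership rule is part of the query itself, so a
    foreign survey id yields no row at all rather than a row that is checked later."""
    return conn.execute(
        "SELECT survey_id, owner_account_id, title FROM surveys "
        "WHERE survey_id = ? AND owner_account_id = ?",
        (survey_id, account_id),
    ).fetchone()


def list_surveys(conn: sqlite3.Connection, account_id: int) -> list[int]:
    """Listing is scoped the same way, so enumeration only ever returns the caller's rows."""
    rows = conn.execute(
        "SELECT survey_id FROM surveys WHERE owner_account_id = ? ORDER BY survey_id",
        (account_id,),
    )
    return [row[0] for row in rows]


def demo() -> dict:
    """Account 2 requests account 1's survey 101 through both code paths."""
    conn = build_db()
    return {
        "unscoped_leaks_foreign_row": get_survey_unscoped(conn, 101) is not None,
        "scoped_denies_foreign_row": get_survey(conn, 2, 101) is None,
        "scoped_returns_own_row": get_survey(conn, 2, 201) is not None,
        "account_2_sees_only": list_surveys(conn, 2),
    }


if __name__ == "__main__":
    print(demo())
```

Both queries bind their parameters rather than concatenating them, which also covers the SQL injection class named in the penetration testing scope further down this page. The scoped query never loads a foreign row into memory, so there is no window in which a later authorisation check can be forgotten.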

User passwords must meet length and complexity requirements, and each is stored as an individually salted hash rather than in plain text.
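The following Python is an added example, not Web Survey Creator's code, of the two measures just described: a length and complexity check, and per-user salted hashing using PBKDF2-HMAC-SHA256 with a constant-time verification. The minimum length, the character-class rule and the iteration count are assumed values, since the page does not state the actual requirements.

```python
import hashlib
import hmac
import os
import re

# Assumed policy values for this example; the page states only that length and
# complexity requirements exist, not what they are.
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 600_000   # assumed; in the range current OWASP guidance gives for PBKDF2-HMAC-SHA256
SALT_BYTES = 16               # 128-bit random salt, generated fresh for every stored password

CHARACTER_CLASSES = {
    "lowercase letter": r"[a-z]",
    "uppercase letter": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


def check_password_policy(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, pattern in CHARACTER_CLASSES.items() if not re.search(pattern, password)]
    if len(missing) > 1:  # assumed rule: at least three of the four classes must be present
        problems.append("needs at least three of: " + ", ".join(CHARACTER_CLASSES))
    return problems


def hash_password(password: str) -> str:
    """Derive the stored credential: a fresh random salt, then PBKDF2-HMAC-SHA256.
    The record is self-describing so the parameters can be raised later."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash with the salt from the stored record and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if algorithm != "pbkdf2_sha256":
        return False
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(expected, actual)


def needs_rehash(stored: str) -> bool:
    """True when a record was made with a weaker setting than current policy;
    the caller rehashes after the next successful login, when the plaintext is available."""
    try:
        algorithm, iterations, _salt, _digest = stored.split("$")
        return algorithm != "pbkdf2_sha256" or int(iterations) < PBKDF2_ITERATIONS
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("Correct-Horse-Battery-9")
    print(record)
    print(verify_password(record, "Correct-Horse-Battery-9"), verify_password(record, "wrong"))
```

Because the salt is random per user, two accounts with the same password produce different stored records, so a leaked table cannot be attacked with a single precomputed table and cracking cost scales with the number of users. The comparison uses hmac.compare_digest so that the time taken does not depend on how many leading bytes match.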

All areas of the site use Transport Layer Security (TLS) to protect user data during transmission. This includes all sensitive data such as credit card details and passwords and all responses submitted by survey respondents.

All credit card information is transmitted via TLS to our payment gateway provider, SecurePay, where it is securely stored. SecurePay holds the highest level of PCI DSS accreditation (PCI DSS is the global security standard for protecting card data). No credit card information is stored in our database except for the expiry date and the last 3 digits of the card number, to help you identify the card used.

DATA CENTRE PHYSICAL SECURITY

Data centres feature a layered security model, including safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics. The data centre floor features laser beam intrusion detection.

Our data centres are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders. Access logs, activity records and camera footage are reviewed if an incident occurs. Data centres are also routinely patrolled by experienced security guards who have undergone rigorous background checks and training.

NETWORK SECURITY

  • 24x7 monitoring of the network
  • Redundant power supplies and environmental controls
  • Low latency and high availability
  • ISO 27001, ISO 27017 and ISO 27018 compliant

Regular security patching and auditing keep the vulnerability footprint at the OS layer to a minimum.

DIGITAL DATA STORAGE SECURITY

  • Data is stored on fully redundant, fault-tolerant, encrypted disk subsystems
  • Continuous data protection, with daily backups retained for 90 days and written to physically separate devices

We use several layers of encryption to protect customer data at rest. Stored data is encrypted at the storage level using AES-256 or AES-128.

SOFTWARE DEVELOPMENT PRACTICES

Our software is written using Microsoft technologies, including C#.

Our engineers follow best practice and industry-standard guidelines for software development and for the security of code.

HANDLING OF SECURITY AND DATA BREACHES

No method of communication or transmission over the Internet is perfectly secure, despite everyone's best efforts. Whilst we cannot guarantee absolute security, if Web Survey Creator learns of or is advised of a potential security or data breach, we will:

  • Form a team including senior WebSurveyCreator.com personnel
  • Investigate what has occurred
  • Investigate what information has been compromised (e.g. usernames, passwords, survey response data)
  • Immediately determine the nature and scope of the breach and act to prevent further data loss
  • Notify affected customers, if appropriate
  • Notify the Office of the Australian Information Commissioner (OAIC), if appropriate
  • Notify the Australian Market & Social Research Society Limited (AMSRS), if appropriate
  • Take action to remediate the breached data
  • Take action to ensure the data breach cannot reoccur

PENETRATION TESTING

Web Survey Creator has been penetration tested. The tests were conducted by an independent security consultant, working to industry guidelines.

The scope of testing covered all functionality available to unauthenticated and authenticated users. To ensure that the whole attack surface was covered and that all critical parts of the Web Survey Creator application were tested to industry guidelines, the OWASP Application Security Verification Standard (ASVS) was followed. Specifically, the testing included, but was not limited to, the following areas:

  1. It was verified that the authentication and session management subsystems are securely implemented and cannot be bypassed, and that sessions cannot be hijacked.
  2. To confirm the correctness of the authorisation and permissions subsystems, tests were performed to make sure that it is not possible to escalate privileges or to access functionality or resources that are only available to higher-privileged users.
  3. Malicious input handling: all discovered endpoints were tested against server-side injection issues (SQL, XXE, LDAP, XML, etc.) and client-side injection issues (XSS, HTML injection, JavaScript inclusion, response splitting, etc.).
  4. Risky functionality and business logic: application-specific logic was tested to make sure that it cannot be abused or circumvented.
  5. It was verified that cryptography is used correctly and that no insecure or obsolete protocols or cryptographic primitives are in use.

The independent consultant confirmed, during a separate retesting phase, that all high- and medium-risk issues identified during the testing had been properly mitigated by Web Survey Creator.

Click Here to view the Pen Testing Executive Summary

FURTHER SECURITY INFORMATION

If you have any concerns or questions, please contact us at support@websurveycreator.com.

Click Here to view our previous Security Policy