1. Application and User Security
SSL/TLS Encryption: SSL/TLS is used to ensure data is securely transmitted between our site and the intended recipient. All data sent to and from the 360 Feedback Manager site uses SSL/TLS.
User Authentication: User data on our database is logically segregated by account-based access rules. User accounts have unique email addresses and passwords that must be entered each time a user logs on. A session cookie records encrypted authentication information for the duration of a specific session. The session cookie does not include the password of the user.
User Passwords: User application passwords have minimum complexity requirements.
Data Portability: 360 Feedback Manager enables you to export your data from our system to Excel so that you can back it up, or use it with other applications.
2. Physical Security
Data Centers: Our information systems infrastructure (servers, networking equipment, etc.) is managed by Amazon AWS, which is accredited with SSAE16 Type II SOC1, SOC2 (Security and Availability Only), and SOC3.
Location: All user data is stored on servers located in Europe (and regulated by EU data protection), and we will notify you in advance of any plans to change this.
3. Network Security
Uptime: The site is continuously monitored for uptime, with immediate escalation to 360 Feedback Manager staff for any downtime. Uptime has been over 99.9% for each of the last 3 years (up to 2018).
Testing: All updates to the 360 Feedback Manager site are subject to functional and security testing before being pushed to the customer-facing site.
Penetration testing: We plan to do this test annually (scheduled for 1st Dec).
Firewall: A firewall restricts access to all ports except a minimal set required by the application.
Patching: The latest security patches are applied to all operating system and application files to mitigate newly discovered vulnerabilities.
Access Control: Access to the server is restricted to a small number of staff, authenticated with complex passwords which are reset every 3 months. Access to perform any harmful actions is further restricted by role-based rules and complex passwords.
Logging and Auditing: Central logging systems capture and archive all internal systems access including any failed authentication attempts.
Anti Virus and Anti Malware: Antivirus, anti-malware and network security software is installed on our system and is updated regularly.
4. Storage Security
Backup Frequency: Daily full backups of all data. This enables us to restore the site to a state not more than 24 hours before a major issue occurs.
5. Organizational Administrative Security
Employee Screening: We perform background screening on all employees.
Service Providers: We screen our service providers and ensure appropriate confidentiality obligations if they deal with any user data.
Audit Logging: We maintain and monitor audit logs on our services and systems.
Information Security Policies: We maintain internal information security policies, including incident response plans, and regularly review and update them.
6. Software Development Practices
Stack: The backend of the 360 Feedback Manager site uses Microsoft SQL Server, ASP.NET C#, IIS.
Coding Practices: Our engineers use best practices and industry-standard secure coding guidelines to ensure secure coding.
7. Handling of Security Breaches
Despite best efforts and adhering to best practices, no method of electronic storage is perfectly secure and we cannot guarantee absolute security. In the event of any security breach, we will notify all users via email notifications and/or through notifications on the 360 Feedback Manager site itself.
8. Your Responsibilities
Keeping your data secure also depends on you ensuring that you maintain the security of your account by using sufficiently complicated passwords and storing them safely. You should also ensure that you have sufficient security on your own systems, such that any survey data you download to your own computer is stored securely and is only seen by the intended parties.
9. Custom Requests
Due to the number of customers that use our service, specific security questions or custom security forms can only be addressed for customers purchasing a large volume of credits within 360 Feedback Manager. If this may be required for your company, you can contact us at support@360FeedbackManager.com.