Yes, SurveyMonkey is safe to use. We have implemented multiple levels of security controls to ensure that your data is kept safe and secure, including security-enhancing product features like SSO and multi-factor authentication technology. We also incorporate intrusion protections systems, data leakage prevention tools, and bug bounty programs.

SurveyMonkey is also compliant with ISO 27001, SOC2, and PCI-DSS.

Yes, we comply and help our customers comply with the General Data Protection Regulation (GDPR) applicable in the European Union and with similar rules in regions like the UK and Switzerland. We have implemented a variety of measures to ensure we meet the requirements of the GDPR. This includes features like data encryption, secure data storage in our EU-based data center, and robust privacy controls. We also provide tools that allow you to manage consent, data access, and data retention, helping you remain compliant.

SurveyMonkey data centers operate within a cloud-based architecture powered by Amazon Web Services (AWS), with locations in Ireland (EU), Canada, and the United States. Enterprise users can select the physical location for the storage of some of their data. Regardless of where your data is stored, our privacy and security settings ensure compliance with data protection regulations in regions such as Australia, Canada, the UK, and the EU.

Yes, we offer HIPAA-compliant features as an add-on to help you meet your compliance needs. This add-on is only available to SurveyMonkey Enterprise customers. Learn more about HIPAA compliance at SurveyMonkey, including how to sign a Business Associate Agreement with us.

Yes, we offer an enhanced sensitive data protection add-on which provides a higher level of security when using SurveyMonkey to collect or store sensitive information. This add-on is only available to SurveyMonkey Enterprise customers. This offering is currently not available to Apply or GetFeedback products.

Our approach is a privacy-by-design and data minimization-first approach. Following industry practice and consistent with our Privacy Notice, we use de-identified customer data or synthetically-generated data to train and build our proprietary AI models, while also protecting customer security and privacy.

We have spent many years developing a secure methodology for safely and securely improving our models with minimal invasiveness or human review. This involves a thorough automated method for aggregating and de-identifying data prior to use for model training. We exclude personal data from these data sets and we set strict retention limitations on all data used for this purpose, ensuring that it is deleted within a set time period after use. We also apply strict access controls for data, such that least privileged rules apply. 

Several AI features use OpenAI or other third-party providers to generate insights. Data shared with these third-party providers is not used to train their AI models.

SurveyMonkey encrypts all data at rest in our data centers using AES 256 based encryption. Additionally, SurveyMonkey encrypts all data in motion using (i) RSA with 2048 bit key length based certificates generated via a public Certificate Authority, for communications with entities outside SurveyMonkey data centers, and (ii) RSA 256 certificates generated via Internal Certificate Authority, for all the data within the data centre.

Yes. We conduct annual third-party penetration tests to check for any vulnerabilities.

SurveyMonkey maintains the following security certifications:   SOC II,  ISO 27001, PCI DSS 3.2 and EU-US Data Privacy Framework Certification. 

Since our customers act as controllers (or businesses) over their respondents’ personal data, we enable our customers to fulfill the data subject requests of their users.

No. See our Region-Specific Privacy Notice for more details.

See a full description of our subprocessors.

Yes, we conduct bi-annual audits of our security and privacy practices to ensure compliance with applicable local and international regulations.

SurveyMonkey relies on Standard Contractual Clauses for international data transfers, including appropriate technical and organizational measures to protect EEA, UK, and Swiss personal data during and after transfer. 

We have also self-certified under the EU-US Data Privacy Framework, the UK Extension, and the Swiss-US DPF Principles, ensuring that we adhere to strict data protection standards when handling customer data.
Please see our EU Data Transfer Statement for more information.

When you are an Australian customer, you enter into a contract for SurveyMonkey services with our Irish entity, SurveyMonkey Europe UC. SurveyMonkey Europe UC complies with laws applicable to it in Ireland and the European Union to include the General Data Protection Regulation (GDPR). However, we have taken steps to ensure that our contract terms, data protection, and security controls are more broadly compatible with laws that are of concern to our customers where possible. This includes implementing transparent privacy notices, user controls in our products/privacy by design, industry standard technical and organizational security measures to protect data, and ethical AI development and governance practices. We also have an Australia addendum to our DPA which is available for our Australian customers.