Survey Software Security
Confirmit survey & reporting software offers the highest level of data security and compliance with regulatory standards in the industry.
Respondent Security (Answering Surveys):
- Each Confirmit project stores all respondent and response data in its own MS SQL Server database with a unique system user access protocol to prevent unauthorized access to confidential data.
- Respondent data is kept separate from response data, ensuring respondent confidentiality.
- All account passwords are encrypted.
- To further prevent unauthorized access to an MS SQL server, where response data is stored, no access is possible directly from the Internet. Access is only interfaced through the Confirmit interview engine or the Confirmit author application.
- Confirmit supports Secure Sockets Layer (SSL) for Confirmit users, survey respondents, and report viewers. SSL is enforced during login, but is optional for authoring and surveys.
- Confirmit uses a combination of system-generated and randomly generated passwords to identify the respondent and the correct stage in the interview when moving from page to page.
- Interview pages are not cached, i.e. no information is stored on the respondent's computer once the browser is closed. This is critical for new product and concept testing.
Author Security (Creating Surveys):
- Access to all available project and data information is by default only granted to the Confirmit user who creates each project.
- In addition to different levels of project permissions, other access levels are determined by the profile assigned to the Confirmit user.
- Login controls: each account has an expiration date.
- The system requires passwords to be changed regularly (interval defined by the client) and must follow specified criteria (validation defined by the client).
- Accounts are locked after a certain number of unsuccessful login attempts.
- Passwords are not visible to Confirmit employees, and One-Time Passwords are set up for new / re-opened accounts.
- Users are automatically logged off after a given period of non-activity (60 minutes on ASP).
Additional Security Features (Confirmit Recommended):
- Confirmit supports encrypted file transfer (PGP encryption) - critical for secure data exports, report exports, respondent uploading, and other data transfers with third party databases.
- Automated FTP transfer of data files is supported, in combination with PGP encryption if desired.
- To prevent potentially malicious code, Confirmit provides a Script Checker that will indicate code that needs to be excluded or amended in surveys.
- For an extremely strict server environment, it is possible to HTML encode all textual elements.
- To prevent survey e-mails from being listed as spam, Confirmit provides a Mail Authentication security layer.
Security Assessments - Confirmit On-Demand Environments:
- The Confirmit ASP Hosting Environments have been designed with security, high availability, and performance in mind.
- Confirmit significantly invests in outsourcing the On-Demand / SaaS / ASP Hosting Environments with leading Managed Hosting providers, securing the highest available service levels.
- Confirmit has passed 100% of all security due diligence assessments performed by a number of global organizations, including some of the largest financial institutions as well as government agencies.
- Confirmit delivered 99.988% uptime for respondents in 2006.
- Foundstone, a division of McAfee, performed a full Network Assessment Review, including External Penetration testing, in December 2006. Confirmit's sites were rated with the highest Security Posture Analysis Grade: A.
- All servers and application services, as well as the network infrastructure, are redundant with no single point of failure.
- Network IDS is deployed to secure the network by automatically blocking malicious network traffic.
- All servers, services, and networks are monitored 24/7 by both Confirmit and the hosting partner, with operation teams on stand-by.
- Strict change and configuration control and server installation routines ensure the best possible uptime and availability for ASP clients.