April 11, 2019|Data Security & Compliance|

Overview

Checkbox takes data security very seriously and is committed to protecting the privacy of its customers and users. The information in this article is intended to provide an overview of the security measures that Checkbox has implemented with regard to data storage and application security. This article is not intended to be a comprehensive list of all of our security controls, as we do not disclose the details of certain policies, procedures and controls for security reasons.

Users of the Checkbox website, Checkbox hosted application, and Checkbox on-premises software should note that, while we follow generally accepted industry standards to protect your data, both during transmission and once we receive it, no method of transmission over the internet, or method of electronic storage, is 100% secure. Therefore, while we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.

Users of the Checkbox hosted application and Checkbox on-premises software should also be aware that the commitment to data privacy and security is a joint effort between Checkbox and you, as the survey or account administrator. It is your responsibility to be aware of the laws and regulations that are applicable to the type of data you are collecting, and to implement the Checkbox features that are necessary to protect that data. It is also your responsibility to ensure the accuracy of your Checkbox account data and to respond to requests from your respondents and users regarding any deletion of or updates to their data.

For information on GDPR compliance related to your Checkbox data, please see our GDPR help guide.

 

Hosting Architecture

Location

Checkbox utilizes Amazon Web Services (AWS) cloud-based virtual web servers in the United States, Montreal and Ireland to host its Checkbox hosted application.  Depending on the Checkbox plan level purchased, customers may have the option to choose their preferred hosting location at the time of purchase. For security reasons, Amazon does not disclose the exact address of its hosting locations. Details on Amazon’s AWS security and compliance policies can be found here: http://aws.amazon.com/security/.

Access

Access to data hosted on AWS is strictly limited to those employees who have a need to know. Remote access to customer or other sensitive data is highly restricted and no data is permitted to be downloaded or housed remotely. Contractors are not permitted access to any customer data.

Hosting infrastructure and hosted customer data is protected by a firewall, which limits public access to these instances to only the ports needed to use the service. Our Amazon customer support includes a monitoring system that detects the presence of a compromised hosting instance. Checkbox support is notified of issues in real time.

Scalability

The Amazon hosting infrastructure is scaled in quantity based on anticipated demand using a series of load balancers and Amazon’s Auto Scaling feature. Checkbox support is notified in real-time of any issues with server load or performance.

Backups and Disaster Recovery

Amazon’s elastic cloud computing allows Checkbox support to move customer databases to separate cloud computing instances within minutes in the event of a compromised instance or other issue that threatens customer data. Data is backed up on a daily basis, with backups stored as encrypted files on redundant Amazon S3 storage. 

In the event of an unexpected software outage, hardware, software, or infrastructure failure that leads to service downtime or data loss, or a security breach that compromises customer data, Checkbox will immediately notify all customers potentially affected by the failure.  Customers will be notified individually by email and messages will also be posted in the customer announcement section of the Checkbox customer support site and in the news section of the Checkbox website.

Application-Level Security & Testing

Application Security Features

Both the Checkbox hosted and on-premises versions include various features intended to protect the security and integrity of sensitive data, such as user role controls, survey and report access controls, password restriction settings, user lockout features, and single sign-on capabilities. Users who have questions about the features included in their plan or how to enable them should contact customer support or their account manager.

Encryption

Data that is transmitted from Checkbox hosted accounts is encrypted in transit using TLS 1.2 protocol. Checkbox on-premises customers have the option to enforce encryption on data in transit as well.

Backups of customer data are stored as encrypted files using redundant Amazon S3 storage. Checkbox on-premises customers and hosted customers customers on Team or Enterprise plans may also choose to enable encryption of their data at rest.

Customer Responsibilities for Application Security

Customers of Checkbox, including any users granted access to Checkbox by and on behalf of customers, are expected to maintain the security of their accounts and account data. This includes, but is not limited to, using sound and reasonable judgment when choosing and storing Checkbox passwords. Checkbox offers password encryption and password lockout features, but it is the responsibility of customers to enable and properly configure these features. Customers are also expected to maintain sufficient security and protection of their own servers and systems, and to protect sensitive and confidential survey and user data in their possession. 

Development Testing

Prior to each upgrade or update release of the Checkbox Survey application, all inputs within the administrative interface and within surveys are checked for vulnerabilities to JavaScript and SQL injection attacks. Encryption algorithms are consistently examined for possible security vulnerabilities and are updated as needed to remain in line with current technologies and current known security concerns. In the event of a customer detecting and reporting a security hole or issue, Checkbox will use industry-acceptable and reasonable methods to reproduce and identify said issue. Once identified, Checkbox will use commercially available and reasonable methods to develop and test a fix for the issue, and will release the fix with the next subsequent upgrade or update release. If Checkbox deems the issue to be a critical security vulnerability, a security “hotfix” may be released to resolve the issue in advance of the next full software release.

Notification of Application Security Issues

Despite best efforts, no software is bug-free and no method of transmission over the Internet or method of electronic storage is perfectly secure. Should Checkbox learn of a security issue within the application, Checkbox will immediately notify all customers potentially affected by the issue.  Customers will be notified individually by email and/or messages will be posted in the customer announcement section of the Checkbox customer support site and in the news section of the Checkbox website, as deemed appropriate.

 

Internal Security Policies & Controls

Security Policies & Training

Security policies and procedures are reviewed and updated by upper management on an annual basis. The updated policy is communicated to all employees upon hire, and reviewed annually with all employees.

Customer Data Policies

All employees are bound by the terms of their confidentiality agreement to protect the integrity of customer data at all times. There is a zero tolerance policy for negligence or misconduct with regard to customer data. Such negligence or misconduct is grounds for immediate termination. Any modifications to or testing of Checkbox customer databases are done on an in-house server and never on any employee’s personal computer. Customer databases used for testing purposes are immediately deleted from Checkbox servers once testing is complete and data is no longer needed. Non-disclosure agreements (NDAs) required by customers prior to release of customer data to Checkbox are reviewed by Checkbox upper management and the employee(s) who will be accessing the data, and are signed by Checkbox upper management. NDAs are filed with customer records.

Employee Access Controls

Only employees with a need to know basis have access to customer data. Remote access to customer or other sensitive data is highly restricted and no data is permitted to be downloaded or housed remotely. All company devices that house customer or other sensitive data are encrypted.

Password Policies

Checkbox follows Microsoft’s password policy recommendations for any company device or network passwords. All system-level passwords or passwords that are used to gain access to servers and systems containing sensitive internal and customer data are changed upon termination of any employee that had access to the password(s).

Employee Background Checks & Confidentiality Agreements

All employees with access to customer or other sensitive data are required to submit to a background check prior to hire. All Checkbox employees are required to sign a proprietary and confidential information agreement upon hiring. This agreement is in full force during and following the employee’s term of employment. Terminated employees are given a copy of the signed agreement upon termination. Protection of company and customer information is also covered in the Checkbox Employee Handbook, which all employees are required to review and sign upon hiring.

Security Questionnaires

Checkbox maintains a standard security questionnaire for its customers who would like more detail on Checkbox’s security policies. The questionnaire has been assembled by our management and security teams based on their knowledge of best practices and industry-standard questionnaires. If you would like a copy of this questionnaire, please email your request to info@checkbox.com. We are not able to accommodate requests for client-specific security questionnaires, except at the Enterprise account level.

Disclosure of Data to Third Parties

Checkbox will not disclose your personal data or your Checkbox hosted data to any non-agent third party, except as outlined in this document or our Privacy Policy.

We reserve the right to disclose your personally identifiable information as required by law and when we believe that disclosure is necessary to protect our rights and/or comply with a judicial proceeding, court order, or legal process served on our website.

There may also be instances where Checkbox may be required to share your information with third parties who have not been retained by Checkbox, during inspections or audits, in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, or as ordered or directed by courts or other governmental agencies. Many entities receiving your information under these conditions have privacy requirements that apply to their handling of your information.

 

Questions?

If you have questions about the security features of your account or how to use them, please contact support. If you have general questions about Checkbox’s security features or practices, or to request a copy of our standard security questionnaire, please email info@checkbox.com.