Privacy Basics

This is a snapshot of how SurveyMonkey treats personal information and data. FOR FULL DETAILS READ OUR PRIVACY POLICY.

1. Account data

You own the data in your account.

Your surveys/forms/applications/questionnaires and any responses you collect to them are private by default (except if you have made them available via a public link). We don’t sell individual responses to anyone and we don’t use those responses for purposes unrelated to your account and improving our services, except in the limited set of circumstances outlined in the privacy policy. Some uses we do make of Respondent related data includes, for example, in our survey tool aggregating usage trends around Respondents (types of questions answered and success of specific survey and question types over time) – this is done so we can make more accurate recommendations to you around use of our services.

We safeguard respondent email addresses.

To make it easier for you to invite people to take surveys and questionnaires or fill out forms and applications via email, you may upload lists of email addresses, in which case SurveyMonkey acts as a mere custodian of that data. We don’t sell these email addresses and we use them only as directed by you and in accordance with our Privacy Policy. The same goes for any email addresses collected in your account.

2. Privacy compliance

Respondent anonymity?

This depends on how you configure the survey, form, application or questionnaire. Click here to read more about respondent anonymity.

Respondent Information Requests.

SurveyMonkey does not handle respondent information requests such as access requests / right to be forgotten requests etc with respect to the data which you control in your account. We will always direct a Respondent back to you when we receive these requests and we have established processes to provide you with reasonable assistance for these requests as needed.

Data Retention.

You control how long data remains in your account. Once you delete data from your account it only exists in back-ups within our service for a limited period of no more than 12 months. After this time the data is permanently deleted. Any data we retain beyond this is non personal /aggregated and anonymous data related to the operation of our services which we use only to help us build new products and improve our existing services.

Data Transfers.

We offer all our customers our standard Data Processing Agreement with Standard Contractual Clauses (SCCs) and SurveyMonkey Inc is Privacy Shield certified.

3. Security

Security highlights for:

• Access Control (Authentication and Authorization)
• Continuous Network and Security Monitoring
• SOC 2 accredited Data Centers for survey data and AWS cloud storage for other services.
• Vulnerability Management
• Incident Response and Recovery
• Security Awareness Training
• Periodic Independent 3rd Party security reviews and penetration testing
• PCI DSS Compliant (SurveyMonkey/SurveyMonkey Apply and Wufoo services)
• HIPAA Compliant (SurveyMonkey surveys)

Data storage: We have multiple data centers to guarantee a secure and highly available service at scale.

Our Security team has drafted a Security White Paper containing more granular detail for our SurveyMonkey Enterprise customers. Please contact us if you would like to receive a copy. We are also in the process of seeking ISO 27001 certification as part of our security program for certain aspects of our business and will be providing updates as this progresses.