Keeping your data secure
SurveyCTO has been built with industry-leading data-security features, in order to help users safeguard even the most sensitive PII data (including, e.g., health and financial data). Some features are fully automatic, such as the extensive SOC 2 compliance program that safeguards all of our server hosting operations. Other features are optional, allowing you to find your preferred balance between convenience and security. So, for example, you can set password complexity and expiration rules to match your own preferences and information security policies.
One important option offered by the SurveyCTO platform is end-to-end encryption. While each SurveyCTO component uses strong industry-standard methods like at-rest and in-transit encryption to protect data against unauthorized outside access, end-to-end encryption allows you to protect data even from inside access (from authorized users, server administrators, and even the SurveyCTO platform itself). With this option, form data is encrypted with a public encryption key as soon as a submission is finalized, and from that point onward it is only readable by people who have the private encryption key. You create and manage your own keys, so not even SurveyCTO engineers or server administrators can see the encrypted data you collect: it passes through SurveyCTO cloud systems in an encrypted, unreadable format.
Just below is a checklist of best practices for the most secure data collection program, followed by a fuller discussion of data security considerations all through the SurveyCTO ecosystem (from securing devices to server management to exporting, publishing, and sharing data).
Best practices for secure data collection
The following are best practices for securing data collected with SurveyCTO. When collecting sensitive data, we generally advise that you adopt as many of these practices as possible. Each topic is discussed more fully in both the hyperlinked help topics and the sections that follow.
When collecting data with mobile devices:
Configure your server to enforce all of the available mobile security requirements. If you need to make exceptions for certain cases (e.g., if somebody needs to use local wi-fi sync), you can use the “Ignore mobile security settings” option for individual user roles. Available options include:
- Require lock screen
- Require private workspace storage
- Require device encryption
- Don’t allow jailbroken or rooted devices
- Require dedicated workspaces
- Don’t allow any outside access
- Don’t allow un-dedicating
Configure devices to log in with users in data-collection-only user roles, so that their credentials don’t give them unnecessary access. Also configure workspace and admin passcodes for the highest level of security.
Use default device configurations and the quick setup facility to set up new devices in a uniform way, customizing default settings to user roles as needed.
Set password complexity and expiration rules appropriate for the kinds of data you are collecting, perhaps in excess of what is required by your organization’s information security policies.
Configure external authentication if possible, and set all manager and admin user roles to require external authentication. That way, when somebody leaves your organization and loses access to their organizational email account, they automatically lose access to your SurveyCTO server.
Configure end-to-end encryption for all forms containing sensitive data, use different encryption keys for different forms or projects, and be extremely careful how and with whom you share the private keys. When it’s necessary to publish certain fields to an outside system or server-side dataset, you can flag only those individual fields as publishable.
Only allow anonymous access to web forms when the forms themselves reveal no sensitive information or data.
Secure all systems to which you export SurveyCTO data – including those systems’ backups – and consider using cold room computers for processing your most sensitive data.
When publishing data directly to an outside system, avoid publishing PII fields unless strictly necessary (and unless you are able to fully trust the security of the outside system).
Mobile-device security
If you’re collecting data with Android or iOS devices, data security starts on those devices. They should all be configured with secure lock screens and device encryption, and they should never be “jailbroken” or “rooted” to bypass device-level security protections. You can configure your SurveyCTO server to require all of this as a matter of policy, so that devices that don’t meet your requirements aren’t allowed to download forms or submit data until they’re brought into compliance.
You can also configure your server to require that all local forms and data be stored in private device storage, within a separate workspace dedicated to your server only, and that all outside access to collected data, such as local wi-fi sync features, be disabled.
To ensure that new devices are always onboarded with the right settings, you can use default device configurations and the quick setup facility, customizing the default device configurations by user role. To be safe, also configure devices to log in with users in data-collection-only user roles, so that their credentials don’t give them more access than necessary, and configure passcodes to protect workspaces and administrative settings.
Finally, assuming that they are devices that you own and manage for data-collection purposes, you might install some kind of mobile device management (MDM) or even parental-control app, in order to help manage your devices and limit how they’re used. (Limiting access to install new apps, for example, can improve security while also extending battery life.)
Server and web-form security
Server security is a shared responsibility. As the hosting provider for SurveyCTO services, the Dobility team hosts all production systems in an industry-leading security environment and protects servers with a strong, externally audited information security compliance program. This includes layers of safeguards, monitoring, and auditing, such as external penetration testing and SOC 2 audits. As the user, you also have some responsibilities.
First and foremost: you control who has access to your SurveyCTO server by managing users and user roles. You can set password complexity and expiration rules to match your organization’s information security policies, configure external authentication so that users sign in with single sign-on (SSO), and control exactly which user roles have access to server APIs.
In managing users, you should follow the “principle of least privilege”: users should have no more access than required for them to perform their role on the team or project. You do this by ensuring that each user is set to a user role with only the appropriate level of access and that each device logs in as an appropriate user. (SurveyCTO allows extremely fine-grained control over permissions; you can create as many custom user roles as you need and even grant view-only access to data on a per-form basis.)
Finally, when you collect data with web forms, they default to private: only logged-in users in roles with the relevant access will be allowed to see and fill them out. You can individually override this default by opening a form to anonymous web users, but you should only do so when you’re sure that the form itself doesn’t reveal any sensitive information or data.
Exporting, publishing, and sharing data
Only export and save SurveyCTO data on systems that are fully secure. If saving onto a laptop computer, for example, you will first want to make sure that the laptop is adequately protected against outside access; it should be running modern firewall systems, be secured with a password lock screen, and, for systems housing sensitive data, be fully encrypted. All of the laptop’s backups should also be password-protected, encrypted, and kept in a safe physical environment.
For working with the most sensitive PII data, you might need to use a cold room (air gap) computer that is fully isolated from public networks. SurveyCTO Desktop can make it painless to download encrypted data, transfer it to a cold-room computer, and decrypt it there, within a fully safe environment.
When it comes to sharing data with others, SurveyCTO Desktop can make it easy to export safe, non-PII subsets of responses. If you’re sharing full PII data with others, you should be very careful about how you do it; never email PII data, and never put PII data in a public location that others may access (e.g., protected only by a secret link). Instead, you can use SurveyCTO’s secure facility for sharing data with external users.
If a form is configured for end-to-end encryption, be very careful about how and with whom you share its private encryption key. Rather than sharing the key with everybody who needs access to the data, you might consider marking certain non-PII fields as publishable, so that people without the private key can see them. That way, you can share the non-PII data more widely, without having to share the private key.
Finally, if you’re publishing data directly to other systems via Google Sheets, Zapier, or webhooks, be careful to only publish PII fields when strictly necessary. In most cases, you should be able to publish only a safe subset of non-PII fields.