Security Policy

This Security Policy applies to the products, services, websites and apps offered by Problem Free Limited. We refer to those products, services, websites and apps collectively as the “Services” in this Statement. This Security Policy also forms part of the user agreements for FreeOnlineSurveys, KwikSurveys and Shout customers.

We take the security of your data very seriously and in striving for complete transparency in how we handle and protect your data.

Human resource security

A comprehensive awareness training program is delivered on an ongoing basis to all Problem Free Limited employees to emphasise the need to protect customer cloud data appropriately. We also require our contractors to provide appropriate awareness training to all relevant employees and they are briefed on the specific requirements.

Encryption

Transactions between the user (including administrators) and the cloud environment are encrypted using TLS 1.2+ by default. If removed from a physically secure datacentre customer data will be encrypted at rest. Any data sent between our production servers (such as to a database) will only be communicated via their own private network, private virtual LAN or through an encrypted channel.

Physical security

Our primary database and web servers are located at a reputable data centres in the UK.  Our datacenters have 24/7 on-site security, CCTV monitoring and access control via RF key cards. The data centre holds ISO 27001 information security management certifications. Backups are encrypted before being transferred to the Amazon S3 cloud (EU).  All datacenters we use will have appropriate physical security in place.

Access Control and logging

We use the “authentication everywhere” principle for all internal admin systems. Employees are only given access to systems and personal data if it is required for the performance of their role. We record audit logs of any access to customer accounts (including our own staff), as well as important operations that take place on their accounts for legal and security purposes. Employee access to company systems will be revoked within 24 hours of termination. Complex password policies are enforced.  Server logs are shipped to an external log aggregator.

Asset management

All company hard drives are encrypted with full disk encryption. Only devices properly secured by the company will be able to access company networks. Employee PCs all have firewalls installed as standard, as well as anti-malware software that scans systems for vulnerabilities at least once a week. 

Development

Our service is built on the enterprise-grade Microsoft .NET MVC platform and uses an ORM to interact with the customer database. This prevents many of the most common security venerability’s (such as SQL injection.)  We use deployment automation systems to move the code from distributed source control system, to staging environments for review and testing before deploying to the production environment.  Staging and production systems are always separated.

Vulnerability testing and patch management

We will periodically perform venerability scanning on our servers to identify any relevant issues. Security patches are reviewed regularly and applied to our servers where appropriate.

Web application firewall and security proxy

Our servers are protected by Cloudflare who provide expert defence against DDOS attacks, a web application firewall to filter suspicious or dangerous activity, block known “bad IP addresses/users” and offer various cryptographic enhancements.  Our surveys and forms are pushed out to their edge servers to ensure high performance for end-users.

Information security incident management

Where we believe it’s appropriate to inform the customer of an information security event (before it has been determined if it should be treated as an incident), it will be relayed to the nominated customer administrator. Similarly, the customer may report security events to our support desk where they will be logged, and appropriate action will be decided on. Information about the progress of such events may be obtained from the support desk. We will report information security incidents to the customer where we believe that the customer service or data has or will be affected.

We will do this to the nominated customer administrator or deputy as soon as reasonably possible and will share as much information about the impact and investigation of the incident as we believe to be appropriate for its effective and timely resolution. An incident manager will be appointed in each case who will act as the Problem Free Limited point of contact for the incident, including matters related to the capture and preservation of digital evidence if required. We prioritise incident management activities to ensure that the timescale requirements of the GDPR, for notification of breaches affecting personal data, are met.

Information Security Aspects of Business Continuity Management

Our production data centres are distributed across multiple cities to provide redundancy in the event of a widespread outage. Database transaction log backups are scheduled for every 15 minutes and are automatically encrypted and transferred to the remote Amazon S3 storage cloud. Additional full and differential backups are taken periodically and similarly transferred to the same safe location.  Source code is stored in distributed version control.