There was a time when data security and privacy were an afterthought for companies big and small when launching software products. It was a checkbox that could be ticked by making sure you had the latest version of your engineering framework, or adding a cookie popup to your website.
Those days are gone.
Every company now needs to be thinking about their data security & privacy policies from the very beginning, and at each stage of growth the challenge only gets more important.
At Great Question, data security & privacy has been a primary product principle since day one. It’s codified in our shorthand, borrowed from our friends at Atlassian: “don’t F the customer.”
Every feature that gets released is reviewed through the lens of the impact it could have on potentially sensitive customer data, and how it can be leveraged to protect that data - whether from malicious actors, or simply careless colleagues.
We’ve been given the privilege of holding onto some very important user data, and our customers use that data to understand their customers’ needs better. The least we can do is keep that data safe and secure so that these research relationships can grow.
Data makes research personal: Great research starts with identifying & recruiting the right customers. The challenge comes when the customer data needed to segment that list of customers verges on PII. There are ways to protect PII AND send targeted research outreach to everyone.
PII shouldn’t be visible to everyone: One of the best definitions I’ve heard of Personally Identifiable Information (PII) is that it’s any data that could be used to identify someone with a Google search. It’s not just a name and an email address, but it could also include a title, a location or a company name.
With that definition, it’s important to reveal the least amount of customer data required in order to do your job. So while an admin might see everything, a product manager likely doesn’t need a last name or an email address in order to know if someone is a good fit for their next research project.
Permission management + access controls protect everyone: Access to user data is not only a privilege, it’s also a risk. You don’t want to be the one to accidentally reveal information you shouldn’t have accessed. This includes everything from participant data, to interview recordings and survey responses.
Granular permission management empowers teams to do their jobs with just enough access to the information they need; audit logs help to identify who has accessed what data; SSO + SAML with multi-factor authentication protect system-wide access.
Independently audited: Tools that host customer data need to be compliant based on the requirements of the industry in which your company exists, and more importantly should be independently audited to verify these claims. SOC 2, for instance, is rapidly becoming the bare minimum standard for security compliance within software as a service businesses.
From the start, we’ve placed data privacy and security at the top of our list of product pillars. We show our commitment to this with the following capabilities:
Pen tests: Three months after launching, we had our first pen test, and a security consultant came in to push the product. We opened our security page and asked people to submit bug bounties, and they did in force. But, it’s made us stronger from the start.
Security compliance certifications: Within nine months, we had our SOC 2 Type I, and we received our SOC 2 Type II certification last quarter. We did this because we knew we were dealing with sensitive customer data. Selling to the biggest companies in the world and ensuring that we weren’t going to ‘F’ our customers is how we show that we care.
Hiding PII by default: We hide any PII from all users who aren’t administrators by default. Product managers and designers don’t need to know things like last names or email addresses. If you can send invites right through Great Question, then you don’t NEED to open up that PII to people who don’t NEED to know their customers' contact information. And everyone is better off.
Audit logs: Every data change, every data sync, every meeting, every survey response, and survey view is logged in Great Question. So, auditors can easily see what data has been accessed, adjusted, and imported, making compliance checks faster and easier on the research operations teams.
2FA & SSO: We offer SSO and two-factor authentication to customers that need it, and we don’t believe that SSO access should be a “tax”: it’s included on every plan that we have, and even our free trials allow for Google SSO. It’s been that way from the start, and we plan to keep it that way.
Data retention: Our repository's default setting for auto-deleting data is six months. This removes old data, protects customer PII, and reduces the attack surface area. No one needs to see an interview with a customer from 3 years ago.
I can’t say it loud enough, “security is not just a feature that allows us to check a box on a questionnaire.” We think that great research starts on a foundation of trust, and you can’t have trust without security. It’s how we have the trust of our customers like Brex, Auth0, MainStreet, and Chipper Cash. These large companies trust us to keep their customer data safe, and we’re not going to risk that trust. Ever.