Customer research privacy features

At Great Question we take security and privacy very seriously. We apply best practices and manage security at all levels of our organization - from infrastructure through to development processes and employee training.

Encrypted data
All data in-transit is secured using TLS and at-rest with AES-256, block-level storage encryption.
All customer passwords are hashed. This means if you lose it, it's gone forever.
Certified infrastructure
We rely on Heroku to provide our infrastructure. Heroku data centers are SOC 1, SOC 2 and SOC 3 certified.
Constant monitoring
We monitor both our infrastructure and network traffic to detect anomalies and prevent potential threats.
User roles and permissions
Each organization on Great Question has the power to configure their own access roles to ensure security within their organization.
Limited employee access
Only select Great Question employees (those who directly require it to do their job) are authorized to access your data.
Audit trails and logging
All access to user data is logged, whether by your own team members or Great Question employees.

An ongoing commitment

We don't ever consider security "done". Rather we are continually refining and improving our security practices.

Software development process
We incorporate security throughout our entire software development lifecycle with both static code analysis tools and human review processes.
Regular internal audits
We perform regular reviews of all our third party services and software libraries to ensure there are no vulnerabilities.
Employee training
As an ongoing commitment to security all employees regularly complete security training.
Penetration testing
Annually we engage with external security firms to perform penetration testing.

Security disclosure

If you would like to report a security vulnerability, or have any security concerns, please contact us at We will acknowledge your email within five business days as per our disclosure policy.

We ask that while researching security vulnerabilities you refrain from spamming, social engineering, phishing, DDOS, or any physical attacks.

© 2021 Great Question, Inc. All rights reserved.