Data security is a top priority
At Great Question we take security and privacy very seriously. We apply best practices and manage security at all levels of our organization - from infrastructure through to development processes and employee training.
- Encrypted data
- All data in transit is secured using TLS, and data at rest is encrypted with AES-256 block-level storage encryption. All customer passwords are hashed. This means if you lose your password, it's gone forever.
- Certified infrastructure
- We rely on Heroku to provide our infrastructure. Heroku data centers are SOC 1, SOC 2 and SOC 3 certified.
- Constant monitoring
- We monitor both our infrastructure and network traffic to detect anomalies and prevent potential threats.
- User roles and permissions
- Each organization on Great Question has the power to configure their own access roles to ensure security within their organization.
- Limited employee access
- Only select Great Question employees (those who directly require it to do their job) are authorized to access your data.
- Audit trails and logging
- All access to user data is logged, whether by your own team members or Great Question employees.
An ongoing commitment
We don't ever consider security "done". Rather, we are continually refining and improving our security practices.
- Software development process
- We incorporate security throughout our entire software development lifecycle with both static code analysis tools and human review processes.
- Regular internal audits
- We perform regular reviews of all our third-party services and software libraries to ensure there are no vulnerabilities.
- Employee training
- As an ongoing commitment to security, all employees regularly complete security training.
- Penetration testing
- Annually we engage with external security firms to perform penetration testing.
If you would like to report a security vulnerability, or have any security concerns, please contact us at email@example.com. We will acknowledge your email within five business days.
We ask that, while researching security vulnerabilities, you refrain from spamming, social engineering, phishing, DDoS, or any physical attacks.