Set your workspace session timeout

Updated by Gina Romero

What a session timeout is

A session timeout controls how long you stay signed in to Great Question. There are two kinds of limit, and we use both:

  • Inactivity (idle) timeout — you're signed out after a period of not interacting with a Great Question tab (no clicks, typing, or scrolling).
  • Absolute session limit — a hard ceiling on how long a session can live since you last signed in, no matter how active you are. Ours is 30 days, after which you re-authenticate.

Balancing these is a trade-off between security (shorter = less risk if a device is left unlocked or stolen) and convenience (longer = fewer logins).

What Great Question does today

Today every workspace uses a single, security-first default: you're signed out after 2 hours of inactivity. Workspaces with HIPAA mode enabled are stricter — anyone in a role that can view participant PII is signed out after 15 minutes of inactivity. We started conservative on purpose. A short, fixed timeout is the safest default and the one enterprise security reviews expect, so no workspace is ever less protected than it should be out of the box.

What's coming: choose the posture that fits your workspace

We're making the inactivity timeout configurable. Account admins will find it under Governance → Security → Session timeout, with three recommended postures plus a custom option:

  • Strict — 30 minutes — workspaces handling sensitive participant PII; the number most security questionnaires expect.
  • Standard — 24 hours — teams that want to sign in about once a working day.
  • Relaxed — 1 week (recommended) — most teams; stay signed in across the week, in line with the tools you already use daily.
  • Custom — 30 minutes to 30 days — set an exact window to match your security policy.

A few things stay constant:

  • The default remains 2 hours — nothing changes for your workspace until an admin chooses a new posture.
  • HIPAA workspaces keep the 15-minute lock for roles that can view participant PII. The posture you choose applies to roles that cannot view PII.
  • Regardless of posture, the 30-day absolute limit always applies.
  • When a session ends, you're returned to the page you were on after you sign back in.

Why these recommendations?

We anchored the options to recognized identity-security guidance and to the norms of tools you already trust. NIST SP 800-63B (the US digital-identity standard most enterprise and government buyers reference) defines session limits by assurance level:

  • AAL1 (standard assurance): re-authenticate at least every 30 days. This is the basis for our 30-day absolute cap.
  • AAL2 (higher assurance): re-authenticate after 12 hours, or 30 minutes of inactivity. Our Strict (30 min) posture matches this inactivity bound.
  • AAL3 (highest assurance): 15 minutes of inactivity. This is the basis for the HIPAA 15-minute lock, and it aligns with HIPAA's "automatic logoff" implementation spec (45 CFR §164.312(a)(2)(iii)).

Industry norms for the convenience end of the spectrum:

  • Consumer-grade productivity tools like Figma and Notion keep you signed in for weeks by default — the basis for our Relaxed (1 week) option.
  • Security-sensitive applications — banking and healthcare portals — typically log you out after ~15 minutes of inactivity.
  • Enterprise SaaS like Salesforce and Google Workspace let admins choose rather than picking one number for everyone. That's the model we're adopting, with safe defaults.

In short: Strict for regulated/PII-heavy work, Standard for a daily sign-in rhythm, Relaxed for everyday convenience — all bounded by a 30-day hard limit so no session lives indefinitely.

How "inactivity" is measured

Activity means interacting with an open Great Question tab — moving the mouse, typing, or scrolling — which we register at most once a minute. Leaving a tab open but untouched counts as idle. Your session also survives a browser restart within your chosen window, so quitting and reopening your browser won't sign you out early.
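The rules above (an idle window chosen per workspace, a 15-minute lock for PII-viewing roles in HIPAA mode, a 30-day absolute cap that wins regardless of activity, and activity registered at most once a minute) can be expressed as one policy check. The following is an added illustration, not Great Question's own code; the `Session`, `WorkspacePolicy` and function names are hypothetical, and it assumes both timestamps are stored server-side so they survive a browser restart.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed bounds taken from the article; names and data shapes below are hypothetical.
ABSOLUTE_LIMIT = timedelta(days=30)          # hard cap since last sign-in
HIPAA_PII_IDLE = timedelta(minutes=15)       # lock for PII-viewing roles in HIPAA mode
CUSTOM_MIN, CUSTOM_MAX = timedelta(minutes=30), timedelta(days=30)
POSTURES = {"strict": timedelta(minutes=30), "standard": timedelta(hours=24),
            "relaxed": timedelta(weeks=1), "default": timedelta(hours=2)}
ACTIVITY_GRANULARITY = timedelta(minutes=1)  # activity is registered at most once a minute

@dataclass
class Session:
    signed_in_at: datetime      # start of the absolute window (server-side)
    last_activity_at: datetime  # last registered interaction (server-side)

@dataclass
class WorkspacePolicy:
    idle_limit: timedelta       # the posture the admin chose
    hipaa_mode: bool = False

def idle_limit_for(policy: WorkspacePolicy, can_view_pii: bool) -> timedelta:
    """HIPAA workspaces lock PII-viewing roles at 15 min; other roles get the chosen posture."""
    if policy.hipaa_mode and can_view_pii:
        return HIPAA_PII_IDLE
    return policy.idle_limit

def custom_idle_limit(requested: timedelta) -> timedelta:
    """A custom window is only accepted inside the 30-minute to 30-day range."""
    if not CUSTOM_MIN <= requested <= CUSTOM_MAX:
        raise ValueError(f"custom window {requested} outside {CUSTOM_MIN}..{CUSTOM_MAX}")
    return requested

def record_activity(session: Session, now: datetime) -> bool:
    """Touch the session, coalescing events so the timestamp is written at most once a minute."""
    if now - session.last_activity_at < ACTIVITY_GRANULARITY:
        return False
    session.last_activity_at = now
    return True

def session_state(session: Session, policy: WorkspacePolicy,
                  can_view_pii: bool, now: datetime) -> str:
    """Return 'active', 'idle_timeout' or 'absolute_limit'; the absolute cap is checked first
    because it applies no matter how recently the user was active."""
    if now - session.signed_in_at >= ABSOLUTE_LIMIT:
        return "absolute_limit"
    if now - session.last_activity_at >= idle_limit_for(policy, can_view_pii):
        return "idle_timeout"
    return "active"
```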

FAQ

Will changing this log my team out immediately?
No — it changes when future inactivity signs people out. Anyone idle past the new, shorter window will be signed out on their next action.

Can I set it per person or per role?
The timeout is set per workspace. The only role-based difference is the HIPAA PII lock described above.

Who can change it?
Account admins, under Governance → Security.
