Security & Data Retention

Updated by Gina Romero

Get a clear understanding of Great Question’s security practices, compliance standards, and how data retention works in your workspace.

Great Question’s Approach to Security

We apply industry-standard security practices at every layer—from infrastructure to code to internal processes. Security is continuously monitored and independently verified.

Key Security Practices

  • SOC 2 Type II certified controls and systems
  • Continuous monitoring through our security vendor Vanta
  • Regular penetration tests and policy reviews
  • TLS encryption for data in transit and AES-256 block-level encryption for data at rest
  • Passwords are hashed, protecting credentials even in the event of unauthorized access
  • Infrastructure hosted on Heroku, with SOC 1, SOC 2, and SOC 3 certified data centers (US-1 West region)
  • Constant monitoring of infrastructure and network traffic for anomalies

Access Controls

  • Each organization can configure roles and permissions to manage internal data access
  • Only a limited set of Great Question employees—those who require it for their job—may access customer data
  • All employee and customer data access is logged

Compliance: GDPR & CCPA

Great Question is committed to supporting your compliance needs as both a processor of your data and a partner in protecting participant information.

Your Participants’ Data Rights (Supported)

  • Right to Access & Portability — Request exports via [email protected]
  • Right to be Forgotten — Full deletion across our systems and sub-processors
  • Right to Object — Participants can opt out per study or across the account
  • Right to Rectification — Users can make updates directly or by contacting support

What GDPR Is

A European Union regulation ensuring individuals have control over their personal data and requiring strict protection standards for organizations.

What CCPA Is

A California privacy regulation giving residents more control over how companies use and share their personal data.

Data Processing Agreements (DPAs)

If your legal or security team requires a DPA, we’re happy to provide one.

  • Request a DPA anytime through support.
  • Enterprise plans: We can review and sign your custom DPA.

Data Retention in Great Question

Admins can choose to automatically delete recordings and transcripts after 6 months. This supports data minimization and compliance with privacy standards.

What Gets Deleted

  • Interview recordings
  • Transcripts associated with those recordings
  • Highlights linked to deleted recordings

What Stays Intact

  • Studies
  • Candidate profiles
  • Incentive records
  • Any non-recording data

How to Enable or Disable Data Retention

Only Admins can modify data retention settings.

  1. Open Settings
    Click your name in the bottom-left corner and select Account.
  2. Scroll to Governance
    Look for the Data Retention section.
  3. Toggle the Setting
    Turn the automatic deletion feature on or off. Changes save automatically.

After enabling, recordings and transcripts older than 6 months will be removed on an ongoing basis.

Have Questions?

Please reach out to us in the chat or at [email protected]!
