Security Statement

Qualtrics is dedicated to protect all customer data using industry best standards.

Many of our biggest customers demand the highest levels of data security, and have tested our services to be verify that it meets their standards. In each case, we have surpassed expectations and received high praise from large international organizations.

Qualtrics’ most important concern is the protection and reliability of customer data. Our servers are protected by high-end firewall systems, and scans are performed regularly to ensure that any vulnerabilities are quickly found and patched. Complete penetration tests are performed yearly. All services have quick failover points and redundant hardware, with complete backups performed nightly. Most important is our confidential system component design. It uses multiple checks to certify that packets from one subsystem can only be received by a designated subsystem. Access to systems is severely restricted to specific individuals, whose access is monitored and audited for compliance. Customer data are stored in a specific location; it does not float around in the “cloud.” In addition, all data are processed in that location, and are not moved to another jurisdictional area. In other words, if data are collected in the U.S., all data are processed in the U.S.

Qualtrics uses Transport Layer Security (TLS) encryption (also known as HTTPS) for all transmitted data. We can also protect surveys with passwords and HTTP referrer checking. Our services are hosted by trusted data centers that are independently audited using the industry standard SSAE-16 method. Qualtrics deploys the general requirements set forth by many Federal Acts, including the FISMA Act of 2002. We meet or exceed the minimum requirements as outlined in FIPS Publication 200.

Since our subscribers control their users and their data, it is important for the users to practice sound security practices by using strong account passwords and restricting access to their accounts to authorized persons

Regarding HIPAA, HITECH, and specific data types: Qualtrics provides general research software and other services where all data are processed equally, without regard to how a customer might classify their data. As such, Qualtrics cannot declare or represent any data entered into its services. Any processing of specific data types are purely incidental, and not required to use the services.

HITECH (Health Information Technology for Economic and Clinical Health Act) updated HIPAA rules to ensure that data are properly protected and best security practices followed. Qualtrics safeguards all customer data, and uses secure data centers to ensure the highest protection as per HITECH requirements.

Questions regarding this statement may be sent to Qualtrics Support.