Security Statement

July 13, 2018

Qualtrics is dedicated to protecting all Customer data using industry best standards.

Many of our biggest Customers demand the highest levels of data security and have tested our services to verify that they meet their standards. In each case, we have surpassed expectations and received high praise from large international organizations.

ISO 27001 Certification

In April 2018, Qualtrics achieved ISO 27001 certification. The direct link to the information and certificate is: https://cert.schellmanco.com/?certhash=f4EjsRoh8OCD. To independently verify the status of the certification, please visit https://www.schellman.com/certificate-directory.

Our Security, briefly stated

Qualtrics’ most important concern is the protection and reliability of Customer data. Our servers are protected by high-end firewall systems, and scans are performed regularly to ensure that any vulnerabilities are quickly found and patched. Complete penetration tests are performed yearly. All services have quick failover points and redundant hardware, with complete backups performed nightly.

Our system component design (the details of which are confidential) uses multiple checks to ensure that packets from one subsystem can only be received by a designated subsystem. Access to systems is strictly restricted to specific individuals, whose access is monitored and audited for compliance.

Customer data are processed (stored, collected, retrieved) in a specific location known to the Customer within a specific region, such as North America, Europe, or Australia.

Qualtrics uses Transport Layer Security (TLS) encryption (HTTPS, for web traffic) for all transmitted data. Surveys may be protected with passwords and HTTP referrer checking. Our services are hosted by trusted data centers that are independently audited using the industry-standard SSAE 16 method.

Since our subscribers control their users and their data, it is important for those users to follow sound security practices: using strong account passwords and restricting access to their accounts to authorized persons.

FedRAMP Authorization

Qualtrics is FedRAMP Authorized. FedRAMP is the gold standard of U.S. government security compliance, with over 300 controls based on the highly regarded NIST SP 800-53, and it requires continuous monitoring and periodic independent assessments. More information is found at https://www.fedramp.gov.

Qualtrics meets the general requirements set forth by many U.S. Federal requirements, including FISMA (the Federal Information Security Management Act of 2002). We meet or exceed the minimum requirements outlined in FIPS Publication 200.

HIPAA

Regarding HIPAA, HITECH, and specific data types: Qualtrics provides general research software and other services in which all data are processed equally, without regard to how a Customer might classify their data. As such, Qualtrics cannot declare or make representations about the classification of any data entered into its services. Any processing of specific data types is purely incidental, and not required to use the services.

HITECH (the Health Information Technology for Economic and Clinical Health Act) updated HIPAA rules to ensure that data are properly protected and that best security practices are followed. Qualtrics safeguards all Customer data and uses secure data centers to ensure the highest protection, as per HITECH requirements.

More Information

Qualtrics Customers may request various security-related documents and questionnaires by contacting their account executive.