Safe + Secure
Securing your data
We’re in the final stages of becoming ISO 27001 certified, and FedRAMP authorised – that’s the “gold standard” of security certification used by the U.S. Government for SaaS providers. As part of those programs, a Privacy Impact Assessment (PIA) – a key requirement of GDPR – has been performed and evaluated by an independent third-party assessor, so you can be confident your data is secure. In addition, Qualtrics has a Data Protection Impact Assessment (DPIA) that documents our handling of all your data, including personal data.
Brand administrators can easily find and modify collected personal data to meet the ‘correction’ requirement of the GDPR. So, you’ll easily be able to modify an individual’s personal data should they request it.
Right to be forgotten
Brand administrators can permanently delete individual contacts and respondent personal data should an individual request it using a Subject Access Request.
Built for enterprise security
- Email Security (SMTP Server Setup, DKIM)
- Data encryption in transit
- Data Centers are audited with industry-standard SSAE-16 methods
- Data redundancy for resilience during disasters
- Independent 3rd-Party security reviews and penetration tests
- Continuous network monitoring
- Single Sign-On (SSO)
- EU-US Privacy Shield Certified
- Swiss-US Privacy Shield Certified
- In-house 24/7 security operations center
- Active session management
- Users can opt out of re-contact for a survey
- Control password parameters and expirations
- Industry-standard security evaluations
- Data sovereignty: U.S., Canada, APAC, EU
- Data isolation option for unique encryption keys
- HITRUST self-assessed | HIPAA self-certified
Got a question on GDPR?
Frequently Asked Questions
Disclaimer: This FAQ contains helpful compliance information when using Qualtrics products. Customers should always consult their internal compliance team and/or their privacy attorney regarding legal matters. The information herein is provided as-is, and should not be considered legal advice. Qualtrics desires to enable its customers to comply with applicable laws, but does not warrant that a customer’s particular use of its products will be compliant.
For purposes of this FAQ, the terms “You,” “Your,” “I,” and “My” refer to the owner or creator of the survey. “Respondent” refers to the person taking the survey.
Should I get consent from a Respondent to collect their personal data?
In the Qualtrics platform, You may easily create a multiple choice question to display a landing page and ask for consent. The Respondent can select Yes or No before they proceed with the rest of the survey. That response is recorded with the others, and may be used as evidence that the Respondent did, indeed, consent. To ensure that the question is answered, the Force Response option should be used. If the Respondent chooses No, then direct the Survey Flow to the End of Survey so that no data will be collected.
Can I avoid collecting personal data that would identify a Respondent?
Can I modify a Respondent’s personal data that resides in an existing survey?
Can I delete personal data that resides in an existing survey?
- a single response
- all responses
- the entire survey project (and all related data and associations to contacts)
Is personal data permanently deleted when I remove it?
How long is personal data retained in Qualtrics if I don’t delete it?
Does my brand data get included in backups, and if so, for how long?
Can I delete customer’s personal data from Qualtrics backups?
If my data centre is located in the EU, does Qualtrics transfer My personal data outside the EU at any point?
If my data centre is located in the EU, does Qualtrics ensure that My data are accessed only by EU-based employees?
Does Qualtrics ensure that My data are accessed only by employees that have reasonable justification for doing so?
Does Qualtrics use sub-processors that process My data?
If a data breach occurs with the Qualtrics platform that affects My data, how and when will I be notified?
How can I comply with a subject access request and portability as required by GDPR?
How do I comply with a subject access request to “be forgotten?”
How does Qualtrics comply with its GDPR obligations to return or destroy all EU personal data?
How does Qualtrics comply with its GDPR obligations to encrypt personal data?
How can I assure my customers that Qualtrics security meets applicable law and the GDPR (Article 32)?