Survey Space System Architecture Overview

This document provides a high-level overview of the Survey Space system and architecture. Please read this document in conjunction with the Survey Space Privacy Policy, Data Processing Agreement and Terms & Conditions.

Architecture

The Survey Space system runs on a custom backend framework developed by Survey Space, built using a LAMP Stack. The front-end runs using a Bootstrap-derived user interface combined with jQuery to provide an interactive user experience. Several third-party commercial components are used for functionality like the graphical charting and rich-text editors. All the solutions used have been tested & verified and are regularly updated.

System Map

[Figure: Survey Space Architecture]

Hosting

Survey Space is hosted with either a leading US-based provider, Liquid Web (www.liquidweb.com), or an Australian provider, Digital Pacific (www.digitalpacific.com.au). They have decades of experience in hosting web applications and provide exemplary service and technical administration. In addition to their EU-US and Swiss-US Privacy Shield Framework compliance, Liquid Web also fully complies with the European General Data Protection Regulation (GDPR).

Our managed hosting platform is supported 24/7/365 by administrators responsible for the operation of the server and security. Systems are in place to automatically issue alerts should any technical issues or breaches arise. To date we’ve had zero security incidents.

Physical Security

Survey Space’s applications and data storage are housed at either Liquid Web’s Data Centers or Digital Pacific’s Data Centers, which are SOC 2 accredited facilities. The Data Centers have security guards on-site 24/7/365, with CCTV monitoring and perimeter fencing.

Data Security

Survey Space employs strict internal security procedures with regard to both the application and client data. All data generated within the Survey Space application is stored at either the Liquid Web Data Center or the Digital Pacific Data Center in Australia, depending on the server location each client selects at sign-up. At no time is any information replicated to any external system (with certain exemptions made when utilising optional functionality of Survey Space, defined in the privacy section).

Only company directors have login credentials to the production and staging environments. Every code submission is vetted before going from our development environment into staging and eventual live deployment. All our environments run on SSL connections, and access to servers is only via secure SSH connections. Our code base follows the latest recommended security standards, and user accounts are secured with complex passwords that are not stored in plain text.

Participant Privacy

Survey Space users have full control over their own project’s data privacy. By default, no information is collected about any survey participant. When a participant clicks a link to a survey, the only additional information logged is the times they accessed, started and finished the survey, and their survey responses. There are two cases where data can be gathered about the participant. Both require an action from the survey creator.

1. Group link with optional or mandatory registration

If this option is enabled in a Group Link, the participant is asked to enter their first name, last name and email address. This data is stored with their results.

2. Enable the capturing of participant details

This setting (off by default) is enabled on a per-project basis. When enabled, it triggers the collection of the following information from the participant’s system:

* Browser user agent
* IP address

The browser user agent string is decoded to get information about the browser, version and device platform (Android, iOS, Mac OS, Windows) used. The IP address is used in conjunction with a third-party geolocation service to retrieve the following details:

* Country
* Latitude & Longitude
* Time zone
* City (if possible)
* Region (if possible)
* Postcode (if possible)

The information is retrieved strictly based on the IP address. No information is pulled from the participant’s system or through a location request in their device/browser. This information is only as accurate as the participant’s IP address. For example, if they are using a VPN, this data will not be accurate. Details such as latitude/longitude, city and postcode are all based on the IP address, and the accuracy is only approximate.