Trust & Security

This section is about how Voxxify handles trust & security for our customers and partners. For website security see our Website Privacy Policy.

Voxxify partners with and provides services to some of the largest enterprises in the world, and security is of paramount importance.

To anticipate customer and regulatory requirements we prioritize data protection by design and by default. We integrate security and data privacy into all our business process life cycles, from privacy-by-design software development to contract termination. Voxxify strives to exceed established standards at every turn.

Voxxify’s software design and Information Security Policies are organised in accordance with the ISO 27001 Information Security Standard, and comply with other regulatory mandates where applicable.

The ultimate goal of our rigorous security posture is to protect the privacy of the people whose data we have been entrusted with.

This Trust & Security page is provided in a layered format so you can click through to the specific areas set out below.

At Voxxify we understand the process that IT teams in large organisations must go through to approve and onboard a new third-party supplier, particularly when data transfer and data sharing take place.
For this reason we have designed our product and processes with this front of mind, so that setting us up as a supplier, and gaining assurance about the security of our product, is quick and straightforward.

Data Centre Security

Voxxify’s platform and technical infrastructure are hosted in highly available, redundant data centres that hold ISO 27017/27018 certification and SOC 2 attestation. Physical security controls at these data centres include continuous monitoring, cameras, visitor logs, keyed entry, alarmed doors, and access control based on job function.

Design & Development

From the very outset Voxxify has adopted privacy-by-design foundational principles. That decision led to a security-first software design methodology that includes code test coverage and a semi-automated continuous integration/deployment (CI/CD) pipeline. The OWASP Top Ten serves as a minimum standard guideline for all Internet-facing systems.

Encryption

User data is anonymized, pseudonymized, and compartmentalized where possible and appropriate. All data is encrypted in transit and at rest with modern cryptographic suites.

Operational Security

Access to Voxxify’s platform infrastructure is only permitted through secure connectivity (e.g. VPN, SSH) and requires multi-factor authentication. Maintenance access to user data is granted only temporarily, logged, and monitored. All network and endpoint activity is logged and centrally monitored.
We monitor Common Vulnerabilities and Exposures (CVEs) and reliable threat intelligence sources in order to be proactive in our mitigation activities. We regularly perform penetration tests on multiple surfaces in our environment.

Security Policies

Voxxify actively maintains and reviews its information security policies. Employees are required to adhere to the information security policies and procedures, and to undergo role-specific education and training at least annually.

Incident Management

Our customers and partners know that no Internet-connected system is perfectly secure. In the event of a data breach, Voxxify is committed to complying with or exceeding its obligations under European data protection law.

We know what personal data we hold, for what purpose, what we do with the information, how we secure it, and for how long it is retained. We also actively maintain a data breach policy that sets out what is to happen in the event of any data breach.

If you have specific questions about any of our security policies please email security@voxxify.com.

This section is about how Voxxify protects data privacy when processing customer data. For website data privacy see our Website Privacy Policy.

As a survey platform, Voxxify is the data processor for our customers, who are the data controllers for their organisation’s members or employees. The basis for processing the data is contractual. We adhere to the key principles of the European Union General Data Protection Regulation (EU-GDPR): minimising the data processed, limiting the purpose and storage, applying technical and organisational data security, and maintaining accountability.

Platform Compliance with relevant Regulation & Legislation

We, like many Europe-based data processors, are mindful of the July 2020 Schrems II decision of the Court of Justice of the European Union. Where we use service providers in countries that do not have an EU adequacy decision, in particular electronic communications service providers in the United States, we rely on standard contractual clauses and are moving towards ending transfers of personal data outside the EU, in line with the transfer rules in Chapter V (Articles 44 to 49) of the EU-GDPR.

We make every possible technological and legal effort to protect our users’ data. We regularly assess risk and apply appropriate controls to minimize our risk exposure. All the data we hold is encrypted at rest and in transit with modern cryptographic standards, and our operational environment is monitored and analysed. We only engage with service providers that can demonstrate appropriate certifications for privacy and security, all the while complying to the best of our ability with EU regulations.

If you have specific questions about any of our data privacy policies please email privacy@voxxify.com.

At Voxxify we applaud the valuable work of security researchers. If you have discovered a vulnerability in our website or platform, we welcome the opportunity to work with you and to recognize your contributions.

In order to avoid any confusion and to encourage responsible disclosure, we commit not to take legal action against you, and not to ask law enforcement to investigate you, provided you adhere to the following guidelines:

  • Promptly report any discovered vulnerability
  • We do not acknowledge the discovery of common, minor issues such as missing HTTP headers, clickjacking, TLS configuration or cipher suite findings, and WordPress functionality or weaknesses
  • XSS reports must demonstrate impact on another user
  • A report should include the nature of the vulnerability, its location, and steps to reproduce, along with your name or handle and any links for recognition
  • Encrypt and email the report to security@voxxify.com (PGP key) along with your public key
  • If email encryption is unavailable to you, please contact us to make alternative arrangements to securely deliver your report
  • Take all reasonable precautions against privacy violations; data destruction, modification, or exfiltration; and/or disruption of our services
  • Allow forty-eight hours for us to examine your report and respond
  • Allow us to agree on a reasonable grace period to fix the disclosed issue, up to a maximum of ninety days
  • Do not publicly disclose your discovery or proof of concept until the agreed-upon grace period has passed and we have given our permission
  • Under no circumstances should you:
    • physically attack any Voxxify staff, agents, or property
    • use social engineering or extortion on Voxxify staff, agents, partners, or suppliers
    • engage in DDoS attacks or use of malware

Voxxify does not currently offer monetary rewards (“bug bounties”). Verified disclosures that result in a security patch will be recognized on our Hall of Fame section below, along with some Voxxify swag as a token of our appreciation.

If you have specific questions about any of our security policies please email security@voxxify.com (PGP key).