Self-Service Compliance Pack
All the materials, including DPA, HECVAT and VPAT, needed by the procurement department to make your platform subscription (a little) easier.
Platform Compliance Overview
- Hosting – Survey response data is stored, processed and managed exclusively within SurveyEngine infrastructure hosted on Google Cloud Platform within the EU, unless the subscriber explicitly requests otherwise.
- GDPR – SurveyEngine operates under European Union data protection requirements and applies GDPR principles globally.
- Data Ownership – Survey response data is not shared with billing, CRM, marketing, forum, AI, or other third-party service providers. The subscriber is the data controller and owns all data collected within their account.
- Information Security Programme available – An ISO 27001 Information Security Management System (ISMS) is in place and is progressing through formal certification. See the Privacy Policy & GDPR Compliance Information.
- DPA available – A standard Data Processing Agreement, in force on platform access payment, may be downloaded here: SaaS_DPA_Jun2026.pdf.
- HECVAT available – General responses to the Higher Education Community Vendor Assessment Toolkit (HECVAT) are available here: SurveyEngine_HECVAT_Master_Response_Jun2026.xlsx.
- VPAT (WCAG 2.0 AA) available – General answers to the Voluntary Product Accessibility Template® (VPAT®) are available here: SurveyEngine_VPAT_Master_Response_Jun2026.xlsx.
Procurement contact
Most procurement questions can be answered using information on this page and our published compliance documentation.
For institution-specific security reviews, custom questionnaires, procurement meetings, or extended compliance assessments, additional paid professional services may be required.
Please contact sales@surveyengine.com for assistance.
Company Information

SurveyEngine GmbH
Viktoria-Luise-Platz 7
10777 Berlin
Germany
info@surveyengine.com
+49 30 201 692 320
Compliance Sorted?
Now let's help with billing.
Detailed Platform Compliance
Hosting
SurveyEngine hosts customer data within Google Cloud managed infrastructure environments.
For all subscriptions, customer data is physically held in Germany. The physical location of customer data may, at the customer’s request, be specified as:
- The United States
- Great Britain
- Australia
- Japan
Data Residency
- Survey response data is stored and processed exclusively within SurveyEngine infrastructure hosted on Google Cloud Platform.
- Survey response data is not shared with billing, CRM, marketing, forum, AI, or other third-party service providers.
- Each customer maintains a separate response database. Customer account data (not response data) may exist across the account management systems listed below under Subprocessors.
- Customer data is not used for AI training.
Encryption and Access Control
SurveyEngine implements security controls including:
- HTTPS/TLS encryption for data in transit
- Role-based access controls
- Authentication controls
- Administrative access restrictions
- Logging and monitoring processes
- Backup and recovery procedures
Subprocessors
SurveyEngine uses a limited number of third-party service providers (“subprocessors”) to support the delivery and operation of the platform.
| Subprocessor | Service Provided | Categories of Data Processed | Receives Survey Response Data |
|---|---|---|---|
| Google Cloud Platform | Application hosting, databases, storage, backup and infrastructure services | Survey responses, uploaded files, respondent metadata, customer account information | Yes |
| Stripe | Subscription billing and payment processing | Customer billing information, subscription records and transaction data | No |
| Google Workspace | Customer support, operational communications and account administration | Customer contact information and support correspondence | No* |
| HubSpot | Customer relationship management, onboarding, support ticket management and customer success activities | Customer contact information, support requests and account history | No* |
| Discourse | Community forum and user support platform | Forum account information, forum posts and community discussions | No* |
| Intruder | Security monitoring and vulnerability management | Technical infrastructure and security telemetry | No |
* No routine processing of survey data. Customer-submitted support materials may occasionally contain survey content provided voluntarily during support interactions.
SurveyEngine reviews all subprocessors through its supplier management and information security processes. New subprocessors will be assessed before being granted access to customer information.
Privacy
SurveyEngine operates under European Union data protection requirements and applies GDPR principles globally. Key principles include:
- Data minimisation
- Purpose limitation
- Privacy by design
- Secure processing
- Controlled access
- Defined retention procedures
Data Controller and Processor Responsibilities
For software subscriptions:
- The customer institution acts as Data Controller.
- SurveyEngine acts as a Data Processor providing survey software and support.
The customer determines:
- what data is collected
- legal basis for collection
- consent procedures
- retention requirements
- participant information provided to respondents
SurveyEngine provides the technical platform used to collect and manage data.
Additional information:
Privacy Policy
GDPR Compliance Information
Data Types Processed
SurveyEngine may process subscriber information including:
Account Information
- Name
- Email address
- Organisation
- Account preferences and usage
- Billing information
Survey Data
Determined entirely by the customer, which may include:
- Survey responses
- Experimental choice data
- Uploaded files
- Metadata collected by survey designers
Special Category Data
SurveyEngine does not require special category or sensitive personal data for operation of the platform.
If customers choose to collect sensitive information, responsibility for lawful collection and ethics approval remains with the customer institution.
Data Classification
SurveyEngine is designed to support:
- Public data
- Internal institutional data
- Research data
- Personal data
Customers are responsible for determining the classification level of the data they collect.
Highly sensitive or regulated datasets should be assessed by the customer under their own institutional policies before use.
Accessibility
SurveyEngine is committed to providing accessible software wherever practical. Accessibility considerations are incorporated into product design and ongoing development.
The core SurveyEngine platform conforms to VPAT WCAG 2.0 AA in standard use. The platform allows authors the freedom to comply with accessibility requirements. General answers to the Voluntary Product Accessibility Template® (VPAT®) are available here: SurveyEngine_VPAT_Master_Response_Jun2026.xlsx.
Common Procurement Questions
| Question | Response |
|---|---|
| Is the Vendor GDPR compliant? | Yes |
| Is a Data Processing Agreement available? | Yes |
| Who is the Data Controller? | Customer institution |
| Who is the Data Processor? | SurveyEngine |
| Has a DPO been appointed? | Yes |
| Is the EU privacy framework followed? | Yes |
| Is a Security programme in place? | Yes |
| Is the Vendor ISO 27001 compliant? | Yes (formal accreditation expected Q3 2026) |
| HECVAT available? | Yes |
| VPAT available? | Yes |