Platform Compliance & Security


Last Updated: June 2026

SurveyEngine is a professional survey and choice modelling platform used by universities, research organisations, government agencies, and commercial researchers worldwide.

This page provides information commonly requested during procurement, ethics review, information security review, and institutional purchasing processes for Non-Enterprise software subscriptions only (Free, Trial, Student and Standard), and designed to assist researchers managing their own compliance process with their institution. For Enterprise Licenses or project engagements contact SurveyEngine on info@surveyengine.com.


Platform Compliance Overview

Hosting - Survey response data is stored and processed exclusively within SurveyEngine infrastructure hosted on Google Cloud Platform within the EU, unless requested by the subscriber.

GDPR - SurveyEngine operates under European Union data protection requirements and applies GDPR principles globally.

Data Ownership - Survey response data is not shared with billing, CRM, marketing, forum, AI, or other third-party service providers. The subscriber is the data controller and owns all data collected within their account.

Information Security Programme - SurveyEngine has implemented an ISO 27001 Information Security Management System (ISMS) and is progressing through formal certification.
Data Processing Agreement available- A standard DPA, in force on platform access payment may be downloaded here SaaS_DPA_Jun2026.pdf.
HECVAT available - General Responses to Higher Education Community Vendor Assessment Toolkit (HECVAT) are available here SurveyEngine_HECVAT_Master_Response_Jun2026.xlsx.

VPAT available - General answers to the Voluntary Product Accessibility Template® (VPAT®) are available here

Procurement contact - Most procurement questions can be answered using information on this page and our published compliance documentation. For institution-specific security reviews, custom questionnaires, procurement meetings, or extended compliance assessments, additional paid professional services may be required. Please contact sales@surveyengine.com for assistance.

Company Information

SurveyEngine GmbH
Viktoria-Luise-Platz 7
10777 Berlin
Germany
info@surveyengine.com
+49 30 201 692 320


Security & Privacy

Hosting

SurveyEngine hosts customer data within Google Cloud managed infrastructure environments.
For all Subscriptions the physical location of all customer data is held in Germany. The physical location of customer data may, at the customer's request, be specified as :

  • The United States
  • Great Britain
  • Australia
  • Japan

Data Residency

Survey response data is stored and processed exclusively within SurveyEngine infrastructure hosted on Google Cloud Platform.

Survey response data is not shared with billing, CRM, marketing, forum, AI, or other third-party service providers.

Each customer maintains a separate response database.

Customer Account data, not response data, may exist across various account management systems listed below under subprocessors.

Customer data is not used for AI training

Encryption and Access Control

SurveyEngine implements security controls including:

  • HTTPS/TLS encryption for data in transit
  • Role-based access controls
  • Authentication controls
  • Administrative access restrictions
  • Logging and monitoring processes
  • Backup and recovery procedures

Subprocessors

SurveyEngine uses a limited number of third-party service providers ("subprocessors") to support the delivery and operation of the platform.

SubprocessorService ProvidedCategories of Data ProcessedReceives Survey Response Data
Google Cloud PlatformApplication hosting, databases, storage, backup and infrastructure servicesSurvey responses, uploaded files, respondent metadata, customer account informationYes
StripeSubscription billing and payment processingCustomer billing information, subscription records and transaction dataNo
Google WorkspaceCustomer support, operational communications and account administrationCustomer contact information and support correspondenceNo*
HubSpotCustomer relationship management, onboarding, support ticket management and customer success activitiesCustomer contact information, support requests and account historyNo*
DiscourseCommunity forum and user support platformForum account information, forum posts and community discussionsNo*
IntruderSecurity monitoring and vulnerability managementTechnical infrastructure and security telemetryNo

* No routine processing of survey data. customer-submitted support materials may occasionally contain survey content provided voluntarily during support interactions.

SurveyEngine reviews all subprocessors through its supplier management and information security processes. New subprocessors will be assessed before being granted access to customer information.

Privacy

SurveyEngine operates under European Union data protection requirements and applies GDPR principles globally. Key principles include:

  • Data minimisation
  • Purpose limitation
  • Privacy by design
  • Secure processing
  • Controlled access
  • Defined retention procedures

Data Controller and Processor Responsibilities

For software subscriptions:

  • The customer institution acts as Data Controller.
  • SurveyEngine acts as a Data Processor providing survey software and support.

The customer determines:

  • what data is collected
  • legal basis for collection
  • consent procedures
  • retention requirements
  • participant information provided to respondents

SurveyEngine provides the technical platform used to collect and manage data.

Additional information:
Privacy Policy
GDPR Compliance Information


Data Types Processed

SurveyEngine may process subscriber information including:

Account Information

  • Name
  • Email address
  • Organisation
  • Account preferences and usage
  • Billing information

Survey Data

Determined entirely by the customer, which may include:

  • Survey responses
  • Experimental choice data
  • Uploaded files
  • Metadata collected by survey designers

Special Category Data

SurveyEngine does not require special category or sensitive personal data for operation of the platform.

If customers choose to collect sensitive information, responsibility for lawful collection and ethics approval remains with the customer institution.


Data Classification

SurveyEngine is designed to support:

  • Public data
  • Internal institutional data
  • Research data
  • Personal data

Customers are responsible for determining the classification level of the data they collect.

Highly sensitive or regulated datasets should be assessed by the customer under their own institutional policies before use.

Accessibility

SurveyEngine is committed to providing accessible software wherever practical. Accessibility considerations are incorporated into product design and ongoing development.

At present SurveyEngine does not maintain a formal VPAT. Institutions requiring accessibility information may request an accessibility statement describing current accessibility features and practices.


Common Procurement Questions

QuestionResponse
Is the Vendor GDPR compliant?Yes
IS a Data Processing Agreement available?Yes
Who is the Data ControllerCustomer institution
Who is the Data ProcessorSurveyEngine
Has a DPO been appointedYes
Is the EU privacy framework followedYes
Is a Security programme in placeYes
Is the Vendor ISO 27001 complianceYes, (formal accreditation expected expected Q3 2026
HECVAT available?Available upon request
VPAT available?No formal VPAT currently maintained


Scroll to Top