Security

Data Protection at Attest

We offer two different styles of survey to our customers: our standard text-based surveys and as of October 2023, our Video Response functionality.

What personally identifiable information (PII) is collected from survey respondents (if any)?

For text-based surveys, we do not collect and we do not permit our customers to collect any PII from survey respondents, whether those respondents are from audiences provided via the Attest platform or from the customer’s own audience. The only information our customers receive about text-based survey respondents (aside from their survey responses) is the anonymous demographic grouping, for example, age, gender and region.

For customers who choose to make use of our Video Responses functionality, the video and audio recordings that are collected through Video Responses are regarded as PII. This is the only PII that you will receive from Video Response respondents because, as with our text-based surveys, we do not permit our customers to collect any other PII from Video Response survey respondents (e.g. you will not be able to request a respondent’s name, email or contact details, etc.). This means that the only information our customers receive about Video Response respondents is the video and audio recordings, and their anonymous demographic grouping, for example, age, gender and region.

What PII does Attest collect from customers (if any)?

The only PII Attest will process in accordance with a customer’s contract is the customer’s name, email address and information relating to their use of the Attest platform. Where the customer is an organisation, this same information will be collected in relation to those of its employees who opt to use the Attest platform, i.e. each user’s name, email address and information relating to their use of the Attest platform.

All information regarding the collection and processing of PII at Attest is set out in our Privacy Policy.

Information Security at Attest

Attest is committed to maintaining appropriate technical and organisational measures to protect against unauthorised or unlawful processing of confidential data. Our technical infrastructure, including databases, is hosted on Amazon Web Services (‘AWS’), which means we inherit the robust security structure and mechanisms that are maintained by AWS. You can read about AWS compliance here.

We’ve set out some responses to frequently asked questions below.

Password security and authentication for logging into Attest

Customers

Users are authenticated via a username and password combination. These are checked against our own credential store, which is held in our database. We have applied a secure password policy for our customers, which is in accordance with National Institute of Standards and Technology (NIST) guidance, and any new passwords are automatically cross-checked against a database of compromised passwords before they are accepted.
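As an added illustration of the policy described above (example code written for this page, not Attest's own implementation), the validator below applies NIST SP 800-63B-style rules: a minimum length, no composition rules, and a screen of each new password against a compromised-password list using the k-anonymity hash-prefix lookup pattern. The breach corpus, the range table and the 64-character upper bound are constructed assumptions for the offline demo.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed breached-password corpus for the offline demo (hypothetical,
# not a real breach list). Entries are stored as SHA-1 hex digests, indexed
# by their first five characters, mirroring what a k-anonymity range query
# returns for a given prefix.
_BREACHED_PLAINTEXTS = ["password", "123456", "qwerty", "letmein", "Summer2023!"]


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


BREACH_RANGES: Dict[str, List[str]] = {}
for _p in _BREACHED_PLAINTEXTS:
    _h = _sha1_hex(_p)
    BREACH_RANGES.setdefault(_h[:5], []).append(_h[5:])


def is_compromised(password: str) -> bool:
    """Return True if the password appears in the breach corpus.

    Only the 5-character hash prefix is used for the range lookup; the full
    hash never needs to leave the client, which is the k-anonymity model
    used by breached-password range APIs.
    """
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in BREACH_RANGES.get(prefix, [])


def validate_password(password: str) -> Tuple[bool, str]:
    """NIST SP 800-63B style check: length bounds, no composition rules,
    and a compromised-password screen. Returns (accepted, reason)."""
    if len(password) < 8:
        return False, "too short: minimum 8 characters"
    if len(password) > 64:  # assumed local upper bound; NIST asks for at least 64
        return False, "too long: maximum 64 characters"
    if is_compromised(password):
        return False, "rejected: found in compromised-password database"
    return True, "accepted"
```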

Attest Employees

All systems used by Attest employees are configured with SAML login where permitted, backed by their email account, which is subject to strict password content and reset policies. Access to all systems and email accounts is removed on notice of termination or on the employee’s last day.

Data Encryption

All data in transit is encrypted using TLS 1.2.

All data is encrypted at rest. We use industry standard AES-256 encryption.

All of our web applications enforce the use of HTTPS.

All database data and backups are encrypted.

Data Storage

Data is stored in our database services which are managed by AWS and located in Dublin, Ireland. Data storage on local machines is not permitted.

Data Transfer

We use service providers who are located outside of the UK and the European Union, primarily US-based SaaS companies. We only do so when adequate contractual provisions are in place between us and the service provider, including ensuring that Standard Contractual Clauses are in place following the removal of the US Privacy Shield adequacy decision and the UK’s departure from the European Union.

Vulnerability Testing

Attest undertakes daily security scans of our systems for new vulnerabilities. Any new vulnerabilities discovered are patched within 24 hours of discovery. Attest also undertakes annual penetration testing, with any remediation actions identified built into our Engineering team’s workload in accordance with priority and urgency.

Intrusion Detection / Prevention

Attest employs the security principle of defence in depth and, in production, zero trust networking. With regard to cloud data loss prevention, Attest employs Web Application Firewalls and Content Distribution Networks as means of protecting our web assets from data loss.

We run a cloud-based Intrusion Detection System alongside antivirus detection on our production environment. Underpinning all of this is a well-defined and tested security incident response process. Attest also uses a 24/7 automated security monitoring application to monitor our infrastructure in real time against new exploits.

Updates and Backups

Our databases are backed up daily and stored for two weeks.

Our Kafka cluster is backed up to Amazon S3 as soon as new data is available.

Confidentiality

All Attest employees and contractors are required to sign standardised employment or contractor agreements prior to their start date, which contain detailed confidentiality provisions.

Security Certifications

Attest does not yet itself hold any security certifications (ISO, SOC, etc.). Our platform is built on infrastructure provided by AWS.

PCI Compliance

Some of our customers may make payments by credit card via our website. We use a third-party payment provider, Braintree, to process these payments. Braintree securely stores and processes card data on our behalf, which significantly reduces our PCI compliance requirements as it means we don’t store or have access to any card information. We are still required to complete a Self-Assessment Questionnaire, and we do this annually.