Data Protection at Attest
We do not collect and we do not permit our customers to collect any personally identifiable data about survey respondents, whether those respondents are from audiences provided via the Attest platform or from the customer’s own audience.
The only information our customers receive about survey respondents (aside from their survey responses) is the anonymous demographic grouping, for example, age, gender and region.
The only personally identifiable data Attest will process in accordance with a customer’s contract is information relating to the customer’s or, where the customer is an organisation, its users, for example: each user’s name, email address and information relating to their use of the Attest platform.
Information Security at Attest
Attest is committed to maintaining appropriate technical and organisational measures to protect against unauthorised or unlawful processing of confidential data. Our technical infrastructure, including databases, is hosted on Amazon Web Services (‘AWS’), which means we inherit the robust security structure and mechanisms that are maintained by AWS. You can read about AWS compliance on the AWS compliance pages.
We’ve set out some responses to frequently asked questions below.
Password security and authentication for logging into Attest
Users are authenticated via a username and password combination. These are checked against our own credential store, which is held in our database. We have applied a secure password policy for our customers, in accordance with National Institute of Standards and Technology (NIST) guidance, and any new password is automatically cross-checked against a database of compromised passwords before it is accepted.
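As an added illustration of the policy described above (this is example code, not Attest's own implementation), the validator below applies the NIST SP 800-63B rules that matter most: a minimum length of 8 and an accepted length of at least 64, no composition rules, Unicode NFKC normalisation, a context-specific check for the username, and a breach check done k-anonymity style (only the first five hex characters of the SHA-1 are sent to the lookup). The breach corpus is a constructed stand-in for a real compromised-password service, so the block runs offline.

```python
import hashlib
import unicodedata

# Constructed breach corpus: a stand-in for a compromised-password service.
# Indexed by the first 5 hex characters of the SHA-1 so the lookup mirrors a
# range query, where the full hash never leaves the caller's host.
_BREACHED_PLAINTEXT = ["password", "123456789", "qwerty123", "letmein1"]
_BREACH_INDEX = {}
for _pw in _BREACHED_PLAINTEXT:
    _h = hashlib.sha1(_pw.encode("utf-8")).hexdigest().upper()
    _BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def range_lookup(prefix):
    """Return every known suffix for a 5-hex-character SHA-1 prefix (k-anonymity lookup)."""
    return _BREACH_INDEX.get(prefix.upper(), set())


def is_compromised(password, lookup=range_lookup):
    """True if the password's SHA-1 appears in the breach corpus behind `lookup`."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in lookup(digest[:5])


MIN_LENGTH = 8    # SP 800-63B: user-chosen memorized secrets are at least 8 characters
MAX_LENGTH = 64   # SP 800-63B: verifiers should accept at least 64 characters

TOO_SHORT = "too_short"
TOO_LONG = "too_long"
COMPROMISED = "compromised"
CONTAINS_USERNAME = "contains_username"


def validate_password(password, username="", lookup=range_lookup):
    """Return the list of rejection reasons; an empty list means the password is accepted.

    Deliberately absent: composition rules (uppercase/digit/symbol) and forced
    rotation. SP 800-63B advises against both; length plus a breach check carry
    the policy instead, and spaces and any printable Unicode are allowed.
    """
    # NFKC so visually equivalent input (e.g. a ligature) is counted and hashed the same way
    pw = unicodedata.normalize("NFKC", password)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(TOO_SHORT)
    if len(pw) > MAX_LENGTH:
        reasons.append(TOO_LONG)
    # Context-specific word: the account's own username must not appear in the secret
    if username and username.lower() in pw.lower():
        reasons.append(CONTAINS_USERNAME)
    if is_compromised(pw, lookup):
        reasons.append(COMPROMISED)
    return reasons


if __name__ == "__main__":
    samples = [("password", ""), ("tr0ub4dor", ""),
               ("correct horse battery staple", ""), ("alice2024secret", "alice")]
    for candidate, user in samples:
        print(repr(candidate), validate_password(candidate, user) or "accepted")
```

Swapping `range_lookup` for a function that queries a real range API is the only change needed to use this against a live breach corpus; the validator itself never sees more than the hash prefix traffic.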
All systems used by Attest employees are configured with SAML login where permitted, backed by their email account, which is subject to strict password content and reset policies. Access to all systems and email accounts is removed on notice of termination or on the employee’s last day.
All data in transit is encrypted using TLS 1.2.
All data is encrypted at rest. We use industry standard AES-256 encryption.
All of our web applications enforce the use of HTTPS.
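One way to enforce HTTPS at the application layer, shown here as an added example rather than Attest's own code: a WSGI middleware that redirects cleartext requests to a canonical HTTPS origin and adds a Strict-Transport-Security header to every secure response. The `trust_forwarded_proto` flag and the `canonical_host` value are assumptions for the example; behind a TLS-terminating CDN or load balancer the application sees plain HTTP, so the proxy's `X-Forwarded-Proto` header is honoured only when explicitly enabled, and the redirect target is never taken from the client-supplied Host header.

```python
HSTS_VALUE = "max-age=31536000; includeSubDomains"


class EnforceHttps:
    """WSGI middleware: 301 cleartext requests to HTTPS and add HSTS to secure responses."""

    def __init__(self, app, canonical_host, trust_forwarded_proto=False):
        self.app = app
        # Redirect to a fixed host rather than echoing the request's Host header,
        # which an attacker could otherwise use to bounce users to another origin.
        self.canonical_host = canonical_host
        # Only enable behind a proxy you control that strips client-supplied copies.
        self.trust_forwarded_proto = trust_forwarded_proto

    def _is_https(self, environ):
        if environ.get("wsgi.url_scheme") == "https":
            return True
        if self.trust_forwarded_proto:
            return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
        return False

    def __call__(self, environ, start_response):
        if not self._is_https(environ):
            path = environ.get("PATH_INFO") or "/"
            query = environ.get("QUERY_STRING", "")
            location = f"https://{self.canonical_host}{path}" + (f"?{query}" if query else "")
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def secure_start_response(status, headers, exc_info=None):
            # Replace any HSTS header the inner app set so the policy is uniform
            headers = [(k, v) for k, v in headers if k.lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return self.app(environ, secure_start_response)


def hello_app(environ, start_response):
    """Minimal inner application used to exercise the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello over TLS\n"]


def run_request(app, environ):
    """Invoke a WSGI app with a constructed environ; return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = EnforceHttps(hello_app, canonical_host="app.example.com")
    print(run_request(app, {"wsgi.url_scheme": "http", "PATH_INFO": "/login",
                            "QUERY_STRING": "next=%2Fhome"}))
    print(run_request(app, {"wsgi.url_scheme": "https", "PATH_INFO": "/"}))
```

The redirect is a complement to, not a substitute for, TLS termination and HSTS at the edge: it only matters for a first visit or a client that has never seen the HSTS header.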
All database data and backups are encrypted.
Data is stored in our database services which are managed by AWS and located in Dublin, Ireland. Data storage on local machines is not permitted.
We use service providers who are located outside of the UK and the European Union, primarily US-based SaaS companies. We only do so when adequate contractual provisions are in place between us and the service provider, including ensuring that Standard Contractual Clauses are in place following the removal of the US Privacy Shield adequacy decision and the UK’s departure from the European Union.
Attest undertakes daily security scans of our systems for new vulnerabilities. Any new vulnerabilities discovered are patched within 24 hours of discovery. Attest also undertakes an annual penetration test, with any remediation actions identified built into our Engineering team’s workload in accordance with priority and urgency.
Intrusion Detection / Prevention
Attest employs the security principle of defence in depth and, in production, zero trust networking. With regard to cloud data loss prevention, Attest employs Web Application Firewalls and Content Distribution Networks as means of protecting its web assets from data loss.
We run a cloud-based Intrusion Detection System alongside antivirus detection on our production environment; underpinning all of this is a well-defined and tested security incident response process. Attest utilises a 24/7 automated security monitoring application to monitor our infrastructure in real time against new exploits.
Updates and Backups
Our databases are backed up daily and stored for two weeks.
Our Kafka cluster is backed up to Amazon S3 as soon as new data is available.
All Attest employees and contractors are required to sign standardised employment or contractor agreements prior to their start date, which contain detailed confidentiality provisions.
Attest does not yet itself hold any security certifications (ISO, SOC, etc.). Our platform is built on infrastructure provided by AWS.
PCI Compliance
Some of our customers may make payments by credit card via our website. We use a third-party payment provider, Braintree, to process these payments. Braintree securely stores and processes card data on our behalf, which significantly reduces our PCI compliance requirements as it means we don’t store or have access to any card information. We are still required to complete a Self-Assessment Questionnaire, and we do this annually.