Data Protection We offer two different styles of survey to our customers: Text-based surveys: these can be sent to survey respondents from Attest’s audience base (“Attest Survey Respondents”) and/or survey respondents that you directly invite to respond to your survey(s) (“Own Audience Respondents”); and Video Response surveys: these can currently only be sent to Attest Survey Respondents in the UK and/or US. What personal data is collected from survey respondents? Text-based surveys (Attest Survey Respondents): We do not collect or permit our customers to collect any personal data from Attest Survey Respondents. Customers will only receive survey responses and anonymous demographic data, for example, age, gender and region. Text-based surveys (Own Audience Respondents): You are able to allocate a pseudonymised Unique/Respondent ID to Own Audience Respondents and their survey URLs, allowing you (but not Attest) to identify respondents. You may also upload demographic data for Own Audience Respondents to the Attest Platform. Video Response survey: You will receive video and audio recordings which are regarded as personal data, and anonymous demographic data. For more information about what personal data you can and cannot collect from Attest Survey Respondents, please see section 4 of our Acceptable Use Policy. What personal data does Attest collect from customers? Attest only processes the personal data necessary to manage our customers’ accounts and platform usage. If you have an account with Attest, we will process your name, email address and information relating to how you use the Attest Platform. For more information about what personal data we collect and process, please see our Privacy Policy. Information Security Attest is committed to maintaining appropriate technical and organisational measures to protect against unauthorised or unlawful processing of confidential data. Our technical infrastructure, including databases, is hosted on Amazon Web Services (“AWS”), which means we inherit the robust security structure and mechanisms that are maintained by AWS. You can read about AWS compliance here. We’ve also set out an overview of our security measures below but if you have further questions, please reach out to your Attest contact. MeasureDescriptionMeasures of encryption of dataAll data is encrypted at rest. We use industry standard AES-256 encryption.All data in transit is encrypted using TLS 1.2.All of our web applications enforce the use of HTTPS.All database data and backups are encrypted.Measures for ensuring physical security of locations at which personal data are processedOur technical infrastructure, including databases, is hosted on Amazon Web Services (AWS), which means we inherit the robust security structure and mechanisms that are maintained by AWS. You can read about AWS compliance at https://aws.amazon.com/compliance/programs/.Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems, data and services and managing incidentsAll Attest employees and contractors are required to sign standardised employment or contractor agreements prior to their start date, which contain detailed confidentiality provisions.All Attest employees complete mandatory training, including data protection and cybersecurity training.Our databases are backed up daily and stored for two weeks.Our Kafka cluster is backed up to Amazon S3 as soon as new data is available.We have a documented incident response plan that would be followed in the case of a technical incident, which ensures that a team involving both a legal representative and customer representative are involved from the beginning to manage communications and notifications. Where the issue is one that may have an impact on customers, customers would be notified.Measures for user identification and authorisationCustomers: Users are authenticated via username and password combination. These are checked against our own credential store which is stored in our database. We have applied a secure password policy for our customers, which is in accordance with the National Institute of Standards and Technology (NIST) and any new passwords are automatically cross-checked against a database of compromised passwords before they’re accepted.Customers are also able to set up 2-step verification on their accounts: https://intercom.help/attest/en/articles/4859091-log-in-a nd-2-step-verification.Attest Employees: All systems used by Attest employees are configured with SAML login where permitted, backed by their email account which is subject to strict password content and re-set policies. Access to all systems and email accounts are removed on the employee’s final working day.Measures for the protection of data during transmissionAll data in transit is encrypted using Transport Layer Security (TLS 1.2).Measures for the protection of data during storageData is stored in our database services which are managed by AWS and located in Dublin, Ireland. Data storage on local machines is not permitted.Measures for ensuring system configuration, including default configurationAttest has in place an Access Control Policy which stipulates access controls, including system configuration.Measures for internal IT and IT security governance and managementAttest has an IT Security Policy and related documentation which is managed by our IT Manager and Legal Team.Measures for ensuring data minimisationAttest only collects the minimum personal data required for the purpose of the processing.Attest also completes detailed reviews of any new suppliers and/or any processing activities by third parties to ensure that only minimal data is processed.Measures for ensuring accountabilityData protection impact assessments and privacy reviews are completed by the Attest Legal Team when new systems which process Respondent Personal Data are introduced.Measures for allowing data portability and ensuring erasureAttest allows customers to export their survey responses from the Attest platform during the course of a customer’s subscription and encourages customers to download their survey data on an ongoing basis.Attest also has a process that is managed by the Attest Legal Team which allows data subjects to exercise their privacy rights, as set out in Attest’s privacy policy. Reporting Illegal Content to Attest Attest is considered a “Hosting Service” under the Digital Services Act (the “DSA”). In compliance with the DSA, we provide our customers with the ability to report content that they access through the Attest Platform and consider either to be illegal or in breach of our Online Terms and/or our Acceptable Use Policy (“AUP”). Submitting your report Please follow the steps below to report content on the Attest platform that you consider either to be illegal or in breach of our Online Terms: All reports should be submitted via email to [email protected] and should contain the following information: Description of the content: Please provide a description of the content, including the survey GUID number if available to you. Please also confirm whether you found the content that you are reporting in a text-based survey, or a video survey. Basis of your report: Please explain why you consider the content to be a breach of Attest’s Online Terms or AUP and/or illegal, including references to any applicable laws and/or criminal actions. Please include the following confirmation in your email to us: “I confirm that I am making this report in good faith and believe that the content that I am reporting is either a breach of Attest’s Online Terms, AUP and/or an applicable law”. Contact information: Please provide your preferred email address so that we can follow up with you on the status of your report. Reviewing your report Our team will complete an initial review of your report and will follow up with you by email if we need further information. We will then review the reported content against our Online Terms and our AUP and/or any applicable laws. Please note that this process may be updated from time to time so that we can ensure our continued compliance with the DSA and any other applicable laws. Questions If you have any questions about this process, please contact [email protected].