People trust you with sensitive information, from employee feedback to customer concerns and health details. Protecting that data shows respect for every respondent and strengthens the connection you’ve built with them. Most security issues trace back to small oversights like shared logins or weak passwords, which makes everyday vigilance just as important as platform security.
We’ll cover two essentials: how SurveyMonkey secures your data, and how to configure your account to keep surveys and responses safe. You’ll see how encryption, audited certifications, and monitoring work behind the scenes. Then we’ll give you a 10-step checklist to protect your account with SSO/2FA, least-privilege roles, retention settings, and bot protection.
What SurveyMonkey does to protect your data
The respondents’ personal information and the responses you collect are yours. Our job is to keep it that way, while providing services that allow you to collect and analyze your responses. Here’s how:
- Certification and compliance. We’re ISO/IEC 27001 certified, so our information security management system is independently audited against a global standard. For eligible Enterprise plans, we offer Health Insurance Portability and Accountability (HIPAA) configurations. We also follow Payment Card Industry Data Security Standard (PCI DSS) requirements for payment-related products. Since we use recognized frameworks, your security team can easily map our controls to your policies. See our security features overview and Trust Center for more details.
- Encryption in transit and at rest. We use Transport Layer Security (TLS) to protect data while it moves between your browser and our servers to block eavesdropping. Advanced Encryption Standard (AES-256) protects data at rest, so stored responses are encrypted. This combination secures the full data lifecycle. See the encryption sections of the SurveyMonkey Security Statement for specifics.
- Access and authentication. Internal access is strictly controlled. We use the least-privilege principle, so people only get the access they need. Admins must use multi-factor authentication (MFA). We review access regularly and remove it immediately when roles change. These controls reduce insider risk and keep access auditable.
- Vulnerability management and testing. Our systems undergo continuous vulnerability scanning, regular internal and external penetration tests, and routine patching. This proactive approach helps us find and fix issues before they impact you.
- Logging, monitoring, and incident response. Centralized logging and alerting help our teams detect suspicious behavior. We have a tested incident response plan that outlines steps for investigation, containment, and customer notification, where appropriate. We are prepared to act quickly and transparently.
- Business continuity and resilience. Encrypted backups and a documented business continuity plan keep services and data available and recoverable, even if the unexpected happens.
Quick Q&A: Is SurveyMonkey safe?
Is my data encrypted end-to-end?
Your data is encrypted in transit with TLS and at rest with AES-256. True “end-to-end” encryption (where only the sender and recipient hold keys) would disable features like collaboration, analysis, and reminders. Our approach balances strong survey data protection with the capabilities teams rely on.
Where is my data stored, and who can access it?
Data is hosted in secure, monitored environments either in our US or EU data centers hosted on AWS. Access is limited by least-privilege roles and reviewed regularly. We also require MFA for administrative access and revoke credentials immediately when roles change. These controls limit who can access what and for how long.
How do you test for vulnerabilities?
We do continuous scanning, periodic external and internal penetration tests, and patching that prioritizes remediation based on risk.
10 ways to strengthen your survey security today
- Use SSO and 2FA for all admins. Enable single sign-on (SSO) and eliminate shared passwords to block most credential-stuffing attempts. Use two-factor authentication (2FA), if your identity provider supports it, to resist phishing. Tie access to least-privilege roles, so each person only gets what they need using our teams roles and permissions controls. This closes the “departed employee” gap—when someone leaves, their access ends automatically.
- Stop sharing logins. Shared credentials hide accountability and complicate offboarding. Create a team account, and assign role-based permissions to each user. If someone leaves, use the account transfer feature to retain surveys and results without keeping their old credentials.
- Set a data retention policy. Decide how long to keep personally identifiable information (PII) and when to anonymize responses. Schedule periodic cleanups, so your database only holds what you need. Less stored data means less to protect.
- Minimize data collection. Only ask for the information you truly need. Avoid collecting sensitive data unless it’s essential for your study. This aligns with institutional review board (IRB) and academic best practices for ethical research. Learn more in our guide to collecting anonymous responses and data collection and privacy policy, as well as East Tennessee State University’s guidelines for minimizing data in research surveys.
- Configure secure collectors. Use invitation-only collectors, when appropriate. Limit multiple responses and add throttling rules to reduce spam. Universities often recommend this when identity matters and to help prevent abuse. See the University of Maine’s and the Ball State University’s guidance.
- Protect against bots and fraud. Turn on CAPTCHA or other anti-bot features, when available. Look for unusual patterns, like identical timestamps, nonsensical text, or duplicate IPs. Review open-panel responses carefully. Learn how to outsmart survey bot respondents.
- Restrict exports. Limit who can download raw data files. Avoid sending CSVs by email; instead, share results in the platform with comments.
- Use strong, unique passwords and a manager. If SSO isn’t an option, require admins to use unique passphrases and a reputable password manager. Rotate credentials when roles change or a new risk emerges.
- Verify the emails tied to your account. Check your admin and recovery emails and keep security contacts current. This prevents hijacked resets, missed alerts, or unverified users gaining access.
- Educate your team and respondents. Phishing is still a top risk. Teach teams not to trust fake “form” links. Make it a policy to never request credentials or payments through a survey. WIRED explains how to spot survey scams and we share tips on avoiding scams.
How SurveyMonkey stands apart on security
Many platforms highlight encryption, compliance, and access controls. We focus on what matters most: how you and your team put security into practice every day.
SurveyMonkey combines enterprise-grade controls with practical guidance that helps teams act securely from day one. Along with encryption in transit and at rest, role-based access, and compliance certifications like SOC 2 Type II and ISO 27001, we provide the everyday steps that make those protections meaningful in practice.
Our approach connects policy to behavior:
- Clear admin guidance for setting up SSO, MFA, and least-privilege roles
- Built-in reminders to manage access and data exports responsibly
- Anti-bot and retention settings that reinforce secure survey management
Where others list what they have, we show you how to use it. That’s the difference between security by default and security in action.
For organizations with higher compliance needs, we also offer HIPAA-enabled and Enterprise Security & Data Protection (ESDP) plans.
Security and compliance resources
- Trust Center — single source for statements, FAQs, and contact options
- Security features — overview of product security and admin controls
- Two-factor authentication — how to enable 2FA for your account
- Avoiding scams — how to spot and report phishing or fraud
- Privacy basics — how we handle personal data and your choices
- Privacy for survey respondents — shareable guidance to include in invitations
Build lasting trust through everyday security
SurveyMonkey manages the hard work of security, including certifications, encryption, monitoring, and tested response plans, so your data stays private and auditable. Your own settings and habits keep that protection complete.
Start now by reviewing your security setup using the 10-step checklist above, then visit our Security Statement for the full details. If you manage a larger team, talk to us about Enterprise security options built for scale. And when you’re ready for next steps, check out our team and roles setup or visit our Trust Center to see how we protect your data end to end.
