
EU Data Transfer Statement and Subprocessor List

LAST UPDATED: October 10, 2022

Momentive provides its products around the world, and uses global subprocessors to help us provide those products and services. In our contract with you, we commit that every transfer of personal data to us is compliant with data protection laws. We also ensure that when we transfer personal data onward, the recipient protects the personal data with safeguards that are no less onerous than the standard that we apply to personal data in our control.

To assist you in determining that there is an adequate level of protection for personal data transferred to Momentive and onward - taking into account the July 16, 2020 judgment of the EU Court of Justice (“CJEU”) in Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximilian Schrems (“Schrems II”) and the European Data Protection Board’s (“EDPB”) guidance on supplementary measures - we provide some information below about how your information is protected as it travels.

For more information about how we process personal data generally, please see our Privacy Notice.

Jump to:

Part I: Transfers to Momentive

  • Step 1: Description of Transfer
  • Step 2: Legal Regime in Destination Country
  • Step 3: Supplementary Measures
  • Step 4: Assess the risk of harm to which a data subject may be exposed
  • Step 5: Conclusion

Part II: Onward Transfers to Subprocessors

  • Subprocessors used to provide SurveyMonkey
  • Subprocessors used to provide Audience/Market Research
  • Subprocessors used to provide GetFeedback Digital
  • Subprocessors used to provide GetFeedback Direct
  • Subprocessors used to provide Wufoo
  • Subprocessors used to provide TechValidate
  • Subprocessors used to provide Customer Experience (CX)
  • Subprocessors used to provide SurveyMonkey Apply
  • Subprocessors used to provide Engage

Part I: Transfers to Momentive


Step 1: Description of Transfer

Parties and Transfer Mechanism 

If you are a US Customer, your contract will include a Data Protection Addendum (“DPA”) with Momentive’s US entity: Momentive Inc. If you have users in the European Economic Area (“EEA”) or the United Kingdom (“UK”) and therefore require a transfer mechanism for user data to Momentive, you can request that we add EU and/or UK Standard Contractual Clauses (“SCCs”).

If you are a Customer based in the EEA or UK, your contract will include a Data Protection Addendum (“DPA”) with Momentive’s Irish entity: Momentive Europe UC. Since the transfer from you to Momentive is between European entities for which no transfer mechanism is needed (or that have recognized each other’s adequacy status), no other transfer mechanisms are needed.

If you are a Customer based outside of the US, EEA, or UK - but you have users in the EEA or UK and need to ensure there is a transfer mechanism for onward transfer - your contract will include a DPA with Momentive’s Irish entity, Momentive Europe UC, and you can request that we add EU and/or UK SCCs.

Purpose

You transfer personal data to Momentive so that we may process the personal data for the following purposes:

  • Providing the platform services
  • Customer support
  • Fraud and abuse monitoring
  • Security and engineering support 
  • Product development
  • Sales and marketing support
  • Employee and contingent worker management

You should evaluate if you transfer data for any differing purposes.

Personal Data

The Customer personal data transferred to Momentive can contain as much or as little personal data as you decide to provide in your questions in surveys, forms, and questionnaires. As a platform we assume that a large variety of personal data - including potential special category data - is collected by you. 

Information we collect is specified in section 2 of our Privacy Notice.

Step 2: Legal Regime in Destination Country

As noted above, you will contract with a Momentive entity in the US or Ireland - depending on your location. Based on advice from outside counsel specialized in data protection and analysis of the laws to which Momentive is subject, we believe the risk associated with the legal regime in the US to be low, and the risk associated with the legal regime in Ireland to be of no material risk to the data subject. See the section ‘Supplementary Measures: Organizational’ below for more information on US law specifically.

Step 3: Supplementary Measures

Even where there is low or no material risk due to the legal regime in the destination country, Momentive has implemented supplementary measures to further safeguard personal data. The supplementary measures are divided into three categories: (i) contractual; (ii) organizational; and (iii) technical safeguards. 

Contractual

As described above, Momentive will agree to enter into SCCs with Customers. The Schrems II judgment indicates that parties may use SCCs and (where appropriate) additional safeguards for transfer of personal data from the United Kingdom and the European Economic Area (“European Data”) to the United States. If you have entered into an agreement with or are otherwise obtaining services from Momentive that will require Momentive to process personal data of European data subjects, Momentive will (as appropriate depending on the Momentive entity you are contracting with): 

  • (i) enter into appropriate processor to processor Standard Contractual Clauses with each subprocessor who is located in a country which does not have adequate protection (as defined under GDPR) where the subprocessing results in onward transfers outside the EU or the UK; or 
  • (ii) will agree to be bound directly by the Standard Contractual Clauses and supplemental clauses outlining the organizational and technical measures Momentive has in place to protect personal data of European data subjects. 

For more information about our agreement to be bound by the Standard Contractual Clauses, please see the Terms of Use (for self-serve customers), the Governing Services Agreement (for SurveyMonkey Enterprise or GetFeedback Digital customers), or such other agreement you may have negotiated with Momentive.

Organizational

The CJEU’s concerns about transfers of data to the United States were based on the US government’s collection of data under US Executive Order 12333 (“EO 12333”) and under Section 702 of the Foreign Intelligence Surveillance Act (“FISA § 702”), especially “upstream” surveillance under FISA § 702.  The risks posed by these US legal provisions either do not apply to Momentive’s processing of personal data or can be sufficiently mitigated by organizational safeguards that Momentive offers.

Momentive is not eligible to receive “upstream” or bulk surveillance orders under FISA § 702. Momentive Inc. acts, in part, as an electronic communications service (“ECS”) and also potentially a remote computing service (“RCS”) (as defined in Sections 2510 and 2711 of Title 18 USC., respectively) in connection with certain services or product features we provide to Customers.  Momentive Inc. thus is among the large group of companies upon which the United States government could serve a targeted directive under FISA § 702.  However, as the US government has interpreted and applied FISA § 702, Momentive is not eligible to receive the type of order that was of principal concern to the CJEU in the Schrems II decision—i.e., a  FISA § 702 order for “upstream” surveillance.  As the US government has applied FISA § 702, it uses upstream orders only to target traffic flowing through internet backbone providers that carry Internet traffic for third parties (i.e., telecommunications carriers).  For example, see the report of the Privacy and Civil Liberties Oversight Board, Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act (July 2, 2014), pp. 35-40, available at https://fas.org/irp/offdocs/pclob-702.pdf.  Momentive does not provide such Internet backbone services, as we only carry traffic involving our own customers.  As a result, we are not eligible to receive the type of order principally addressed in, and deemed problematic by, the Schrems II decision.

Momentive has not received any directive under FISA § 702, and we are unlikely to receive any. As of the date of this statement, Momentive has not received any directive under FISA § 702 and has no reason to believe that such a directive would be made to Momentive. The personal data Momentive processes for our customers – feedback data – is highly unlikely to be relevant to the foreign intelligence activities governed by FISA § 702. Moreover, in the event any such personal data were relevant to such an investigation, the government is more likely to seek such data through other forms of legal process (such as a search warrant approved by a judge) that do satisfy the high standards for government access to data described in the Schrems II decision. This is because it would be much faster and easier for the government to seek an order or warrant under something other than FISA § 702 than to put in place the mechanisms required for the government to serve directives on Momentive under FISA § 702.

Momentive does not assist — and cannot be ordered to assist — US authorities in their collection of information under Executive Order 12333. Momentive does not and will not provide any assistance to US authorities conducting surveillance under EO 12333.  EO 12333 does not provide the US government the ability to compel companies to provide assistance with those activities, and Momentive will not do so voluntarily.  As a result, Momentive does not, and cannot be ordered to, take any action to facilitate the type of bulk surveillance under EO 12333 the Schrems II decision deemed problematic.

Technical

Momentive provides a range of technical measures that further defeat the core deficiencies cited in the Schrems II decision referred to above (bulk surveillance under FISA § 702 and bulk interceptions under EO 12333).  

Momentive encrypts all data at rest in our data centres using AES 256 based encryption. Additionally, Momentive encrypts all data in motion using (i) RSA with 2048 bit key length based certificates generated via a public Certificate Authority, for communications with entities outside Momentive’s data centres, and (ii) RSA 256 certificates generated via Internal Certificate Authority, for all the data within the data centre.  These encryption efforts are aimed at prevention of unauthorised acquisition of data in an intelligible form and prevention of unauthorised wiretapping / tampering when data is in transit between two end-points. 

Some Momentive Customers (for example, Customers of GetFeedback Digital) have their data stored only in the European Union. In those instances the data is not stored in the US and only very minimal access to that data occurs in the United States for limited purposes (for example, to provide Customer support on request, for follow the sun security support and/or limited engineer resourcing to resolve technical issues/bugs or build out systems).

Momentive also maintains strict administrative, technical, and physical procedures to protect information stored on its servers. Access to personal information is limited through login credentials to those employees who require it to perform their job functions. Momentive implements data minimization techniques to limit the amount of personal data which is transferred from the EU to third party jurisdictions to include, where appropriate, pseudonymization or deidentification of data. In addition, Momentive uses access controls such as multi-factor authentication, Single Sign On, access on an as-needed basis, strong password controls, and restricted access to administrative accounts.  

Additionally, as an ECS/RCS, Momentive is subject to the US Electronic Communications Privacy Act, 18 USC. § 2701, et seq.  (“ECPA”), which provides protection to Momentive’s Customers.  For example, ECPA prohibits governmental entities from seeking information about Customers of services like Momentive unless such governmental entities first obtain appropriate legal process, including a court order or search warrant for information other than basic subscriber information.  Likewise, both FISA and ECPA provide Momentive’s Customers with redress against the US government (including monetary damages or disciplinary actions against the relevant governmental authorities) if it improperly obtains information about them (see 18 USC. § 2712).

Further, Momentive’s long time outside legal counsel is experienced in responding to US governmental requests for user data, including US national security requests under FISA § 702.  It is Momentive’s policy to escalate any such requests to Momentive’s own internal compliance team and, as necessary, to such outside counsel for review.  Where appropriate, Momentive intends to use available legal mechanisms to challenge demands for data access using FISA § 702 (including any non-disclosure provisions or orders attached thereto) in the unlikely event Momentive receives such a demand.  The demand would then receive review by a US tribunal (the FISA Court). 

Momentive also recognizes that an order to provide data access under FISA § 702 would require Momentive to notify our Customers that we could no longer comply with the Standard Contractual Clauses, allowing them to terminate their agreement with us and suspend data flows to us.  We have never needed to issue such a notice.

Step 4: Assess the risk of harm to which a data subject may be exposed

Taking into account the above analysis, we believe the risk of harm to the data subject is not material.

Step 5: Conclusion

The table below summarizes our transfer impact assessment conclusion.

“Non-material” risk means that personal data is transferred to a jurisdiction that has been considered adequate by the European Commission (and so the legal protections are equivalent to legal protections in Europe), and that there are contractual, technical, and organizational measures in place to further protect the data.

“Low” risk means that personal data is transferred to a jurisdiction with a GDPR Chapter V mechanism other than adequacy. While the legal protections are not necessarily equivalent to legal protections in Europe, the transfer is still legally-compliant and is bolstered by contractual, technical, and organizational measures in place to further protect the data.

Sender | Recipient | Transfer Destination | Transfer Mechanism | Risk
US Customer with users in EU or UK | Momentive Inc. | US | SCCs + supplementary measures | Low
EEA or UK Customer | Momentive Europe UC | Ireland | Adequacy + supplementary measures | Non-material
Non-US/EEA/UK Customer with users in EU or UK | Momentive Europe UC | Ireland | SCCs + supplementary measures | Non-material

Part II: Onward Transfers to Subprocessors


Subprocessors are Momentive vendors that process your users’ personal data in order to help Momentive provide the service to you. All Momentive subprocessors are bound by contract to protect the personal data with safeguards that are no less onerous than the standard that we apply to personal data in our control.

When Momentive transfers personal data to subprocessors, we conduct a Transfer Impact Assessment (“TIA”) similar to the steps outlined above. We do this to ensure that your personal data is protected at each step, as required by data protection law and our contract with you. We have provided a summary of the salient points of the TIA for each subprocessor below.

Please note that not all subprocessors are used in the provision of all of our Services. Our subprocessor list is segmented into specific Momentive services. 

If you wish to receive email notifications of updates to our Subprocessor List, please subscribe here.

Subprocessors used to provide SurveyMonkey

Subprocessor | Purpose | Personal Data | Location and Assessment of Legal Regime Risk | Transfer Mechanism | Supplementary Measures: Contractual, Organizational, and Technical
Subprocessor: Amazon Web Services (“AWS”)

Purpose: Data storage services for storing assets and database hosting; Content distribution network (“CDN”) services; storage used to support data analysis features (OpenSearch).

Personal Data:

  • Names of Individuals (First and/or Last Names)
  • Any unique identifier that can be used to tie to a particular person in the real world
  • Vehicle registration plate number
  • Date of Birth
  • Email Address
  • Phone Number
  • Physical Address (i.e. 123 Fake St)
  • ZIP/Postal Code
  • Apartment Numbers (i.e. Address Line 2)
  • IP address
  • IMSI/IMEI numbers
  • MAC address
  • Insurance details
  • Family members and Dependents

Sensitive Personal Data can be included in survey response or form data and so AWS may store any of the following:

  • Government/National ID (e.g. SSN, SIN), Driver's License number, Passport number
  • Username and password, Authentication credentials
  • Financial and Payment information (account log‐in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account)
  • Geolocation
  • Race/ethnicity
  • Religious/Political/Trade Union Affiliation
  • Sex life or Sexual Orientation
  • Health data (incl. prescription medications, medical procedures and tests, diagnoses, medical practitioners and area of practice, health card numbers etc.)
  • Biometrics (e.g. fingerprints, voice recordings, photos)
  • Genetic data
  • Salary/Income (or ranges of same)
  • Customer survey responses (responses received by a customer to the survey they create within Momentive accounts)
  • Credit score/record
  • Communications - the contents of a consumer’s private communications, unless the company is the intended recipient of the communication
  • Criminal record

Quasi identifiers: This could include data which is not personal unless linked to other data e.g. web identifiers, device information, browser data and other metadata which may in some cases be linkable to other categories of data listed above.

Location and Assessment of Legal Regime Risk:

  • United States - low
  • Canada - non-material
  • Ireland - non-material

Transfer Mechanism: SCCs

Supplementary Measures: Please see AWS’s commitments to data control, data privacy, and security.

Specifically, Momentive uses the latest generation of EC2, which automatically gains the protection of the AWS Nitro System. Using purpose-built hardware, firmware, and software, AWS Nitro provides unique and industry-leading security and isolation by offloading the virtualization of storage, security, and networking resources to dedicated hardware and software. This enhances security by minimizing the attack surface and prohibiting administrative access while improving performance.

All data in transit between our secure datacenter facilities, availability zones, and regions is encrypted automatically at the hardware level. Momentive also utilizes AWS Key Management Services to control and manage our own keys within FIPS-140-2 certified hardware security modules. Regardless of whether data is encrypted or unencrypted, we will always work vigilantly to protect data from any unauthorized access.

Our security team has carried out a comprehensive review of all AWS cloud infrastructure services and changes are kept under continual review.

Momentive encrypts all data at rest in our data centres using AES 256 based encryption. Additionally, Momentive encrypts all data in motion using (i) RSA with 2048 bit key length based certificates generated via a public Certificate Authority, for communications with entities outside Momentive’s data centres, and (ii) RSA 256 certificates generated via Internal Certificate Authority, for all the data within the data centre.

These encryption efforts prevent the acquisition of data in an intelligible form. This also deters wiretapping between the two end-points while such data is in transmission or in storage.

Subprocessor: Microsoft (Sharepoint)
Purpose: Internal document repository
Personal Data: Customer Data as requested to provide Professional Services (eg: survey design and response analysis)
Location and Assessment of Legal Regime Risk: USA - low
Transfer Mechanism: SCCs
Supplementary Measures: Please see Microsoft Cloud Transfer Whitepaper and security documentation.

Subprocessor: Momentive Affiliates (Momentive Inc., Momentive Australia Pty Limited)
Purpose: Customer and product support services; product development, infrastructure, and technology services.
Personal Data: Respondent: Contact Information, Usage Information, Device Information, Cookie and other tracking information
Location and Assessment of Legal Regime Risk: Australia - low; USA - low
Transfer Mechanism: SCCs
Supplementary Measures: Please see description above and our Security Statement and GDPR Whitepaper.

Subprocessor: Momentive Affiliates (Momentive Canada Inc., Momentive UK Ltd.)
Purpose: Customer and product support services; product development, infrastructure, and technology services.
Personal Data: Respondent: Contact Information, Usage Information, Device Information, Cookie and other tracking information
Location and Assessment of Legal Regime Risk: Canada - non-material; UK - non-material
Transfer Mechanism: Adequacy
Supplementary Measures: Please see description above and our Security Statement and GDPR Whitepaper.

Subprocessor: Salesforce (including Sales Cloud, Service Cloud, Community Cloud, Chatter, Salesforce Platform, Customer Data Platform, Marketing Cloud, Mulesoft, and Tableau CRM)
Purpose: Customer Support
Personal Data: Names of Individuals (First and/or Last Names), Email, Phone Number, Content of communications sent during provision of Customer Support
Location and Assessment of Legal Regime Risk: USA - low
Transfer Mechanism: SCCs
Supplementary Measures: Please see Salesforce’s Security Whitepaper, security certifications, DPA FAQ, and Trust and Compliance documentation.

Subprocessor: Snowflake
Purpose: Storage of usage data for analytics and product development.
Personal Data: IP Address, Email address (first and last name), Quasi identifiers, Respondent ID
Location and Assessment of Legal Regime Risk: USA - low
Transfer Mechanism: SCCs
Supplementary Measures: Momentive data is stored encrypted at rest on AWS S3. Snowflake uses strong AES 256 bit encryption with a hierarchical key model. Snowflake implements a comprehensive monitoring and logging system.

Snowflake is ISO 27001 and SOC 2 certified and these certifications have been reviewed by the Momentive security team in full as part of our risk review.

Employees are provided with both Security and Privacy Awareness Training overview which they are required to complete at hire and then on an annual basis thereafter. In addition, as needed, other quarterly training on featured security and privacy related topics and role specific training for personnel whose role responsibilities require additional security procedures are provided.

Access to any production environment is based on least privileged access rules and role based access controls and deprovisioning is similarly managed and monitored.

See Snowflake’s documentation for more information: Data Security and Trust Center.

Subprocessor: Sparkpost
Purpose: Email delivery service.
Personal Data: Email address, meta data (open clicks, date stamps)
Location and Assessment of Legal Regime Risk: USA - low
Transfer Mechanism: SCCs
Supplementary Measures: See: Security Program - SparkPost

SparkPost maintains Customer Data in an encrypted format at rest and in transit using SSL, HTTPS, and opportunistic TLS as applicable.

Customer Data is encrypted when in transit between Customer and SparkPost Services using HTTPS. Customer Data is encrypted when in transit between SparkPost and Recipient using opportunistic TLS.

SparkPost conducts various third-party audits to attest to various frameworks including SOC 2 Type II and regular application vulnerability and penetration testing.

SparkPost does not store the message body of an Email after it has either been delivered to the Recipient or has bounced or otherwise been rejected by the mailbox provider, which typically occurs within seconds. In the event of a rejection or bounce, SparkPost will retain the message body for a limited period of time to allow for the Email transmission to be retried. If the transmission is still unsuccessful, the message body is permanently deleted.

SparkPost only stores Recipient Personal Data in raw form for a limited amount of time after the transmission of an Email to a Recipient. After the initial retention period, the Personal Data is pseudonymized through a one-way hash and is only stored in its pseudonymized form. For more information about this process please see the Sparkpost Data FAQs available here.

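Subprocessor: Splunk
Purpose: Software for searching, monitoring, and analyzing machine-generated data.
Personal Data: Respondent ID, Respondent email address, First and last name, phone number, Browser information, Open text response data
Location and Assessment of Legal Regime Risk: USA - low
Transfer Mechanism: SCCs
Supplementary Measures: Please see Splunk’s security documentation and compliance certificates.

Subprocessor: Twilio
Purpose: SMS delivery.
Personal Data: Respondent phone number, Content of SMS communications
Location and Assessment of Legal Regime Risk: USA - low
Transfer Mechanism: SCCs
Supplementary Measures: Please see Twilio’s security certification, security statement, and security overview.
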
Subprocessor: Upwork
Purpose: Support team task augmentation (contractors).
Personal Data: Names of Individuals (First and/or Last Names), Email, Phone Number, Content of communications sent during provision of Customer Support
Location and Assessment of Legal Regime Risk: Philippines - low
Transfer Mechanism: SCCs
Supplementary Measures: Please see Upwork’s security page, in addition to the information below.

Momentive employs remote desktop control over contracted support agents. All personnel handling personal data are subject to confidentiality obligations. Anti-malware and malicious software detection controls are in place to ensure no unauthorised access to data can take place, and all data are encrypted when transferred over public networks.

There are also specific data handling procedures in place which ensure strict ‘need to know’ access controls are in place, as well as policies which ensure the deletion of the data after use. Further access controls also require specific identification of the terminal user on the relevant systems, as well as requiring identification codes and password complexity standards for anyone who needs to access the data. VPNs, two-factor authentication and role-based access are also baked into the main access control procedures.

During transmission, data are subject to various strict transmission controls including procedures preventing the data from being read, copied, altered or deleted while in transit. Encryption technologies and the use of firewalls are in place to protect gateways and firewalls through which the data travels, and VPN connections safeguard the data connection to internal networks. Infrastructure is constantly monitored (e.g. through ICMP-Ping at network level), and the end-to-end security monitoring takes place to ensure the completeness and correctness of all transfers.

All encryption solutions are deployed with no less than a 128-bit key for symmetric encryption and a 1024 (or larger) bit key length for asymmetric encryption.

Input control ensures that it is possible to check and establish whether and by whom Personal Data has been input into data processing systems or removed.

Such controls include authentication and logging. Vulnerability management is in place to detect and immediately remedy any system vulnerabilities.

Data destruction procedures also ensure that data subject to the transfer are secured and not held for any longer than necessary to achieve the purposes of customer support.

Subprocessor: Xoriant, InfoSol, Tredence, Impetus, Valuelabs
Purpose: Data & Analytics team task augmentation (contractors).
Personal Data: Data as listed for Snowflake
Location and Assessment of Legal Regime Risk: USA - low
Transfer Mechanism: SCCs
Supplementary Measures: All the security controls available and listed above for Snowflake are utilized to ensure least privileged access for our third party contractors. We utilize remote desktop security as well as the other security controls which apply to any internal Momentive systems. See our security statement for further details.

Subprocessors used to provide Audience/Market Research

Subprocessor | Purpose | Personal Data | Location and Assessment of Legal Regime Risk | Transfer Mechanism | Supplementary Measures: Contractual, Organizational, and Technical
AWS | See above | See above | See above | See above | See above
Microsoft | See above | See above | See above | See above | See above
Momentive Affiliates (Momentive Inc., Momentive Australia Pty Limited) | See above | See above | See above | See above | See above
Momentive Affiliates (Momentive Canada Inc., Momentive UK Ltd.) | See above | See above | See above | See above | See above
Salesforce | See above | See above | See above | See above | See above
Snowflake | See above | See above | See above | See above | See above
Sparkpost | See above | See above | See above | See above | See above
Splunk | See above | See above | See above | See above | See above
Twilio | See above | See above | See above | See above | See above
Upwork | See above | See above | See above | See above | See above
Xoriant, InfoSol, Tredence, Impetus, Valuelabs | See above | See above | See above | See above | See above

Subprocessors used to provide GetFeedback Digital 

Subprocessor | Purpose | Personal Data | Location and Assessment of Legal Regime Risk | Transfer Mechanism | Supplementary Measures: Contractual, Organizational, and Technical
AWS | See above | See above | See above | See above | See above
Google | Open-text response translation feature requested by a subset of GetFeedback Digital customers. | Survey Response data. This may or may not include personal data, depending on the types of questions in the survey and how the respondent chooses to answer the questions. | USA - low | SCCs | https://cloud.google.com/security/
Momentive Affiliates (Momentive Inc., Momentive Australia Pty Limited) | See above | See above | See above | See above | See above
Momentive Affiliates (Momentive Canada Inc., Momentive UK Ltd.) | See above | See above | See above | See above | See above

Subprocessor: ScaleGrid

Purpose: Database hosting

Personal Data:

  • Names of Individuals (First and/or Last Names)
  • Any unique identifier that can be used to tie to a particular person in the real world
  • Vehicle registration plate number
  • Date of Birth
  • Email Address
  • Phone Number
  • Physical Address (i.e. 123 Fake St)
  • ZIP/Postal Code
  • Apartment Numbers (i.e. Address Line 2)
  • IP address
  • IMSI/IMEI numbers
  • MAC address
  • Insurance details
  • Family members and Dependents

Sensitive Personal Data can be included in survey response or form data and so AWS may store any of the following:

  • Government/National ID (e.g. SSN, SIN), Driver's License number, Passport number
  • Username and password, Authentication credentials
  • Financial and Payment information (account log‐in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account)
  • Geolocation
  • Race/ethnicity
  • Religious/Political/Trade Union Affiliation
  • Sex life or Sexual Orientation
  • Health data (incl. prescription medications, medical procedures and tests, diagnoses, medical practitioners and area of practice, health card numbers etc.)
  • Biometrics (e.g. fingerprints, voice recordings, photos)
  • Genetic data
  • Salary / Income (or ranges of same)
  • Customer survey responses (responses received by a customer to the survey they create within Momentive accounts)
  • Credit score / record
  • Communications - the contents of a consumer’s private communications, unless the company is the intended recipient of the communication
  • Criminal record

Quasi identifiers: This could include data which is not personal unless linked to other data e.g. web identifiers, device information, browser data and other meta data which may in some cases be linkable to other categories of data listed above.

Location and Assessment of Legal Regime Risk: Ireland - non-material

Transfer Mechanism: Data is not transferred out of Europe.

Supplementary Measures: https://mongodb.scalegrid.io/hubfs/Whitepaper-ScaleGrid-Infrastructure-Security.pdf

Subprocessors used to provide GetFeedback Direct

Subprocessor | Purpose | Personal Data | Location and Assessment of Legal Regime Risk | Transfer Mechanism | Supplementary Measures: Contractual, Organizational, and Technical
AWS | See above | See above | See above | See above | See above
Functional Software Inc. (Sentry) | Applications error capturing (site health monitor). | Direct identifying information (e.g. name, email address, telephone); Indirect identifying information (e.g. job title, gender, date of birth); Device identification data and traffic data (e.g. IP addresses, MAC addresses, web logs, browser agents); Any personal data supplied by end users of the Service. | USA - low | SCCs | See Sentry’s security page for more details.
Google | Hosts survey assets and respondent assets, NLP for respondent data, respondent data hosted on Google platform for searching/indexing dashboards. | Survey Response data. This may or may not include personal data, depending on the types of questions in the survey and how the respondent chooses to answer the questions. | USA - low | SCCs | https://cloud.google.com/security/
Heroku (if you utilize GetFeedback Direct’s EU Data Center, Heroku is not a subprocessor) | Application host and data store that runs on AWS. | See ‘Amazon/AWS’ above | USA - low | SCCs | Please see Heroku’s security certifications and Trust and Compliance documentation.
IPdata | Geolocation lookup for Respondents | IP address | USA - low | SCCs | Please see IPdata’s Privacy Policy for more information.
Momentive Affiliates (Momentive Inc., Momentive Australia Pty Limited) | See above | See above | See above | See above | See above
Momentive Affiliates (Momentive Canada Inc., Momentive UK Ltd.) | See above | See above | See above | See above | See above
Salesforce | See above | See above | See above | See above | See above
Splunk | See above | See above | See above | See above | See above

Subprocessors used to provide Wufoo

Subprocessor | Purpose | Personal Data | Location and Assessment of Legal Regime Risk | Mechanism of Transfer | Supplementary Measures: Contractual, Organizational, and Technical
AWS | See above | See above | See above | See above | See above
Microsoft | See above | See above | See above | See above | See above
Momentive Affiliates (Momentive Inc., Momentive Australia Pty Limited) | See above | See above | See above | See above | See above
Momentive Affiliates (Momentive Canada Inc., Momentive UK Ltd.) | See above | See above | See above | See above | See above
Salesforce | See above | See above | See above | See above | See above
Snowflake | See above | See above | See above | See above | See above
Sparkpost | See above | See above | See above | See above | See above
Splunk | See above | See above | See above | See above | See above

Subprocessors used to provide TechValidate

Subprocessor | Purpose | Personal Data | Location and Assessment of Legal Regime Risk | Transfer Mechanism | Supplementary Measures: Contractual, Organizational, and Technical
AWS | See above | See above | See above | See above | See above
Engine Yard | Website hosting tool and cloud application management. | See ‘AWS’ above | US - low | SCCs | Engine Yard is contractually committed to: host data at a secure facility (such as AWS) with data center access restrictions, monitoring, security staff, and other commercially reasonable physical security measures; maintain restricted network access, firewalls, server hardening measures, user authentication protocols, event logging, and other commercially reasonable system and network security measures designed to protect the security of personal data; encrypt personal data where feasible and commercially reasonable in accordance with industry standards for encryption at rest and in transit; and grant access on the principle of least privilege on a role basis and subject to authorization and deactivation practices of Momentive.
Microsoft | See above | See above | See above | See above | See above
Momentive Affiliates (Momentive Inc., Momentive Australia Pty Limited) | See above | See above | See above | See above | See above
Momentive Affiliates (Momentive Canada Inc., Momentive UK Ltd.) | See above | See above | See above | See above | See above
Salesforce | See above | See above | See above | See above | See above

Subprocessors used to provide Customer Experience (CX)

Subprocessor | Purpose | Personal Data | Location and Assessment of Legal Regime Risk | Transfer Mechanism | Supplementary Measures: Contractual, Organizational, and Technical
AWS | See above | See above | See above | See above | See above
Engine Yard | See above | See above | See above | See above | See above
Microsoft | See above | See above | See above | See above | See above
Momentive Affiliates (Momentive Inc., Momentive Australia Pty Limited) | See above | See above | See above | See above | See above
Momentive Affiliates (Momentive Canada Inc., Momentive UK Ltd.) | See above | See above | See above | See above | See above
Salesforce | See above | See above | See above | See above | See above

Subprocessors used to provide SurveyMonkey Apply

Subprocessor | Purpose | Personal Data | Location and Assessment of Legal Regime Risk | Transfer Mechanism | Supplementary Measures: Contractual, Organizational, and Technical
AWS | See above | See above | See above | See above | See above
Bridgewater Labs | Task augmentation (engineering contractors) | All possible personal data categories collected in SM Apply forms. | Canada - non-material | SCCs | All the security controls available and listed above for AWS are utilized to ensure least privileged access for our third party contractors. We utilize remote desktop security as well as the other security controls which apply to any internal Momentive systems. See our security statement for further details.
Microsoft | See above | See above | See above | See above | See above
Momentive Affiliates (Momentive Inc., Momentive Australia Pty Limited) | See above | See above | See above | See above | See above
Momentive Affiliates (Momentive Canada Inc., Momentive UK Ltd.) | See above | See above | See above | See above | See above
Salesforce | See above | See above | See above | See above | See above

Subprocessors used to provide Engage

Subprocessor | Purpose | Personal Data | Location and Assessment of Legal Regime Risk | Transfer Mechanism | Supplementary Measures: Contractual, Organizational, and Technical
AWS | See above | See above | See above | See above | See above
Microsoft | See above | See above | See above | See above | See above
Momentive Affiliates (Momentive Inc., Momentive Australia Pty Limited) | See above | See above | See above | See above | See above
Momentive Affiliates (Momentive Canada Inc., Momentive UK Ltd.) | See above | See above | See above | See above | See above
Salesforce | See above | See above | See above | See above | See above

SurveyMonkey is brought to you by momentive.ai. Shape what's next with AI‑driven insights and experience management solutions built for the pace of modern business.
Copyright © 1999-2023 Momentive