SurveyHost Policies and Legal Information

SurveyHost Confidentiality and Security

At Apian Software, we are committed to providing the highest levels of security and confidentiality for your survey project.

• SurveyHost Confidentiality Policy
• SurveyHost Uptime and Security

SurveyHost Confidentiality Policy

We understand that survey data can be quite sensitive, covering issues from employee morale to future product development. In addition, the survey data and your project content are your intellectual property, so we take the following steps to protect them:

• Within Apian, only the SurveyHost staff has access to data on the server.
• We will not publish a link to your project unless you request it, so only people to whom you provide the URL will be able to see the survey.
• Access logs and instant reports are password protected unless otherwise requested.
• Data and reports are only provided to contacts you authorize.
• Data and other information is only provided to prearranged contacts, and only retained by the SurveyHost staff as an archive. Archives will be destroyed if requested.

Client company names may be included in marketing materials, but specific contact information is considered confidential. Email addresses or other respondent information provided (i.e. for piping or email invitations) are confidential. Details of your project, including hosting inquiries and project quotes are also considered confidential.

We are always happy to sign a Non-Disclosure Agreement before receiving your survey materials. For more details, please see our privacy policy.

SurveyHost Uptime and Security

Apian Software uses dedicated servers at a premier managed host for its Web survey hosting. The data center provides 100% network uptime through a redundant network architecture, redundant Internet connectivity through multiple providers, and both battery and generator backup. Technicians monitor the servers and network 24/365, and are available on-site to perform routine maintenance after hours or address any issues when they occur. Data center access is restricted to background screened personnel and uses biometric as well as password protocols to regulate access. For additional details on the data center, contact sales@apian.com.

Within the data center, Apian uses high-speed dual processor servers to ensure quick processing of survey responses. A hardware firewall screens incoming requests before they reach the "hardened" server processing your survey responses. Data is protected by RAID arrays, Executive Software's Un-Delete, and regular backups. Apian's survey processing engine and server architecture were designed to maximize security and to virtually eliminate the impact of one survey's load on another. Projects do not share data files or database entries. There are continuous automatic software monitors on server performance as well as routine reviews by Apian staff of performance logs.

Apian's Seattle staff connects to the Web servers through a virtual private network (VPN) which encrypts all project files while in transit. Within Apian's network, access to survey projects is restricted using group permissions policies. SurveyHost projects are further protected by archiving for a minimum of one year (deleted upon request). You are primarily responsible for the safety of your data after downloading, or after the close of your project. Please back up and archive according to your own policies. Our archive is for secondary backup purposes only.

For our clients downloading data, 128bit SSL encryption protects your files through the SurveyHost Client Access consoles. In addition to the full access console for our primary contact, reports can be configured with protected log-ins to monitor response rates and tabulations. SurveyHost also offers SSL encryption for the surveys themselves, protecting respondents' submissions between their desktops and our servers.

SurveyHost Acceptable Uses Policy

The following policies apply to all projects hosted on SurveyHost.com. In addition, you will be asked to sign our Hosting Agreement. If we are sending emails on your behalf, there is a contract governing that relationship as well.

The client is solely responsible for ensuring that all surveys are in compliance with legal requirements for collection of information on the Internet. Any information presented on this site is offered with no assurance of accuracy or completeness.

Content and Activity Levels

Apian Software reserves the right to refuse surveys which are considered inappropriate or offensive. We limit use of the surveyhost.com URL to surveys we'd be happy to have our mothers see. Reasons include, but are not limited to:

• Trademark or other intellectual property infringements
• "Hate," or bigoted content
• Pornography

For surveys targeting children as respondents, Apian Software will only host questionnaires which do not collect individually identifiable information as defined by the Children's Online Privacy Protection Act. See Privacy Issues or the FTC web site for more information on COPPA. Client is solely responsible for ensuring compliance.

Apian Software reserves the right to suspend or terminate surveys as needed. Reasons may include:

• Very high response rate without prior arrangement (over 10,000 responses per week)
• Response rate surges which affect overall server performance (typically caused by the client sending an extremely large number of e-mail invitations without coordinating with the SurveyHost staff, or by public dissemination of the URL of a survey with an incentive)
• Respondent complaints (such as for unsolicited email invitations)

Depending on the nature of the issue, we will notify you of the problem, discuss possible alternative solutions, or suspend/terminate the survey at our sole discretion.

E-mail Invitations

Acceptable Lists:

We recognize e-mailed invitations to respondents as a valuable complement to survey hosting, however due to the proliferation of unsolicited e-mails or "Spam" there are special conditions on this service. Note that these restrictions are to comply with the policies of "upstream" service providers who provide connections to SurveyHost.com, and therefore are restrictions you will encounter in almost any mailing. If you find any of this too restrictive for your project, please note that we can host your survey without sending out your emails. You can send emails yourself, and then need only worry about your organization's email policies.

For internal surveys of employees and students:

• E-mail invitations and follow-up reminders may be sent
• All messages will include as a footnote:
  This message is being sent on behalf of your employer [NAME] by SurveyHost.com, an independent web survey hosting service. If this message is being sent in error please contact e-mails@surveyhost.com with the address of the survey."

For surveys of customers or other mailing lists (your own, not purchased):

• E-mail invitations may be sent (one-time mailings only)
• Lists must be "opt-in" only: respondent must have explicitly requested to receive this type of notice. "Opt-out" lists where they have to uncheck a box, or lists compiled with emails given as part of placing an order, do not meet this requirement.
• All messages will include as a footnote:
  This is a one-time noncommercial mailing being sent on behalf of [COMPANY] based on interest you have expressed in their products or services. If you would like to be removed from their list please contact [CLIENT CONTACT], or if this message is being sent in error please contact e-mails@surveyhost.com with the address of the survey."

SurveyHost will not send mailings to purchased or "third-party" lists.

Returned Messages and Inquiries:

It is very common for mailing lists to have a wide range in the number of invalid addresses (from 2% to over 20%), so bounce processing is done at our hourly rates. This can be as a simple forwarding of the problem messages, or a compiled list and re-sending to corrected addresses. Correction or removal of invalid addresses is required for SurveyHost to send reminder messages.

Respondent inquiries about the survey are routinely forwarded to a contact you specify.

Emails and Spam

This page offers some information on emailing for your reference, if you are sending your own email invitations to your survey. If SurveyHost is sending email invitations for you, please see the SurveyHost Acceptable Uses Policy for details on mailing lists.

Just because it's a survey invitation doesn't mean it isn't Spam.

Yes, you have the best intentions and may even be giving away a prize, but at this point Internet users have been so deluged with junk e-mail that anything which has not been explicitly requested may be considered Spam and therefore objectionable.

At the moment all bulk messages are seen in similar lights, so the effects of sending unsolicited messages can include:

• Termination of your ISP account for violation of your service provider's Acceptable Uses Policy
• Association of your e-mail address/domain as a spammer, which can result in blockage of inbound messages by ISPs
• Negative sentiment toward yourself and/or client
• Lawsuits for violating anti-spam laws (Washington State has one in place, and more are coming)

Safe lists are your own employee lists and opt-in or opt-out lists (make sure you trust your vendor though). Opt-in means the people in the database have requested to be on the list, while opt-out lists consist of people who were given the opportunity to mark a "no contact" box but didn't. It is also critical to have a removal mechanism if you do repeat mailings.

Organizations promoting ethical e-mailing (or just anti-Spam)

Several of the sites below are valuable resources for monitoring legislation, and also provide a useful look into the anti-Spam perspective. See also SurveyHost's Acceptable Uses Policy if you are planning on having us e-mail your invitations.

• Coalition Against Unsolicited Commercial Email
  http://www.cauce.org/
• JunkBusters
  http://www.junkbusters.com/
• Fight Spam on the Internet
  http://spam.abuse.net/
• SpamCop
  http://spamcop.net/
• Washington State UCE Legislation
  http://www.wa.gov/ago/junkemail/

Privacy Issues

Internet privacy is a cultural and legal minefield which is continuing to evolve, so it is critical to keep an eye on developments. Privacy issues deal with "individually identifiable information" such as name, address, telephone, and e-mail address, as well as peripheral information if it is linked to individually identifiable data.

View the Apian/Surveyhost privacy policy

Fueling Concerns

One of the biggest culprits is Spam. Because of the proliferation of unsolicited commercial e-mails, people are hesitant to reveal contact information to anyone they don't trust.

There are also regular flare-ups of public concern about security, largely fueled by a lack of knowledge about what can and cannot be collected without ones knowledge.

Laws in Effect

In the United States, the Children's Online Privacy Protection Act (COPPA) went into effect on April 20, 2000. This law is designed to protect the safety of children under 13, as well as to insulate them from aggressive marketing efforts. While it is still legal to collect individually identifiable information from children, the law requires explicit parental consent in advance, and that consent may be withdrawn at any time. Complete information on the law is available at the FTC Web site www.ftc.gov, and includes an excellent document on compliance.

In Europe, they passed a European Union Data Protection law several years ago which addresses the collection, transfer and storage of data from EU citizens. Detailed information is available at the EU's official site http://ec.europa.eu/justice_home/fsj/privacy/. Differences in US and EU approaches to privacy policies led to the "safe harbor" framework, which assures EU organizations that your company's practices comply with their requirements. More information is available at http://www.export.gov/safeharbor/

Privacy Policies

A privacy policy is simply a legal statement of what you plan to do with the information you’re collecting. If you’re not sure about your policies then don’t write a statement--you’re better off making no promises than with broken ones which provide a nice basis for a lawsuit against you. Here's a rough checklist for a policy, but anything you post should really be run past your lawyer.

How are you using the data?

• Is the data for an absolute one-time use for the exact purpose stated in the questionnaire?
• Might you yourself use the data for another purpose at a later time? (for example, data collected from one survey used to invite respondents to another study)
• Are you an intermediary for a client?
• Would you ever trade, sell, or give the list to a third party?

Sections to include:

• How problems will be remedied
• All the data being collected (including hidden fields, cookies and server logs)
• How data will be used (with any relevant rights reserved)
• If data is being passed to a client, what is being passed, their policy, and your limitations

Government Sites for Privacy Legislation

Europe

http://ec.europa.eu/justice_home/fsj/privacy/
European Union's official Web site, including information on EU legislation.

US Federal Trade Commission

Federal Trade Commission
United States' consumer protection branch, and the best source for information on children's privacy legislation.

Private Organizations for Information, News, or Membership

Center for Democracy and Technology

http://www.cdt.org/

Electronic Privacy Information Center

http://www.epic.org/

Privacy.org

http://privacy.org

PrivacyExchange

http://www.privacyexchange.org

TRUSTe

http://www.truste.org