Contents
01 Data compliance: Where do you start? 02 What are your responsibilities if you use Typeform? 03 How we handle compliance and data security at Typeform04 Data compliance is part of the customer experienceImagine meeting someone amazing. A real meet-cute situation: eyes lock across a crowded room, an instant connection, the whole shebang. They ask for your number, and you do the awkward, “I’ll text you so you have it” thing.
You’re hopeful. You’re energized. You knew it was worth coming out tonight. You’re mentally picking out your outfit for that date, thinking about which restaurant sounds best.
Then they say, “OK, great. I’ll send your number over to my friend as well. You know, just in case things don’t work out with us.”
Wait…what?
Latest posts on Tips
Too often, that’s what companies do with our data. Sometimes they share our data deliberately, but often it’s done out of ignorance of what’s legally ok and what’s not.
This is specifically important when setting up and running surveys.
Every time you collect customer responses you risk violating data regulations, which could result in scary fines or damage to your brand. This isn’t just an issue for big businesses either. While those multi-million dollar fines are the ones that hit the headlines, small businesses must also comply with data regulations—or face fines that really do some damage.
So far, so stressful, right? But the good news is that this doesn’t have to be complicated. With just a little forethought, you can gather data while staying on the right side of regulations and keeping your customers’ trust.
Data compliance: Where do you start?
Your business is subject to data privacy regulations if you’re collecting any kind of data. Here are five simple steps to keep you compliant.
1. Know which frameworks and guidelines apply
This can be confusing because there's a lot of overlap between the different regulations. As a general rule of thumb, though—when in doubt, do more. Here’s a quick breakdown of the regulations most likely to affect your survey data:
GDPR
What it is
You’ve probably heard of this one, but just in case: The General Data Protection Regulation is a European Union regulation designed to improve European citizens' data security and privacy.
What it specifies
Companies must obtain informed consent when collecting personal data.
People have the right to access and update their personal data or request that companies delete it.
Organizations must implement appropriate security measures to safeguard personal data.
See how we apply GDPR at Typeform on our website.
Who it applies to
GDPR is a European regulation, so it applies to you if your business is based in Europe or if you collect any data from European citizens.
What it means for your surveys
While the EU offers extensive resources for you to check your GDPR Compliance, here’s a handy checklist if you want an abbreviated version:
Check if you have a reasonable legal basis for processing personal data.
(In terms of surveys, this usually means you have the person’s consent. Make sure you ask for their consent before gathering their personal data. Giving consent must be opt-in, not opt-out—meaning the default option is collecting no personal data.)
Only collect personal data relevant and necessary for the specific purpose of your survey.
Explain to your respondents exactly how and why you’ll be using their personal data, and ensure you don’t accidentally use it in any other ways.
Store and process personal data securely.
Keep respondents’ personal data accurate and up to date.
Delete individuals’ personal data when you no longer need it.
Reminder: Following these steps is a good start, but there’s a bit more to it. We strongly recommend that you review the EU guidelines for more detail.
ISO 27001 (and 27701)
What it is
ISO 27001 is an international standard that certifies whether or not your company manages information securely. GDPR doesn’t have a certifying body, so if you want to prove your company is doing data compliance right, this is the certificate you need.
There’s also ISO 27701, which is an add-on to ISO 27001. Where ISO 27001 focuses on data security, 27701 is all about data privacy.
What it specifies
To get ISO 27001 certification, you’ll need to prove you have:
Systematically examined your company’s information security risks
Put together a comprehensive suite of information security controls
Created a data management process to ensure you’ll continue to comply with these security controls over time
Who it applies to
This standard applies to anyone who wants to prove they follow rigorous data security standards.
What it means for your surveys
If you want to reassure respondents that their data is safe, accessible, and compliant with international data security standards, you might want to consider getting both ISO 27001 and 27701 certifications. (We did! The documentation to prove it can be found here on request.)
CCPA
What it is
The CCPA is California’s answer to GDPR. It isn’t relevant to every company, but if there’s a chance you might survey anyone in California, you need to know about it.
What it specifies
The CCPA gives Californians:
The right to know what personal information companies are collecting about them and what'll happen with their data
The right to delete that information
The right to opt out of the sale or sharing of their data
The right to correct their data if it’s wrong
The right to limit how companies use their data
Who it applies to
Unlike GDPR, which applies to all companies that work with data from the EU, regardless of where they’re based, the CCPA only applies to for-profit companies that do business in California and fit one or more of the following characteristics:
Have a gross annual revenue of over $25 million
Buy, sell, or share the personal information of 100,000 or more California residents, households, or devices
Derive 50% or more of their annual revenue from selling California residents’ personal information
What it means for your surveys
If you’re surveying less than 100,000 California residents (or earning less than $25 million), you’re in the clear. However, we’d urge you to err on the side of caution by making sure that you:
Always default to ‘opt out’
Tell your survey respondents why and how you’re collecting their data
Store that data securely and delete it promptly after you analyze it
HIPAA
What it is
HIPAA is the gold standard for medical data compliance in the US.
What it specifies
HIPAA is pretty complex, but its main terms are fairly straightforward:
The Privacy Rule: Companies must keep medical data private and allow people to access and update their protected health information.
The Security Rule: Organizations that store medical data electronically must take the appropriate precautions to secure it.
The Breach Notification: If your company’s data gets hacked, lost, or stolen, you must immediately notify the people involved, the HIPAA Secretary, and on some occasions, the media.
Who it applies to
If you’re in the healthcare sector (or you’re a contractor for a company in the healthcare sector) and deal with medical information from US citizens, then HIPAA applies to you. The term used for a company subject to HIPAA is a “covered entity.” There’s a handy tool on the Centers for Medicare & Medicaid Services website to help you understand if your business is a covered entity that must comply with HIPAA.
HIPAA applies to the medical data of US citizens, meaning that if your company processes medical information about even one US citizen, HIPAA applies, no matter where you’re based (or where said citizen lives).
What it means for your surveys
If you ask for medical information, tread carefully. Ensure all data is anonymized and stored securely. Consider where you analyze your survey data, who has access, and how to protect confidential information. Shameless plug: Typeform can help—our forms are HIPAA compliant.
If you’re working with any kind of medical info, you might need to sign a Business Associate Agreement (BAA) for Typeform to process your data even if you aren’t a medical entity. Not to worry—Typeform’s data-protection standards are HIPAA compliant, and we currently provide a BAA for customers on our Enterprise plan.
If this is all feeling a little overwhelming, you’re not alone. According to the 2023 IT Benchmark Report from compliance software firm Hyperproof, 51% of compliance professionals say they struggle to identify their company’s critical risks. The compliance issues affecting your company depend on your location, industry, and how you want to handle data.
TL;DR? Ask for permission, don’t ask for more data than you need, and seek professional compliance advice if you’re in any doubt whatsoever.
2. Centralize all of your data privacy policies
So, you’ve considered the regulations that might affect your survey data. However, handling data correctly isn’t enough—you’ll also need to communicate your policies clearly.
A word of caution: Avoid scattering different disclaimers around your website. It’s way too hard to keep track of them all. Instead, publish a centralized privacy policy you can easily maintain and update as data regulations change.
At Typeform, we use a typeform (we know, total surprise) to create an easy-to-navigate, central policy hub to communicate all of our policies around data security with our users and customers.
Quick tip: Avoid using legal jargon in your privacy policy. Keep it simple so you don’t frustrate customers or employees. Then, offer a legal version if needed—that’s what we do.
3. Be transparent
It’s a lose-lose situation if you’re secretive about how you use survey data. The common sense rule? Don’t do anything with data that you’d be embarrassed to tell other people. We all understand that companies need user data to run their businesses—we just don’t like feeling exploited.
Be upfront with your customers and survey respondents. At a minimum, you must let them know:
How you’re going to store their data so it’s secure
Exactly what you’re going to do with their answers
How they can modify or delete their data
Here’s an example from our privacy policy, where we explain what we do with the personal data we collect when somebody signs up for Typeform:
What are you doing with all the data, and why do you do it?
Fulfilling our end of the deal so that you can use our service
Sending you emails or other communications
Using your browsing behavior on our sites (see cookie policy) for profiling purposes. This lets us send you better ads or personalized content.
Signing you in from third parties (social media platforms, etc.)
Complementing data we have from third parties (requires individual opt-ins) to send you better ads or personalized content
Investigating things to prevent fraud, spam, phishing, and other no-no activities
Dissociating you (the person) from you (the profile) to analyze user trends and get better at what we do
Keeping our business operations running
4. Less is more
Collect the minimum amount of data you need for your surveys. If in doubt, leave it out! Do you really need their addresses? Do you even need their last names? Don’t collect data because it might be useful later. Only collect the information you need to answer the business questions you’re tackling with each specific survey.
5. Get legal help
As you might have noticed, compliance is a little tricky—and getting it wrong can be expensive and damaging. If you regularly send out surveys and work with customer data, consider hiring a compliance consultant or creating an in-house compliance department. Regulatory frameworks change too fast to keep up, and new standards arise all the time. Investing in compliance expertise is a great way to prevent painful mistakes down the road.
What are your responsibilities if you use Typeform?
If you send out a survey or form using Typeform, you are responsible for the data you collect. You choose who you send the form to and what you ask them.
That means that you need to:
Obtain informed consent from your respondents
Ensure that your respondents know about our Terms of Service and Privacy Policy
Store the data you collect responsibly
Let your respondents know what type of data you will collect from them (email address, name, etc.)
Tell them how you will use the data once you have it
Give them a way to get in contact with you if they’d like to ask questions, modify their data, or delete it
Delete any data promptly if your respondents ask
To obtain informed consent, try:
Using a Statement question field before you dive into the questions to inform your respondents about how you’ll use their info
Adding a Legal question field to let people explicitly agree or disagree with how you’ll store and use their data
Including information on your Welcome Screen about how you’ll process the data
Also, if you’re sending your typeform via email, use your email copy to clarify how you’ll use the data—and make it clear that they’re agreeing to these terms if they complete the embedded survey.
Curious about what we do with our own customer and survey data? Here’s the full answer.
How we handle compliance and data security at Typeform
Why we value security
As you can tell, we take data compliance very seriously here at Typeform. Your data’s confidentiality, integrity, and availability are critical.
To make sure we comply with the toughest regulatory requirements, including those affecting global multinationals, we’ve been audited and certified for the following compliance regulations:
ISO 27001
ISO 27701
SCO2
GDPR
HIPAA
PCI
OWASP
NIST
FIPS
Our policies and dedication to transparency
If you want to get into the details, you can find a full list of our data security and privacy policies here (both in legal jargon and plain English).
In broad strokes:
1. When you use a typeform, the data you collect is yours.
We don’t peek. We also don’t share it with third parties, with two exceptions:
Amazon Web Services (AWS), our infrastructure provider, stores and manages our data
Cloudflare, our Content Delivery Network or CDN, allows us to provide our service faster, better, and more securely by helping us cache content, prevent abuse, and provide DNS service and traffic management.
Note: All our data is encrypted in transit and at rest, so not even our providers can access it.
2. We handle our customer data with care.
When you give us your data, we’re careful about what we do with it.
We prevent third-party access to your information by encrypting your data in transit (end-to-end, including within the virtual private cloud at AWS) using secure Transport Layer Security (TLS) cryptographic protocols (TLS 1.2). We use Advanced Encryption Standard (AES) with a 256-bit key to encrypt data at rest, including the backups of the information. (Read more about security here.)
All Typeform employees adhere to strict confidentiality agreements.
3. We’re compliant with all the major data security regulations.
4. We have a data security culture.
To ensure we practice what we preach, we’ve created a comprehensive set of information security policies following the ISO 27001 standard. This guides our employees and contractors in making the right security decisions.
Examples include our:
Robust password policy
Policies on data protection and classification of information
Emphasis on security in communications
Continuity and contingency plans
Acceptable use policy on workstations and mobile devices
Strict backup policy
We also have non-disclosure agreements (NDAs) with all employees and contractors, and run regular security awareness training courses within the company.
Data compliance is part of the customer experience
Today’s customers have come to demand an outstanding experience—and that includes treating their confidential information with the utmost respect. Nothing will ruin the trust you’ve built with your customers faster than being careless with their data.
That’s why we’ve made Typeform so mindful of security and compliance. If you use our forms, you can rest easy—your customers’ data is safe. You can trust our surveys for collecting healthcare data, financial transactions, and everything in between.
Want to know more about survey compliance? Here’s your next stop: Enjoy this full guide about how we do security at Typeform.