The data security checklist for evaluating SaaS vendors


Whether you’re evaluating a survey platform, a CRM, a data analytics tool, or any SaaS product that touches sensitive information, every vendor should be able to answer the following questions. Use this checklist as you navigate the buying process.  

1. End-to-end data encryption  

Encryption is table stakes — but the details matter. Some vendors encrypt in transit but leave data at rest unprotected. Others require you to opt into encryption or pay for a higher tier to get it. Default, end-to-end encryption should be a baseline requirement, not an upsell. 

What to ask: Is data encrypted both at rest and in transit? Is data encrypted by default, or does it require configuration? 

Alchemer’s Answer: By default, Alchemer encrypts data at rest and in transit for all customers — no configuration required and no higher tier needed — to protect data from unauthorized disclosure. 

2. Data residency and isolation 

If your organization operates under GDPR, CCPA, or other regional data privacy laws, you need to know exactly where your data lives. A vendor who can’t tell you which region your data is stored in — or won’t let you choose — is a compliance risk waiting to happen. Push for clear answers on data residency and multi-tenant isolation. 

What to ask: Where is my data stored? Can I choose the region?  

Alchemer’s Answer: Alchemer provides regional data isolation for privacy. Customers select the region where they want to store and manage their data. Alchemer currently offers data centers in the US, Canada, and EU, and has expanded to Australia to support APAC organizations with local storage that meets data sovereignty requirements. 

3. Identity and access management 

Weak access controls are one of the most common entry points for breaches. Your vendor should support single sign-on (SSO) via SAML 2.0 or similar standards, multi-factor authentication (MFA), and granular role-based access control (RBAC). If they don’t integrate with your existing identity infrastructure, that’s a red flag. 

What to ask: Do you support SSO, MFA, and role-based access control? Can we integrate with our existing identity provider? 

Alchemer’s Answer: Alchemer supports single sign-on (SSO) using SAML 2.0, multi-factor authentication (MFA), and role-based access control (RBAC), making it straightforward to manage account access and integrate with your existing identity provider.

4. Data retention and deletion policies  

Your vendor should make it simple to manage, retain, transfer, and delete your data directly within the platform — no hoops, no support tickets required. The right vendor puts those controls in your hands and won’t access your data without your explicit request and permission. 

What to ask: Who controls data retention? Can we delete our data on demand? 

Alchemer’s Answer: Customers manage, maintain, retain, transfer, and delete their own data directly within their Alchemer accounts. Alchemer will not access your data without your explicit request and permission. 

5. API security and integration controls  

If you’re integrating the new platform into your broader tech stack — and you probably will be — the API is a potential attack surface. A secure API should use modern authentication standards (OAuth 2.0, API keys with scoping), support granular permission controls, and be thoroughly documented so your team knows exactly what access is being granted. 

What to ask: Do you offer a secure API? What authentication and permission controls does it support? 

Alchemer’s Answer: Alchemer’s Open REST API allows for easy and secure integration into business processes and systems, with management of account access permissions and controls built in. 

6. Regulatory compliance support  

A vendor’s compliance certifications tell you a lot about how seriously they take security. Look for ISO 27001 certification, SOC 2 Type II reports, and specific support for any regulations your industry requires — HIPAA for healthcare, FERPA for education, GDPR for anyone handling EU resident data. 

What to ask: What compliance frameworks do you support? Can you help us meet HIPAA, FERPA, GDPR, SOC 2, or other requirements relevant to our industry? 

Alchemer’s Answer: Alchemer is ISO 27001 certified and supports HIPAA and FERPA compliance. Customers can create HIPAA- and FERPA-compliant surveys by following Alchemer’s guidelines to enable the appropriate security settings within their accounts. 

7. Account management and permissioning  

The best platforms put account management directly in your hands. You should be able to add and remove users, assign roles, and adjust permissions quickly and without friction — all from within the platform itself. Granular permissioning ensures the right people have access to the right data, and nothing more. If managing your own account requires a support request or a vendor-side change, that’s a gap worth flagging. 

What to ask: How easy is it to manage users, roles, and permissions within the platform? Can we control access at a granular level without needing to involve the vendor? 

Alchemer’s Answer: Alchemer gives customers full control over user management directly within the platform. Role-based access control (RBAC) allows you to assign and adjust permissions at a granular level — no vendor involvement required. 

8. Proactive security monitoring  

Reactive security isn’t enough. Ask vendors how they monitor their systems, how quickly they detect anomalies, and — critically — how they notify customers when something goes wrong. A vendor with a 24/7 Security Operations Center (SOC) and a clear incident response plan is in a very different category from one that relies on automated alerts alone. 

What to ask: How do you monitor for threats? Do you have a SOC? How are incidents detected and communicated to customers? 

Alchemer’s Answer: Alchemer proactively protects customer accounts through system monitoring, scanning, logging, and alerting with a 24/7 in-house Security Operations Center (SOC). Accounts are further protected with proactive anti-phishing measures to detect suspicious activity and compromised surveys. 

How does Alchemer stack up?  

Run every vendor through this list. Ask for documentation. Request a security whitepaper. Work with the vendor’s security team directly.  

If you’re evaluating a platform to collect customer or employee feedback, Alchemer is built to check every box on this list. 

Alchemer is a security-focused company that proactively protects customer accounts and data at every level — with end-to-end encryption by default, regional data residency and isolation, SSO, MFA, RBAC, and a 24/7 in-house Security Operations Center. Customers have full control over their own data retention and deletion, and the platform is backed by ISO 27001 certification with support for HIPAA and FERPA compliance. 

View Alchemer’s Security webpage to see how Alchemer protects your customer and employee data.  
