SurveyGizmo HIPAA and Safe Harbor Certifications
Alchemer strives to maintain the highest level of data security for our customers. Recent changes to international data transfer laws have led to an update to this page on October 6, 2015.
Updates to Safe Harbor Agreement
On October 6, 2015 the European Court of Justice officially ruled that the Safe Harbor agreement was invalid, meaning companies can no longer use its guidelines to legally transfer data from the European Union to the United States.
Basically this ruling opens the door for EU regulators to override the 15-year-old pact on the grounds that it violates Europeans’ privacy rights “by exposing them to allegedly indiscriminate surveillance by the U.S. government,” according to the Wall Street Journal.
While there are alternative ways to legally transfer data under EU law, they are far more cumbersome and time consuming because regulators must often approve them in advance.
Like all other technology companies in the business of data storage and transfer, Alchemer can no longer transfer data from the EU to the US using Safe Harbor policies.
However, our recent opening of a data storage center in Frankfurt, Germany allows us to store data within the EU, eliminating many of the concerns about data privacy that underpinned the Safe Harbor debate in the first place.
New Alchemer customers interested in keeping their data on a Europe-based server can choose this option during the sign-up process. Existing customers will need to export their surveys and data, open a Alchemer EU account at www.surveygizmo.eu, and migrate the necessary surveys and data into the newly created account.
Still curious? Our support team can answer specific questions via email: email@example.com
In addition to compliance with data privacy laws, we work closely with our customers to comply with HIPAA (Health Insurance Portability and Accountability Act) for our US-based customers.
We have features that allow customers to meet these guidelines, but it’s up to those creating surveys and collecting data to make sure they are using those features correctly.
Please note that if you are transmitting or storing personal health information, or if HIPAA applies to you in any other way, you are obligated to notify us and engage in our HIPAA compliance procedures.
These include signing a business associate agreement with us and ensuring that your account tier includes HIPAA-compliant features such as SSL links.
For more details about which plan types offer SSL links and other HIPAA-compliant features, please see our plans and pricing page.
Data Destruction & Privacy Configuration
Sometimes users have specific data destruction needs, and it’s our goal to offer that option where appropriate.
In many cases, when data is deleted in Alchemer it’s retired and locked away rather than actually destroyed. In most cases this makes the loss retrievable in the event of a mistake (we can’t tell you how many times we’ve had calls that start with “Oh my god, I accidentally…”).
We can, however, comply with a request for total data destruction; you just need to let us know.
Also, in an effort to provide our customers with valuable information, we record a lot of tracking information such as IP address, which can be considered personally identifiable information. If your needs require a custom configuration because of privacy concerns unique to your situation, let us know and we’ll see what we can do.