Security and privacy are our number one priority.
Our policies are below. If you need more information, please get in touch.
Maybe you like the idea of Customer Thermometer but want to make sure we know what we’re doing behind the scenes? You’ve come to the right place.
Like many Software as a Service vendors, the Customer Thermometer application runs on dedicated UK servers. Other than IP address resolution, this is the only place where any uniquely identifiable customer data is stored or processed outside of our credit card processing.
Our datacenter is ISO 27001 and ISO 9001 accredited.
Firewalls on all servers are set to default-deny. The only services that are allowed are SSH (via a non-standard port) and HTTP/HTTPS (web servers only).
Database connections are only accepted from other Customer Thermometer servers on the internal network.
All communication with servers (outside of public HTTP/HTTPS access) is over encrypted secure shell (SSH) and only between a handful of whitelisted IP addresses.
Data encryption in transit
The Customer Thermometer web application runs over Transport Layer Security (TLS).
Transport Layer Security is a protocol that ensures privacy between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message.
TLS is the successor to Secure Sockets Layer (SSL) and protects against the likes of The Heartbleed Bug.
Our implementation of TLS has been independently reviewed and awarded an A-grade. This screenshot was taken in January 2020. You can see this review by doing a live test at SSL Labs here.
What about the Heartbleed and Logjam vulnerabilities?
Both of these have been addressed. You can confirm this with our Qualys SSL report.
Secure password storage
All user passwords are hashed and salted.
Encrypted application pages
User access to your Customer Thermometer account is always via a secure HTTPS connection.
A secure API
Reporting data can only be accessed remotely using your API string, and only over HTTPS.
Storage and usage of your respondents’ data
Survey data is owned by the account holder. Not only that, but Customer Thermometer treats your Thermometers, Lists, Blasts and results privately. We do not sell them to anyone and we do not use the survey responses you collect for our own purposes, unless you’ve made your survey responses public (via our real time reporting widgets) and given us permission to cite them.
We safeguard respondents’ email addresses. In many cases, Customer Thermometer works by sending surveys via email. In order to do this, account holders upload lists of email addresses for intended recipients. In this instance, Customer Thermometer acts solely as a custodian of the email data. We do not sell these email addresses and we use them only as directed by you and in accordance with this policy.
Data collected through Thermometer surveys is owned solely by the Thermometer sender. By default, the data is only accessible by providing a username and password and logging into the application. Customer Thermometer will never access this data (unless authorised) or use any of the data collected.
We keep your data secure. Customer Thermometer is committed to protecting the security of your data. We use a variety of security technologies and procedures to help protect your personal information from unauthorised access, use or disclosure. For example, we store the personal information you provide on computer servers with limited access that are located in controlled facilities.
Customer Thermometer will never share any customer contact data uploaded to the Customer Thermometer application with third parties.
Customer Thermometer staff will never access any customer contact data uploaded to the Customer Thermometer application, unless specifically authorised to do so by the account holder. Even then, strict controls are in place to ensure security and integrity.
Survey data is stored on dedicated servers, located in the UK.
Domain Name Service (DNS): Our DNS is managed by the fastest, most reliable DNS network in the world. They currently offer DNS services to approximately 600,000 domains on the Internet and handle 5 billion requests each day.
Application redundancy: standby servers, ready for failover in the event of hardware failure of our live database or application servers.
Secure remote offsite database backup every hour.
Our system status page is kept updated with releases and outages. Our last unplanned (partial) outage was 5 October 2015.
GDPR and Data protection
PCI compliance & Credit card processing
Our credit card processors, Recurly & Stripe, are certified to PCI Service Provider Level 1. This is the most stringent level of certification available.
Customer Thermometer does not hold credit card numbers or billing information on its servers. Our staff do not have access to credit card numbers.