Find the best survey software for you!
(Along with a checklist to compare platforms)
Take a peek at our powerful survey features to design surveys that scale discoveries.
Explore Voxco
Need to map Voxco’s features & offerings? We can help!
Find the best customer experience platform
Uncover customer pain points, analyze feedback and run successful CX programs with the best CX platform for your team.
We’ve been avid users of the Voxco platform now for over 20 years. It gives us the flexibility to routinely enhance our survey toolkit and provides our clients with a more robust dataset and story to tell their clients.
Steve Male
VP Innovation & Strategic Partnerships, The Logit Group
Explore Regional Offices
Find the best survey software for you!
(Along with a checklist to compare platforms)
Take a peek at our powerful survey features to design surveys that scale discoveries.
Explore Voxco
Need to map Voxco’s features & offerings? We can help!
Find the best customer experience platform
Uncover customer pain points, analyze feedback and run successful CX programs with the best CX platform for your team.
We’ve been avid users of the Voxco platform now for over 20 years. It gives us the flexibility to routinely enhance our survey toolkit and provides our clients with a more robust dataset and story to tell their clients.
Steve Male
VP Innovation & Strategic Partnerships, The Logit Group
Explore Regional Offices
Find the best survey software for you!
(Along with a checklist to compare platforms)
Take a peek at our powerful survey features to design surveys that scale discoveries.
Explore Voxco
Need to map Voxco’s features & offerings? We can help!
Find the best customer experience platform
Uncover customer pain points, analyze feedback and run successful CX programs with the best CX platform for your team.
We’ve been avid users of the Voxco platform now for over 20 years. It gives us the flexibility to routinely enhance our survey toolkit and provides our clients with a more robust dataset and story to tell their clients.
Steve Male
VP Innovation & Strategic Partnerships, The Logit Group
Explore Regional Offices
Voxco is committed to protecting and respecting your privacy. When you visit our website, use our products and services, or interact with Voxco, we may collect and process information about you (‘personal data’). Our goal is to provide a secure environment while also being mindful of application performance and the overall user experience.
Voxco clients use our software to gather survey answers from individuals. Our team takes additional proactive measures to ensure a secure infrastructure environment.
All of our products are provided through a self-service platform, whereby our clients decide what data to collect, how to manage the data, and which of their system users should have access to it.
In this regard, our clients, who own and control the data they collect, are the Data Controllers. At the same time, Voxco is the Data Processor (we only process personal data based on direct and specific instructions from our clients).
If you participated in a web or mobile survey from one of our clients, the survey footer might state ‘powered by Voxco,’ and the data may be hosted on a Voxco-provided server environment.
Please note that regardless of those aspects, the Voxco client is solely responsible for all decisions regarding any personal data they collect about or from you in the survey. For information on how a Voxco client intends to use your data (and to see their privacy policy), please contact the Voxco client from whom you received the survey invitation.
Furthermore, Voxco may aggregate and/or compile anonymous data for statistical purposes. This information could be collected from forms on our website or clients’ websites.
Voxco Insights complies with General Data Protection Regulation (GDPR), and our survey software users can create and send GDPR-compliant data collection surveys. To aid this process, we have established a sophisticated process to ensure all data being collected using our platform is fully GDPR compliant, including data portability, data protection, consent, and other compliance features.
Voxco Insights has received the Service Organization Controls (SOC 2) audit certification. Our platform has undergone periodic SOC 2 audits and is monitored for unauthorized access and service availability twenty-four hours a day.
The audits are conducted by an independent accounting firm and thus signify that the data center security and operational procedures have been reviewed and tested by third-party. It validates that the controls and processes have been designed appropriately and are operating effectively, in addition to protecting and safeguarding customer’s equipment and data.
This document defines the procedures & internal controls related to Voxco’s platform. The system components required to support the Survey platform services include infrastructure, software, people, procedures, and data described as follows:
Voxco leverages several hosting providers to manage the infrastructure. These include:
Microsoft Azure- Europe
RapidScale- United States, IBM- Canada, NTT (data dimension)- Asia Pacific
Voxco leverages world-class third-party applications, services, and platforms to support its secure development and delivery of services:
Voxco staff in the following key functional areas support the scope of services and controls described in this report:
Board of Directors: A board charter outlines the roles and responsibilities of the board.
With independent members with diverse expertise and significant industry experience, the board has the independence and expertise required to provide its oversight of risk and internal controls and steer the organization toward a sustainable future through sound governance. The board of directors meets quarterly.
R&D, customer services, IT, and security: responsible for the development and the day-to-day operations and security of Voxco’s Survey Platform and services, including changes in accordance with Voxco’s change management policy and appropriate communications with customers.
Voxco has an acting CISO responsible for overseeing, implementing, maintaining, communicating, and assessing security policies, standards, and controls.
The acting CISO works with a cross-functional Voxco team and external security resources.
Voxco maintains a set of information security policies that detail logical access, change management, incident management, vulnerability and endpoint security, risk management, data communication standards, and expectations of employees. Employees must acknowledge their understanding and adherence to the employee manual code of conduct and applicable policies upon hiring and as required thereafter.
Customer data is managed, processed, and stored in accordance with applicable data protection regulations and any specific requirements established in customer contracts. To protect data processed within its platform, Voxco restricts access rights for granting access to the production environment to authorized IT and customer service personnel only and uses encrypted storage and communication channels/protocols to authenticate the application over the Internet. Data processed may include:
Voxco has designed its policies and processes to provide a secure environment for its systems and for the data that is processed, in line with its objectives and based on commitments to customers, laws, and regulations. On any operational requirements, Voxco has established its services. These commitments may include service levels related to system uptime and issue response and resolution times.
As applicable, Voxco’s service and security commitments are documented and communicated in agreements with customers or other material (e.g., via terms of service, master agreements, service level agreements, data processing agreements, and training/reference material, as the case may be).
Internal controls are in place to support Voxco’s service and security commitments. These may include but are not limited to the following:
The control environment elements at Voxco lay the foundation for the specific control activities.
Elements of the control environment include integrity and ethical values, management’s commitment to competence, and oversight. providing direction. and supporting relevant HR policies and practices.
Integrity and ethical values are essential elements of Voxco’s control environment affecting the design, administration, and monitoring of other components. Voxco has the following controls in place to incorporate ethical values throughout the organization:
Voxco has established the following controls to incorporate its commitment to competence throughout the organization:
Voxco has established the following controls to reflect its operating philosophy throughout the
organization:
Voxco has established HR practices regarding employee hiring, orientation, training, evaluation, counseling, promotion, compensation, and discipline. Voxco has established the following controls to ensure policies and procedures are adequately communicated throughout the organization:
Voxco leverages various communication methods and approaches to ensure the right information is shared with the right internal and external stakeholders as appropriate, consistently, and in a timely manner. Among them:
Voxco maintains a cross-functional risk management approach to assess and manage risks that could affect the organization’s ability to provide security services to its customers (user entities).
The process includes considering the inventory of system components, related risks, management’s risk thresholds, and associated mitigation plans. Risk mitigation strategies can include prevention and detection through the implementation of internal controls and the transference through appropriate insurance policies (i.e., Voxco holds cyber insurance).
While risks may be registered or updated at any time and risk reviews are conducted quarterly, a risk assessment is conducted annually. Some examples of internal or external risks considered include:
A security policy is also maintained and available to staff. to ensure that team members understand their role and responsibility in reducing the risk of compromise and exercising appropriate security measures to protect systems and data.
Voxco uses various tools, reports, and processes to monitor the production environment systems. The team reviews alerts and reports and will record/resolve exceptions to normal processing activities as required. An annual internal assessment of the appropriateness and effectiveness of controls in mitigating the risks assessed.
In addition, penetration tests are conducted annually, with results documented and findings reviewed and actioned as required for correction.
Voxco has deployed system protection and monitoring tools to alert designated personnel when certain metric thresholds are met. Corrective actions may be initiated through meetings, calls, and other communication channels. Issues noted that require changes to be made to the production platform are tracked via Voxco’s ticketing system and adhere to the change management policy until deployment and resolution.
Management’s close involvement in Voxco’s day-to-day operations helps identify significant variances from expectations regarding internal control activities, and Management reviews incident reports on a periodic basis.
Decisions for addressing any identified deficiencies are made based on whether the incident was Isolated or required a change with respect to tools, procedures, or personnel. In addition, any new applicable laws and regulations and related impacts are reported to management for review and action if required. The Management Committee identifies and evaluates new partnership relationships.
An internal ticket tracking tool documents and tracks issues and incidents identified through monitoring. Corrective actions, if necessary, are documented and tracked within the internal tracking tool.
Voxco has defined a policy that addresses incidents’ management and resolution.
There are no production servers or systems on the premise to support the Survey Platform or service. All infrastructure and software that support platform operations are in the cloud, hosted at various cloud service providers (depending on the geography served). The offices hold no critical systems or data related to the Survey Platform, and the office networks have no special privileges to any Survey Platform systems or services (e.g., no IP whitelisting, etc.).
In any case, Voxco offices are only accessible via key card access. The facility also has cameras installed throughout.
Users of the system or application must be identified and authenticated before using system resources. Employee access to the production environment is controlled by privileges assigned to their user, role, or group. Passwords must conform to Voxco’s password and authentication policy and are enforced through group policies where applicable.
Remote access to the production environment is tightly restricted to authorized personnel only. Access to the production systems is via a VPN and requires two-factor authentication (2FA), a user ID, and a strong password.
Onboarding and offboarding procedures related to access are implemented to ensure new employees receive only the accesses they require to perform their functions and to ensure that departed employees’ access is revoked without undue delay.
Beyond these onboarding and offboarding procedures, annual user access reviews are conducted to assess the appropriateness of the system access and permission levels and, when necessary, make corrections or modifications based on the principle of least privilege.
Endpoint security software and firewalls protect servers, laptops, workstations, and the network. Storage on laptops and workstations that access production is also encrypted. Installing applications on systems is restricted to change implementation and system administration personnel.
Voxco’s policies prohibit any transmission of sensitive data unless the data is encrypted. Only required services are exposed to the internet.
The corporate network is separate from the development and production networks. Firewalls are enabled, and access is through connections secured via SSL/TLS channels. Network Time Protocol (NTP) servers are configured on IT infrastructure components to maintain proper time synchronization.
Customers have channels to raise and report issues and incidents. in the event of an incident impacting the system, the data, or services, Voxco has an established Incident Management policy to guide personnel in reporting and to respond appropriately. Critical incidents are communicated to affected clients within the established timeline.
In addition, scanning tools are deployed to assess and report potential vulnerabilities. Alerts raised by Voxco’s systems and by its protective and detective tools are investigated by designated personnel, involving the incident response team if necessary.
If required, action is taken to remediate in accordance with the patch management policy and incident response procedures, as needed (logged and tracked in the ticketing system through to resolution). Major incidents are communicated monthly to management, and root causes are shared with senior management for critical incidents. As required, senior management reviews the resolution of critical incidents.
Backups of production critical data and systems are configured, taken, and stored on a daily basis. Backup and restorability are tested annually, either scheduled or due to a requirement to restore for another purpose. Data backups are encrypted during creation, and backups are stored offsite at subservice organizations.
Voxco maintains a documented Change Management Policy to guide personnel in documenting and implementing application changes. changes to consider might come from various sources. including the product roadmap, the risk management process, and responses to critical incidents, issues, or problems that might arise. Change management guidelines include documentation requirements, development standards and practices, test planning and execution, and approvals.
Voxco uses a ticketing system to document changes. Changes are outlined at the level required, ultimately documented, and reviewed in line with an agile approach, with iterations updated based on feedback throughout the development cycle.
Code reviews and tests are conducted for updates. Development and testing are performed in environments separate from the production environment. Changes follow the approved change management flow prior to production deployment per the change management policy. Deployment is handled by a group separate from the development team, and the ability to deploy changes into production is restricted to this authorized personnel only.
Version control software is used to maintain source code versions through the development process to production, and access to source code is restricted to authorized personnel.
As the production environment is hosted by various cloud providers and as notifications from the platform are sent out via Twilio’s SendGrid, each acts as a subservice organization to Voxco. To validate that each subservice organization with a critical role to play in Voxco’s Survey Platform operations has implemented controls upon which Voxco relies and that Voxco has implemented controls upon which the subservice organization might rely, Voxco management obtains and reviews their independent SOC 2 reports or a similar industry standard (for example, ISO 27001) on an annual basis. This review helps provide comfort that shared responsibilities are covered and helps identify any exceptions that may require further investigation and discussion. Contracts with relevant service providers also include exit clauses.
Voxco’s internal controls consider the controls implemented at key subservice organizations to evaluate the internal controls of subservice organizations upon which some of Voxco’s control objectives depend.
In the design of its internal control, Voxco management determined that certain criteria can only be achieved if the subservice organizations implement appropriate complementary controls. These expected complementary subservice organization’s controls (CSOC) are presented in Section IV with the relevant criteria.
Meeting overall service and control objectives is a shared objective between Voxco and its customers. As Voxco’s services were designed assuming that some policies, procedures, and controls must be implemented by its customers (aka user entities), the effectiveness of the controls described in this report assumes that some internal controls are in place at each of Voxco’s user entities.
Voxco management has determined that certain applicable trust services criteria, as indicated in section IV, can be met only if complementary user-entity controls (CUEC) are suitably designed and operating effectively at the user entities. It is the responsibility of each Voxco user entity and their auditors to ensure that appropriate review procedures and controls are in place at the user entity level to complement the system of controls in place over the information systems functions being performed by Voxco.
We do not knowingly provide this website for anyone under 16. Those under 16 years of age should not use our website.
We may provide links to other (non-Voxco) websites as a service to our website visitors. Any such links are provided solely for your convenience. Voxco is not responsible for any third-party websites’ privacy practices or content. We encourage you to read our privacy policy before providing any personal data.
Voxco reserves the right to modify this privacy policy at any time. Any future changes we make to our privacy policy will be posted on this page on our website (www.voxco.com). If we make changes, we will modify the date with the “Last Updated” date at the top of our privacy policy.
Keeping our clients’ data secure is our top priority at Voxco. Our goal is to provide a secure environment while also being mindful of application performance and the overall user experience. If you have any concern relating to vulnerability or other security concerns, send an email to …
We use cookies in our website to give you the best browsing experience and to tailor advertising. By continuing to use our website, you give us consent to the use of cookies. Read More
Name | Domain | Purpose | Expiry | Type |
---|---|---|---|---|
hubspotutk | www.voxco.com | HubSpot functional cookie. | 1 year | HTTP |
lhc_dir_locale | amplifyreach.com | --- | 52 years | --- |
lhc_dirclass | amplifyreach.com | --- | 52 years | --- |
Name | Domain | Purpose | Expiry | Type |
---|---|---|---|---|
_fbp | www.voxco.com | Facebook Pixel advertising first-party cookie | 3 months | HTTP |
__hstc | www.voxco.com | Hubspot marketing platform cookie. | 1 year | HTTP |
__hssrc | www.voxco.com | Hubspot marketing platform cookie. | 52 years | HTTP |
__hssc | www.voxco.com | Hubspot marketing platform cookie. | Session | HTTP |
Name | Domain | Purpose | Expiry | Type |
---|---|---|---|---|
_gid | www.voxco.com | Google Universal Analytics short-time unique user tracking identifier. | 1 days | HTTP |
MUID | bing.com | Microsoft User Identifier tracking cookie used by Bing Ads. | 1 year | HTTP |
MR | bat.bing.com | Microsoft User Identifier tracking cookie used by Bing Ads. | 7 days | HTTP |
IDE | doubleclick.net | Google advertising cookie used for user tracking and ad targeting purposes. | 2 years | HTTP |
_vwo_uuid_v2 | www.voxco.com | Generic Visual Website Optimizer (VWO) user tracking cookie. | 1 year | HTTP |
_vis_opt_s | www.voxco.com | Generic Visual Website Optimizer (VWO) user tracking cookie that detects if the user is new or returning to a particular campaign. | 3 months | HTTP |
_vis_opt_test_cookie | www.voxco.com | A session (temporary) cookie used by Generic Visual Website Optimizer (VWO) to detect if the cookies are enabled on the browser of the user or not. | 52 years | HTTP |
_ga | www.voxco.com | Google Universal Analytics long-time unique user tracking identifier. | 2 years | HTTP |
_uetsid | www.voxco.com | Microsoft Bing Ads Universal Event Tracking (UET) tracking cookie. | 1 days | HTTP |
vuid | vimeo.com | Vimeo tracking cookie | 2 years | HTTP |
Name | Domain | Purpose | Expiry | Type |
---|---|---|---|---|
__cf_bm | hubspot.com | Generic CloudFlare functional cookie. | Session | HTTP |
Name | Domain | Purpose | Expiry | Type |
---|---|---|---|---|
_gcl_au | www.voxco.com | --- | 3 months | --- |
_gat_gtag_UA_3262734_1 | www.voxco.com | --- | Session | --- |
_clck | www.voxco.com | --- | 1 year | --- |
_ga_HNFQQ528PZ | www.voxco.com | --- | 2 years | --- |
_clsk | www.voxco.com | --- | 1 days | --- |
visitor_id18452 | pardot.com | --- | 10 years | --- |
visitor_id18452-hash | pardot.com | --- | 10 years | --- |
lpv18452 | pi.pardot.com | --- | Session | --- |
lhc_per | www.voxco.com | --- | 6 months | --- |
_uetvid | www.voxco.com | --- | 1 year | --- |