Surveyz
At Surveyz, security is not an afterthought — it is built into every layer of the platform. We take the protection of your survey data and personal information seriously. This page explains what we do to keep your data safe and how you can report a security concern.
Infrastructure & Hosting
Surveyz is hosted on Microsoft Azure in the South Africa North region (Johannesburg), keeping your data on South African soil. Azure provides enterprise-grade physical security, redundancy, and compliance certifications including ISO 27001 and SOC 2.
Encryption in Transit
All connections use TLS 1.2 or higher. HTTP requests are automatically redirected to HTTPS. No unencrypted data transmission is permitted.
Encryption at Rest
All database storage is encrypted at rest using AES-256. Backup data is also encrypted and stored in geographically redundant locations.
South African Data Residency
Primary data storage is in Microsoft Azure South Africa North. Your survey data stays in SA by default, supporting POPIA compliance.
DDoS Protection
Azure's built-in DDoS protection shields the platform from network-level attacks, ensuring availability during high-traffic events.
Authentication & Access
- JWT tokens — authentication uses signed JSON Web Tokens with short expiry windows
- OAuth 2.0 — sign-in via Google or Microsoft uses the OAuth 2.0 Authorization Code flow with a confidential server-side client secret; we never see your OAuth provider password
- Password hashing — passwords are hashed using BCrypt with per-user salts; plaintext passwords are never stored
- CSRF protection — anti-forgery tokens protect all state-changing operations
- Rate limiting — authentication endpoints are rate-limited to prevent brute-force attacks
- Correlation cookies — OAuth flows use SameSite=Lax correlation cookies to prevent CSRF during sign-in
Application Security
- Input validation — all user inputs are validated on both client and server; parameterised queries prevent SQL injection
- Content Security Policy — CSP headers restrict script and resource loading to approved origins, reducing cross-site scripting (XSS) risk
- CORS policy — cross-origin resource sharing is restricted to approved origins only
- Dependency scanning — third-party dependencies are monitored for known vulnerabilities via automated tooling
- Secrets management — API keys and credentials are stored in environment variables or deployment configuration and are never committed to source control
- Honeypot fields — public-facing forms include hidden honeypot fields to detect and block automated spam submissions
Payment Security
All payments are processed by PayFast, a South African PCI-DSS compliant payment gateway. Surveyz does not store, transmit, or process card numbers. PayFast handles all card data within their PCI-DSS certified environment.
Access Controls
- Survey data is scoped per account — users can only access their own surveys and responses
- Internal system access follows the principle of least privilege
- All access to production systems is logged and auditable
- Employee access to customer data requires explicit authorisation and is audited
Monitoring & Incident Response
We continuously monitor the platform for anomalous activity, failed authentication attempts, and potential security threats. In the event of a confirmed security incident:
- Affected systems are isolated immediately
- The scope of impact is assessed within 24 hours
- Affected customers are notified as soon as practically possible
- Incidents involving personal information are reported to the Information Regulator within the timeframes required by POPIA
Responsible Disclosure
We welcome reports from security researchers and the community. If you discover a vulnerability in Surveyz, please report it to us responsibly before public disclosure so we can address it promptly.
Please do not access, modify, or delete data belonging to other users during your research. Testing should be limited to accounts and data you own. Automated scanning that could affect platform availability is not permitted without prior written consent.
Your Role in Security
Security is a shared responsibility. Here is how you can help keep your account safe:
- Use a strong, unique password for your Surveyz account
- Do not share your account credentials with others
- Log out from shared or public computers
- Be cautious of phishing emails — Surveyz will never ask for your password via email
- Report suspicious activity to security@surveyz.co.za