Security Statement
Effective Date: April 1, 2025
PsychData is owned and operated by Divergent Web Solutions, LLC (“PsychData,” “we,” or “us”). We are committed to providing secure online research services, ensuring that our customers’ (“Members”) data is protected to the highest possible standard. This document outlines our current security practices but is not a guarantee of absolute security.
- Hosting and Third-Party Services
- Amazon Web Services (AWS)
- Our platform is hosted on AWS, which provides robust physical and virtual security measures, including redundancy and failover capabilities. AWS maintains multiple industry-recognized certifications (e.g., SOC 2, ISO 27001) that support a secure infrastructure.
- By leveraging AWS in U.S.-based data centers, we help ensure data locality, performance, and adherence to relevant compliance standards.
- Postmark (Email Delivery)
- We use Postmark to deliver email communications such as survey invitations and system notifications. Postmark employs encryption in transit (TLS) and maintains its own security standards.
- While we control the email content, Postmark is responsible for final delivery. For more details, see Postmark’s Security Practices.
- Stripe (Payment Processing)
- Payment transactions are processed via Stripe, a PCI DSS Level 1 Service Provider, so sensitive billing information is handled by Stripe's certified environment. PsychData does not store or process credit card details on our servers; card data is entered into and tokenized by Stripe, and our systems only reference the resulting token.
- For information on Stripe’s security, visit Stripe’s Security Page.
- Data Security and Backups
- Encryption: We protect data transmitted to and from the platform using HTTPS/TLS. Where applicable, at-rest data in AWS services is also encrypted.
- Password Storage: User passwords are stored only as salted, one-way hashes, meaning we never store plaintext passwords and cannot recover a password from its stored form. If a user forgets a password, a secure reset process must be followed.
- Regular Backups: We perform frequent, automated backups of user data within AWS to support data recovery in case of hardware failures or other incidents. However, no backup system is infallible, and permanent data loss remains possible in extreme scenarios.
- Retention and Restoration: Our backup and restoration procedures aim to minimize downtime, but we cannot guarantee data will always be fully recoverable (e.g., in severe cyberattacks or catastrophic events).
- Survey Data and Sensitive Information
- Prohibited Sensitive Data: Our service is not intended to collect high-risk personal data (e.g., Social Security numbers, credit card details) without a clear legal basis and a written agreement. Survey creators must ensure compliance with relevant data-protection laws.
- No Plaintext Credentials: PsychData does not store user passwords in plaintext. If a password is forgotten, a password reset (or alternative login method) is required.
- User Responsibility: Survey creators are responsible for the legality of the data they collect, including compliance with privacy regulations and institutional guidelines.
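The password-storage and no-plaintext-credentials points above describe the general practice of salted one-way hashing and a reset flow rather than password recovery. The following is an added illustration of that practice, written for this page; it is not PsychData's code, and the scrypt parameters, record format, and helper names (`hash_password`, `verify_password`, `issue_reset_token`, `check_reset_token`) are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os
import secrets

# scrypt work factors and sizes: assumed values for this illustration only,
# not the parameters of any particular production system.
SCRYPT_N = 2 ** 14   # CPU/memory cost; 128 * r * N bytes = 16 MiB here
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str) -> str:
    """Derive a salted one-way hash and return a self-describing record.

    The record carries the algorithm and its parameters so that they can be
    raised later without invalidating existing accounts; the plaintext
    password itself never appears in the stored value.
    """
    salt = os.urandom(SALT_BYTES)           # fresh random salt per password
    key = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES,
    )
    fields = ["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
              base64.b64encode(salt).decode("ascii"),
              base64.b64encode(key).decode("ascii")]
    return "$".join(fields)


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash from the stored salt and compare in constant time."""
    try:
        alg, n, r, p, salt_b64, key_b64 = record.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(key_b64, validate=True)
        n, r, p = int(n), int(r), int(p)
    except (ValueError, TypeError):
        return False                         # malformed record never verifies
    if alg != "scrypt":
        return False
    candidate = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(expected),
    )
    # compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(candidate, expected)


def issue_reset_token() -> tuple[str, str]:
    """Create a one-time reset token for the forgotten-password flow.

    Returns (token, stored_digest): the token goes to the user out of band
    (e.g. by email); only its SHA-256 digest is kept server-side, so a copy
    of the database does not yield usable reset tokens.
    """
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode("ascii")).hexdigest()
    return token, digest


def check_reset_token(presented: str, stored_digest: str) -> bool:
    """Validate a presented reset token against its stored digest."""
    digest = hashlib.sha256(presented.encode("ascii")).hexdigest()
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)                                   # no plaintext inside
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("wrong password", record))                 # False
    token, digest = issue_reset_token()
    print(check_reset_token(token, digest))                          # True
```

The record format makes parameter upgrades routine: on a successful login the server can check whether the stored `N`, `r`, `p` are below the current policy and re-hash the just-verified password with stronger settings. Expiry and single-use enforcement for reset tokens would be tracked alongside the stored digest and are left out here.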
- Operational Security Practices
- Vulnerability Scanning: We run regular automated vulnerability scans against our infrastructure and applications. Detected issues are prioritized and remediated to maintain a secure environment.
- Production Access Controls: Access to production environments is restricted via role-based permissions and secured accounts. All administrative actions are logged for traceability.
- Staff Training and Internal Access: Employees receive security and privacy training, and only those with a legitimate need can access sensitive systems or data. Unauthorized access or misuse is subject to disciplinary action.
- Compliance and Certifications
- AWS Compliance: Our hosting provider, AWS, maintains certifications like SOC 2, ISO 27001, PCI DSS, FedRAMP, and HIPAA/HITECH, supporting a secure hosting environment. For more details, see AWS Compliance.
- Postmark: Provides secure email services with industry-standard practices. Visit Postmark Security.
- Stripe: Certified as a PCI Level 1 Service Provider for handling payment data. See Stripe Security.
- Additional Security Measures
- Passkey Login
- In addition to traditional passwords, we support passkey login for users who prefer modern authentication methods. A passkey is a public-key credential bound to our site's origin, so there is no shared secret to phish, reuse, or leak from a password database; this reduces reliance on passwords and mitigates phishing and credential-stuffing attacks. We also verify new accounts by sending email confirmations to ensure valid, authorized registrations.
- User-Managed Exports
- While we back up your data, we encourage you to export critical survey results or other information for your own local backups. This extra layer of redundancy can further reduce the risk of permanent data loss.
- IRB / Research Compliance
- Many of our customers conduct human-subjects research under Institutional Review Boards (IRBs) or similar oversight bodies. We aim to provide a secure platform, but each researcher must ensure their projects comply with any applicable IRB or regulatory requirements.
- Log Retention
- We retain application and system logs for a minimum of 15 days, enabling us to investigate suspicious activity or potential security incidents. Access to logs is restricted to authorized personnel for legitimate operational or security purposes.
- Responsible Disclosure
We encourage responsible disclosure of any potential vulnerabilities. If you discover a security issue, please notify us immediately at [email protected]. We take all such reports seriously and will investigate promptly. By working with the security community, we help keep our platform safe for everyone.
- Disclaimer of Absolute Security
Though we employ industry-standard measures (e.g., encryption, backups, vulnerability scanning), no security system can be guaranteed entirely free from vulnerabilities or breaches. External factors—such as malicious attacks, zero-day exploits, or major service outages—may compromise availability or confidentiality. By using our platform, you acknowledge that absolute security cannot be assured.
- Ongoing Commitment
We continuously assess and update our security posture, adapting to emerging threats and industry best practices. PsychData remains dedicated to protecting the confidentiality, integrity, and availability of your data. We encourage users to adopt strong security practices for their accounts and data, including passkey login where feasible.
Disclaimer: This Security Statement is provided for informational purposes only and does not create any warranty or legally binding obligation. For specific legal terms, please consult our Terms of Agreement and Privacy Policy. If you have additional questions regarding our security practices, contact us at [email protected].
Last Updated: April 1, 2025