Security Statement

Name: PaperSurvey.io
Brand: PaperSurvey.io
Rating: 4.8 (28 reviews)

Effective date: March 11, 2026

It is extremely important for us to protect your information and your customers' information. We know you have questions about how we protect this information, so details about some frequently requested information about the information security of PaperSurvey are provided below.

Data Centers

We store our data and databases securely in DigitalOcean LLC datacenters in Amsterdam, Netherlands.

DigitalOcean datacenters are co-located in some of the most respected datacenter facility providers in the world. DigitalOcean leverages all of the capabilities of these providers including physical security and environmental controls to secure our infrastructure from physical threat or impact. Each site is staffed 24/7/365 with on-site physical security to protect against unauthorized entry. DigitalOcean's infrastructure maintains ISO 27001 and SOC 2 Type II certifications.

Development

Our development team uses secure coding techniques and best practices focused on the top ten OWASP. Developers are formally trained in secure web application development methods.

Development, testing, and production environments are separated. All changes are peer reviewed and logged for performance, audit, and forensic purposes prior to deployment into the production environment.

Encryption

We encrypt your data in transit using secure TLS 1.2+ cryptographic protocols. All data is also encrypted at rest, including uploaded files, survey responses, and backups.

Authentication Security

We support multiple authentication methods to protect your account:

Two-factor authentication (2FA): TOTP-based authentication with recovery codes. Team administrators can enforce 2FA for all team members.
Passkeys (WebAuthn/FIDO2): Passwordless login using hardware security keys, biometrics, or device authenticators.
SAML 2.0 SSO: Single Sign-On is available for Enterprise Plus customers, enabling integration with your organization's existing identity provider.
Session security: All active sessions are invalidated immediately upon password change. A short grace period after login reduces unnecessary re-authentication prompts.

Rate Limiting and Abuse Prevention

All authentication endpoints, including login, two-factor authentication, registration, and password reset, are rate-limited to prevent brute-force and credential stuffing attacks. Repeated failed attempts result in temporary lockouts.

Security Audit Logs

Key security events are logged and retained, including:

Successful and failed login attempts
Password changes and account setting updates
Two-factor authentication events (enable, disable, use)
Data exports and bulk deletions
Unauthorized access attempts

These logs are available to authorized personnel and can be shared with customers in the event of a security incident affecting their account.

Breach Notification

Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if PaperSurvey learns of a security breach, we will notify affected users so that they can take appropriate protective steps. Our breach notification procedures are consistent with our obligations under applicable country level, state and federal laws and regulations, as well as any industry rules or standards applicable to us. We are committed to keeping our customers fully informed of any matters relevant to the security of their account and to providing customers all information necessary for them to meet their own regulatory reporting obligations.

Uptime

We strive for 99.9% uptime across all our products and to support that, we employ a variety of tools to accurately monitor and report on any anomaly that could impact the delivery of our services.

Logging and monitoring

Application and infrastructure systems log information to a centrally managed log repository for troubleshooting, security reviews, and analysis by authorized personnel. Logs are preserved in accordance with regulatory requirements. We will provide customers with reasonable assistance and access to logs in the event of a security incident impacting their account.

Backups

Automatic database and filesystem backups are made several times a day. All backups are encrypted using public-private key encryption and stored in multiple geographical locations. The private keys are stored on offline data storage that may only be accessed in case of a critical incident or a customer request to restore data. Backups are stored for 6 months, allowing full restoration from any point in time. If you have accidentally removed survey data, it may be restored for an additional cost within the 6-month window.

Data Retention Policy

Survey data deleted by users is soft-deleted and held for 90 days before permanent removal, allowing accidental deletions to be recovered. After 90 days, data is permanently removed from production systems.

Encrypted offsite backups are retained for up to 6 months as part of our disaster recovery procedures. After 6 months, backups are automatically purged.

Reporting Security Issues

We understand that security is essential in maintaining the trust you place in us to provide products and services to you. Although our team works vigilantly to help keep customer information secure, we recognize the important role that security researchers and our user community play in helping to keep our users secure. If you are a security researcher and have discovered a security vulnerability in our website or service, we ask for your help in disclosing it to us in a responsible manner. If you discover a vulnerability or are a customer who is concerned your account has been compromised, please notify us via hello@papersurvey.io.

Data Removal

If you wish to stop using our services, you may delete all your surveys from our platform, or delete your entire account. Deleting your account removes all associated surveys, responses, uploaded files, and team data from our production systems.

When you delete a survey or your account, data is immediately removed from our production databases. Encrypted offsite backups may retain deleted data for up to 6 months as part of our disaster recovery procedures, after which they are automatically purged.