SurveyMonkey

Publisher Attestation: The information on this page is based on a self-assessment report provided by the app developer on the security, compliance, and data handling practices followed by this app. Microsoft makes no guarantees regarding the accuracy of the information.

Last updated by the developer on: December 16, 2019

General information

Information provided by SurveyMonkey to Microsoft:

| Information | Response |
|---|---|
| App name | SurveyMonkey |
| ID | WA104381088 |
| Office 365 clients supported | Microsoft Teams |
| Partner company name | SurveyMonkey |
| URL of partner website | https://www.surveymonkey.com |
| URL of Teams application info page | https://help.surveymonkey.com/articles/en_US/kb/Microsoft-T... |
| URL of Privacy Policy | https://www.surveymonkey.com/mp/legal/privacy-policy/ |
| URL of Terms of Use | https://www.surveymonkey.com/mp/legal/terms-of-use/ |

Feedback

Questions or updates to any of the information you see here? Contact us!

How the app handles data

This information has been provided by SurveyMonkey about how this app collects and stores organizational data and the control that your organization will have over the data the app collects.

Data access using Microsoft Graph

List any Microsoft Graph permissions this app requires.

Permission Type of permission (Delegated/ Application) Is data collected? Justification for collecting it? Is data stored? Justification for storing it? Azure AD App ID
Group.ReadWrite.All delegated No To provide a list of groups/channels to share a survey with

Non-Microsoft services used

If the app transfers or shares organizational data with a non-Microsoft service, list the non-Microsoft service the app uses and what data is transferred, and include a justification for why the app needs to transfer this information.

All non-Microsoft services OII is transferred to What OII is transferred? Justification for transferring OII?
Only the MS user ID is stored in SurveyMonkey in order to associate responses and surveys with the team user. For Teams we use the Microsoft Teams JavaScript SDK in the create, take survey and survey results task module modal.

Data access via bots

If this app contains a bot or a messaging extension, it can access end-user identifiable information (EUII): the roster (first name, last name, display name, email address) of any team member in a team or chat it's added to. Does this app make use of this capability?

Justification for accessing EUII? Is EUII stored in database(s)? Justification for storing EUII?
We make a call to v3/conversations/{id}/pagedmembers to check that the app is added to a team and get the member count. It is for internal tracking of usage; we only look at the size of the chat roster, and other info is ignored. Yes, the size of the chat is stored (a single integer).

Telemetry data

Does any organizational identifiable information (OII) or end-user identifiable information (EUII) appear in this application's telemetry or logs? If yes, describe what data is stored and what are the retention and removal policies?

EUII - A success/fail log is created whenever a survey gets a response and we try to send that response to Teams via the connector. This log includes user_id, survey_id, and integration_id (which in the database can be used to look up MS Team ID, MS User ID).

Organizational controls for data stored by partner

Describe how an organization's administrators can control their information in partner systems, e.g. deletion, retention, auditing, archiving, end-user policy, etc.

Our primary data center is located in Las Vegas, NV and our secondary data center is located in Santa Clara, CA. SurveyMonkey owns and operates all of its servers and infrastructure at these locations. We also have Canadian data residency available for certain SurveyMonkey Enterprise customers located in Canada. All data is encrypted at rest using TDE with AES256 and data in transit is encrypted using TLS 1.2.

SurveyMonkey uses central user authentication to maintain identity and access management. This system manages all authentication and authorization to any and all corporate and production infrastructure, systems and services. Strict access policies are maintained and reviewed on a quarterly basis. The reviews include but are not limited to: user access lists, policy groups and 3rd party access reviews. To access our production environment (i.e. to get a privileged account), one needs to obtain manager approval, complete a number of required trainings, and obtain approval from our security team. At that time, an additional VPN account is provisioned, which differentiates the 'normal' account from a 'privileged' account.

Only company-issued devices are allowed to access our production network. All wireless vendor defaults are changed prior to installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. 2FA and VPN are required to do so remotely. We have a separate Wi-Fi network for guest access at our corporate offices.

All services, protocols, and allowed ports must have a documented business justification and approval, including the use of security features implemented for those protocols considered insecure. Routers and firewalls are configured to limit the IP disclosure to unauthorized or unintended parties and limit inbound internet access to IP addresses within the DMZ. Firewall and router rulesets are reviewed at least every six months.

Human review of organizational information

Are humans involved in reviewing or analyzing any organizational identifiable information (OII) data that is collected or stored by this app?

Yes

Information from the Microsoft Cloud App Security catalog appears below.
