Default data handling practices
At Research Results, Inc., we do our best to balance convenience and access with a high level of security surrounding the data we collect and house on your behalf. We have a large set of policies in place to ensure that your data remains safe. We train all our employees to use industry best practices and to follow our policies. We provide our employees with the necessary tools to meet these standards and we are ISO 27001 certified, which means we are audited yearly to ensure that we follow these policies in practice. There are three definitions that will help our clients understand the major areas where your data is stored and processed.
Decipher Platform – This is our web-based survey data collection and reporting platform. It is a Software as a Service (SaaS) application licensed and maintained by Forsta. We have a dedicated instance of Decipher so the configuration settings described in this document are specific to our dedicated environment. All data at rest and in transit within this platform use widely accepted industry standard encryption. We require multi-factor authentication to access this environment.
Corporate File Share – This is where we store project and business-related data and how that data is shared among our employees. This file share leverages Microsoft Azure Storage, and your data is accessed within our Microsoft Azure Virtual Desktop environment using a mapped drive in Windows Explorer. We control folder access in this environment using our Azure Active Directory permissions. All data at rest and in transit within this platform use widely accepted industry standard encryption.
DisplayR – This is our web-based data reporting platform. It is a Software as a Service (SaaS) application licensed and maintained by DisplayR. This is a shared environment with the necessary segmentation, authentication and authorization in place to ensure confidentiality, integrity and availability. All data at rest and in transit within this platform use widely accepted industry standard encryption. We require multi-factor authentication to access this environment.
Decipher Survey Projects
Portal Archive and Deletion Process
Survey projects are auto archived when a project is both closed and there has been 365 days of prolonged inactivity within a project. Inactivity means that no one has tried to access that project on the Decipher project portal. Once a project enters archived status it is no longer available on our portal, but it is not permanently removed for an additional 365 days. If access to a project is required during that 365-day period after auto-archival, a request needs to be made to a Research Results staff member to unarchive that project. We can run through a process that will restore the project from backup to our portal. As part of this restoration process we will have a discussion with you regarding the long term need for this project to establish a plan for leaving it on the portal.
Long Term Data and Confidential Data Removal
- Prior to permanent deletion of a project, a survey response data file (SPSS format) is downloaded. Any confidential data that is contained within that file is removed and it is saved on our corporate file share. This project field data will be saved indefinitely unless there is a request to remove it or a contractual obligation to remove it.
- All non-survey response confidential data such as broadcast files are removed within one-year of field close and remain in backup for an additional 30 days after removal.
Project Files Stored on our Corporate File Share
A data file is everything from a Decipher data export to data files provided for reporting or tabulation. These files are retained on our corporate file share indefinitely unless they contain confidential data such as PII. If a file contains confidential data, the confidential data is removed from those files within one year of project field close and remains in backup for an additional 30 days after removal.
Support documents are anything from the original survey document to image files, etc. These documents will be kept in place unless there is a request to remove them or a contractual obligation to remove them.
Data Stored for Dashboards, Reports and Tables on DisplayR
We ensure that all data used within this platform has any confidential data (typically PII) removed prior to use in the platform. Data remains in place within this platform if there is a legitimate business need.
We understand that our clients have specific needs that sometimes or possibly all the time need to be applied to their project data. We will always do our best to accommodate those needs. We have mechanisms in place that allow us to make and document exceptions to our default practices. Sometimes we need to shorten timelines and sometimes we need to lengthen them. If you have specific needs that fall outside our standards just reach out to a member of the team and we will start the conversation.