Where data lives and how we protect it.
SurveyGenie runs on Vercel for the application edge and serverless functions, with Neon Postgres (US region) as the primary database. Rate-limiting and ephemeral caching run on Upstash Redis. LLM calls route through the Vercel AI Gateway, which keeps provider credentials off our application servers.
- ✓ Encryption in transit: TLS 1.3 terminated at the Vercel edge. HSTS enabled.
- ✓ Encryption at rest: Neon encrypts the database and backups at rest (AES-256 equivalent).
- ✓ DDoS protection: handled by the Vercel platform at the edge.
- ✓ Observability: Sentry for application error tracking; Vercel logs for request-level telemetry.
- ○ Backups: Neon runs standard provider backups. Custom retention schedules and tested-restore runbooks are on the roadmap.
You own your data. Period.
Research data you create on SurveyGenie — your surveys, your responses, your analyses — is yours. We process it on your behalf to operate the service. We do not sell it, license it, or use it to train models without your explicit opt-in.
Response data is retained on all plans until you delete it. Account deletion removes all customer data within 30 days. No auto-purge based on age.
Data residency: United States by default. EU residency is on the roadmap for Enterprise customers.
Data export: CSV and Google Sheets on every plan. SPSS/Stata on Research. API access on Research. No vendor lock-in.
You can delete any survey, response, or your entire account from within the app. Deletions propagate to backups within 30 days.
AI and your data: when you use AI features, your content is processed through the Vercel AI Gateway to model providers under agreements that prohibit using customer data to train foundation models. You can disable AI features account-wide from admin settings.
Who can get in, and how.
- ✓ Email + Google sign-in: supported on all tiers via NextAuth. Passwords hashed with bcrypt.
- ○ Two-factor authentication (2FA): on the roadmap. TOTP-based.
- ○ Role-based access (RBAC): on the roadmap. Workspaces and owner/admin/editor/viewer roles coming with team plans.
- ○ SAML SSO / SCIM (Enterprise): on the roadmap. Okta, Microsoft Entra, Google Workspace.
- ○ Audit logs (Enterprise): on the roadmap.
SurveyGenie is a small team and production access follows least-privilege. Only a small, named group of engineers can access production systems. No one has standing production database access — changes go through reviewed migrations.
Security that protects your data quality.
Most platforms treat data quality as a feature you buy at the enterprise tier. Our philosophy is the opposite — panel quality controls should ship with the product. We're rolling these out in stages.
- Available on every tier, including free.
- Planned for Pro. Detects duplicate devices and farms.
- Straight-lining detection, response-time outliers, improbable-answer clusters.
- Device + identity verification on panelist onboarding, ongoing attention checks.
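An added example of the kind of response-quality checks named above (straight-lining and response-time outliers) in Python. It is not SurveyGenie's code; the response records, the 0.85 straight-lining cutoff and the median-based speeder rule are constructed assumptions.

```python
"""Panel-quality checks: straight-lining and response-time outliers.

Added example, not SurveyGenie code. Each constructed record carries a
respondent id, completion time in seconds, and the Likert (1-5) answers
given to one grid block of items.
"""
from dataclasses import dataclass
from statistics import median


@dataclass
class Response:
    respondent_id: str
    seconds: float
    grid: list[int]


def straightline_ratio(grid: list[int]) -> float:
    """Share of grid items equal to the most common answer (1.0 = fully straight-lined)."""
    if not grid:
        return 0.0
    return max(grid.count(v) for v in set(grid)) / len(grid)


def speeder_threshold(times: list[float], factor: float = 0.4) -> float:
    """Assumed rule: a completion time below factor * median marks a speeder."""
    return factor * median(times)


def flag_responses(responses: list[Response], straightline_cutoff: float = 0.85,
                   speed_factor: float = 0.4) -> dict[str, list[str]]:
    """Return respondent_id -> list of quality flags (empty list means clean)."""
    threshold = speeder_threshold([r.seconds for r in responses], speed_factor)
    flags: dict[str, list[str]] = {}
    for r in responses:
        reasons = []
        # Only grids with at least 5 items are long enough for the ratio to mean much.
        if len(r.grid) >= 5 and straightline_ratio(r.grid) >= straightline_cutoff:
            reasons.append("straightline")
        if r.seconds < threshold:
            reasons.append("speeder")
        flags[r.respondent_id] = reasons
    return flags


# Constructed sample: r2 straight-lines and speeds, r4 nearly straight-lines, r5 speeds.
SAMPLE = [
    Response("r1", 310, [4, 3, 5, 2, 4, 3, 4, 2]),
    Response("r2", 45, [3, 3, 3, 3, 3, 3, 3, 3]),
    Response("r3", 280, [5, 4, 4, 5, 3, 4, 5, 4]),
    Response("r4", 260, [2, 2, 2, 2, 2, 2, 2, 3]),
    Response("r5", 90, [1, 5, 2, 4, 3, 5, 1, 2]),
]

if __name__ == "__main__":
    for rid, reasons in flag_responses(SAMPLE).items():
        print(rid, reasons or "clean")
```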
Regulatory posture & roadmap.
| Framework | Status | Notes |
|---|---|---|
| GDPR (EU) | Roadmap | DPA in drafting · contact security@ for current status. |
| CCPA / CPRA (California) | Roadmap | Consumer access & deletion supported in-app. Formal DPA in drafting. |
| SOC 2 Type II | Roadmap | Preparation planned. Target report: Q4 2026. |
| ISO 27001 | Roadmap | Evaluating depending on Enterprise demand. |
| HIPAA | Not applicable | We do not accept PHI. Do not submit health data via SurveyGenie. |
| PCI-DSS | Roadmap | Will be SAQ-A once Stripe payments go live · we never see card numbers. |
Enterprise prospects can request our draft DPA and sub-processor list directly from security@surveygenie.ai.
Who else touches your data.
Our current production stack:
| Provider | Purpose | Location |
|---|---|---|
| Vercel | Application hosting, edge, serverless functions | Global edge · US primary |
| Neon | Postgres database | US |
| Upstash | Redis for rate limiting & ephemeral cache | US |
| Vercel AI Gateway | LLM inference routing (no training on customer data) | US |
| Resend | Transactional email | US |
| Sentry | Application error monitoring | US |
| Stripe | Payments (once live) | US / EU |
We notify Enterprise customers of sub-processor changes by email with advance notice.
Found a vulnerability? Tell us first.
We welcome good-faith security research. If you discover a vulnerability, please report it privately before public disclosure — we commit to responding within 48 hours, acknowledging fixes with credit (if desired), and never pursuing legal action against researchers who follow this policy.
In scope:
- surveygenie.ai and all subdomains
- Our API endpoints
- Mobile web experience
- Authentication, session, data access
Out of scope:
- Volumetric DoS/DDoS
- Social engineering of staff
- Physical attacks
- Third-party services (report to provider)
A formal bug bounty program is on the roadmap — for now we offer recognition (hall of fame) and occasional swag/rewards for material findings.