63% of people consider a company's privacy and security history before using their products or services.
SurveyMonkey provides its services around the world with its global subprocessors. In our contract with you, we commit that every transfer of personal data to us is compliant with applicable data protection law. We only transfer personal data onward to subprocessors that protect your personal data with safeguards as onerous as the safeguards we apply to the personal data in our control.
In addition, the supplementary measures we have taken align with the July 16, 2020 judgment of the EU Court of Justice (“CJEU”) in Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximilian Schrems (“Schrems II”) and the European Data Protection Board’s (“EDPB”) guidance on supplementary measures. Detailed information is provided below.
If you are a US Customer, your contract will include a Data Protection Addendum (“DPA”) with SurveyMonkey's US entity: SurveyMonkey Inc. If you have users in the European Economic Area (“EEA”), the United Kingdom (“UK”), or Switzerland and therefore require a transfer mechanism for user data to SurveyMonkey, you can request that we add the relevant transfer mechanisms. (If you are a self-serve Customer, please note that our online DPA contains these transfer mechanisms automatically).
In addition to the Standard Contractual Clauses ("SCCs") and as a secondary measure, SurveyMonkey Inc. also self-certifies under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework Principles. This means that the European, British, and Swiss data protection authorities have deemed our processing “adequate” under Article 45(3) of the GDPR.
If you are a Customer based in the EEA, UK, or Switzerland your contract will include a Data Protection Addendum (“DPA”) with SurveyMonkey's Irish entity: SurveyMonkey Europe UC. Since the transfer from you to SurveyMonkey is between European entities for which no transfer mechanism is needed (or that have recognized each others’ adequacy status), no other transfer mechanisms are needed.
If you are a Customer based outside of the US, EEA, UK, or Switzerland - but you have users in the EEA, UK, or Switzerland and need to ensure there is a transfer mechanism for onward transfer - your contract will include a DPA with SurveyMonkey's Irish entity, SurveyMonkey Europe UC, and you can request that we add the relevant transfer mechanism. (If you are a self-serve Customer, please note that our online DPA contains these transfer mechanisms automatically).
You transfer personal data to SurveyMonkey so that we may process the personal data for the following purposes:
You should evaluate if you transfer data for any differing purposes.
The Customer personal data transferred to SurveyMonkey can contain as much or as little personal data as you decide to collect in your questions in surveys, forms, and questionnaires. Because of the nature of the platform we assume that a large variety of personal data - including potential special category data - is collected by you.
As noted above, you will contract with a SurveyMonkey entity in the US or Ireland - depending on your location. Based on advice from outside counsel specialized in data protection and analysis of the laws to which SurveyMonkey is subject, we believe the risk associated with the legal regime in the US to be low, and the risk associated with the legal regime in Ireland to be of no material risk to the data subject. See the section ‘Supplementary Measures: Organizational’ below for more information on US law specifically.
Even where there is low or no material risk due to the legal regime in the destination country, SurveyMonkey has implemented supplementary measures to further safeguard personal data. The supplementary measures are divided into three categories: (i) contractual; (ii) organizational; and (iii) technical safeguards.
As described above, SurveyMonkey will agree to enter into SCCs with Customers. The Schrems II judgment indicates that parties may use SCCs and (where appropriate) additional safeguards for transfer of personal data from the United Kingdom, Switzerland, and the European Economic Area (“European Data”) to the United States. If you have entered into an agreement with or are otherwise obtaining services from SurveyMonkey that will require SurveyMonkey to process personal data of European data subjects, SurveyMonkey will (as appropriate depending on the SurveyMonkey entity you are contracting with):
The CJEU’s concerns about transfers of data to the United States were based on the US government’s collection of data under US Executive Order 12333 (“EO 12333”) and under Section 702 of the Foreign Intelligence Surveillance Act (“FISA § 702”), especially “upstream” surveillance under FISA § 702. The risks posed by these US legal provisions either do not apply to SurveyMonkey's processing of personal data or can be sufficiently mitigated by organizational safeguards that SurveyMonkey offers.
In addition, on 10 July 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework. The adequacy decision concludes that the United States ensures an adequate level of protection – compared to that of the EU - for personal data transferred from the EU to US companies participating in the EU-U.S. Data Privacy Framework.
The adequacy decision follows the US' signature of an Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities', which introduced new binding safeguards to address the points raised by the Court of Justice of the European Union in its Schrems II decision of July 2020. Notably, the new obligations were geared to ensure that data can be accessed by US intelligence agencies only to the extent of what is necessary and proportionate, and to establish an independent and impartial redress mechanism to handle and resolve complaints from Europeans concerning the collection of their data for national security purposes (See: https://ec.europa.eu/commission/presscorner/detail/en/qanda_23_3752).
SurveyMonkey is not eligible to receive “upstream” or bulk surveillance orders under FISA § 702. SurveyMonkey Inc. acts, in part, as an electronic communications service (“ECS”) and also potentially a remote computing service (“RCS”) (as defined in Sections 2510 and 2711 of Title 18 USC., respectively) in connection with certain services or product features we provide to Customers. SurveyMonkey Inc. thus is among the large group of companies upon which the United States government could serve a targeted directive under FISA § 702. However, as the US government has interpreted and applied FISA § 702, SurveyMonkey is not eligible to receive the type of order that was of principal concern to the CJEU in the Schrems II decision—i.e., a FISA § 702 order for “upstream” surveillance. As the US government has applied FISA § 702, it uses upstream orders only to target traffic flowing through internet backbone providers that carry Internet traffic for third parties (i.e., telecommunications carriers). For example, see the report of the Privacy and Civil Liberties Oversight Board, Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act (July 2, 2014), pp. 35-40, available at https://fas.org/irp/offdocs/pclob-702.pdf. SurveyMonkey does not provide such Internet backbone services, as we only carry traffic involving our own customers. As a result, we are not eligible to receive the type of order principally addressed in, and deemed problematic by, the Schrems II decision.
SurveyMonkey has not received any directive under FISA § 702, and we are unlikely to receive any. As of the date of this statement, SurveyMonkey has not received any directive under FISA § 702 and has no reason to believe that such a directive would be made to SurveyMonkey. The personal data SurveyMonkey processes for our customers –feedback data – is highly unlikely to be relevant to the foreign intelligence activities governed by FISA § 702. Moreover, in the event any such personal data were relevant to such an investigation, the government is more likely to seek such data through other forms of legal process (such as a search warrant approved by a judge) that do satisfy the high standards for government access to data described in the Schrems II decision. This is because it would be much faster and easier for the government to seek an order or warrant under something other than FISA § 702 than to put in place the mechanisms required for the government to serve directives on SurveyMonkey under FISA § 702.
SurveyMonkey does not assist — and cannot be ordered to assist — US authorities in their collection of information under Executive Order 12333. SurveyMonkey does not and will not provide any assistance to US authorities conducting surveillance under EO 12333. EO 12333 does not provide the US government the ability to compel companies to provide assistance with those activities, and SurveyMonkey will not do so voluntarily. As a result, SurveyMonkey does not, and cannot be ordered to, take any action to facilitate the type of bulk surveillance under EO 12333 the Schrems II decision deemed problematic.
SurveyMonkey provides a range of technical measures that further defeat the core deficiencies cited in the Schrems II decision referred to above (bulk surveillance under FISA § 702 and bulk interceptions under EO 12333).
SurveyMonkey encrypts all data at rest in our data centres using AES 256 based encryption. Additionally, SurveyMonkey encrypts all data in motion using (i) RSA with 2048 bit key length based certificates generated via a public Certificate Authority, for communications with entities outside SurveyMonkey's data centres, and (ii) RSA 256 certificates generated via Internal Certificate Authority, for all the data within the data centre. These encryption efforts are aimed at prevention of unauthorised acquisition of data in an intelligible form and prevention of unauthorised wiretapping / tampering when data is in transit between two end-points.
Some SurveyMonkey Customers (for example, Customers of GetFeedback Digital) have their data stored only in the European Union. In those instances the data is not stored in the US and only very minimal access to that data occurs in the United States for limited purposes (for example, to provide Customer support on request, for follow the sun security support and/or limited engineer resourcing to resolve technical issues/bugs or build out systems).
SurveyMonkey also maintains strict administrative, technical, and physical procedures to protect information stored on its servers. Access to personal information is limited through login credentials to those employees who require it to perform their job functions. SurveyMonkey implements data minimization techniques to limit the amount of personal data which is transferred from the EU to third party jurisdictions to include, where appropriate, pseudonymization or deidentification of data. In addition, SurveyMonkey uses access controls such as multi-factor authentication, Single Sign On, access on an as-needed basis, strong password controls, and restricted access to administrative accounts.
Additionally, as an ECS/RCS, SurveyMonkey is subject to the US Electronic Communications Privacy Act, 18 USC. § 2701, et seq. (“ECPA”), which provides protection to SurveyMonkey's Customers. For example, ECPA prohibits governmental entities from seeking information about Customers of services like SurveyMonkey unless such governmental entities first obtain appropriate legal process, including a court order or search warrant for information other than basic subscriber information. Likewise, both FISA and ECPA provide SurveyMonkey's Customers with redress against the US government (including monetary damages or disciplinary actions against the relevant governmental authorities) if it improperly obtains information about them (see 18 USC. § 2712).
Further, SurveyMonkey's long time outside legal counsel is experienced in responding to US governmental requests for user data, including US national security requests under FISA § 702. It is SurveyMonkey's policy to escalate any such requests to SurveyMonkey's own internal compliance team and, as necessary, to such outside counsel for review. Where appropriate, SurveyMonkey intends to use available legal mechanisms to challenge demands for data access using FISA § 702 (including any non-disclosure provisions or orders attached thereto) in the unlikely event SurveyMonkey receives such a demand. The demand would then receive review by a US tribunal (the FISA Court).
SurveyMonkey also recognizes that an order to provide data access under FISA § 702 would require SurveyMonkey to notify our Customers that we could no longer comply with the Standard Contractual Clauses, allowing them to terminate their agreement with us and suspend data flows to us. We have never needed to issue such a notice.
Taking into account the above analysis, we believe the risk of harm to the data subject is not material.
The table below summarizes our transfer impact assessment conclusion.
“Non-material” risk means that personal data is transferred to a jurisdiction that has been considered adequate by the European Commission (and so the legal protections are equivalent to legal protections in Europe), and that there are contractual, technical, and organizational measures in place to further protect the data.
“Low” risk means that personal data is transferred to a jurisdiction with a GDPR Chapter V mechanism other than adequacy. While the legal protections are not necessarily equivalent to legal protections in Europe, the transfer is still legally-compliant and is bolstered by contractual, technical, and organizational measures in place to further protect the data.
|Sender||Recipient||Transfer Destination||Transfer Mechanism||Risk|
|US Customer with users in EU or UK||SurveyMonkey Inc.||US||SCCs + supplementary measures (with a secondary measure of certification to the DPF)||Non-material|
|EEA or UK Customer||SurveyMonkey Europe UC||Ireland||Adequacy + supplementary measures||Non-material|
|Non-US/EEA/UK Customer with users in EU or UK||SurveyMonkey Europe UC||Ireland||SCCs + supplementary measures||Non-material|
Subprocessors are SurveyMonkey vendors that process your users’ personal data in order to help SurveyMonkey provide the service to you. All SurveyMonkey subprocessors are bound by contract to protect the personal data with safeguards that are no less onerous than the standard that we apply to personal data in our control.
When SurveyMonkey transfers personal data to subprocessors, we conduct a Transfer Impact Assessment (“TIA”) similar to the steps outlined above. We do this to ensure that your personal data is protected at each step, as required by data protection law and our contract with you. We have provided a summary of the salient points of the TIA for each subprocessor below.
Please note that not all subprocessors are used in the provision of all of our Services. Our subprocessor list is segmented into specific SurveyMonkey services.
If you wish to receive email notifications of updates to our Subprocessor List, please subscribe here.