Built with Security in Mind
Our product offering operates on the premise of highly accurate data, and as such security forms a core part of our business. To that end we employ several strategies and policies which aim to ensure that our code and back-end application do no harm to your website and provide highly accurate and secure data.
Trusted by Thousands Every Day
Our back-end infrastructure and code snippets are deployed on thousands of sites every day. For this reason security is our top priority during every update release and monthly review.
We require authentication for all management and data access features. Pages intended to be public are served over an SSL-encrypted connection but do not require account authentication. All management and reporting features require a validated account, authenticated over an SSL-encrypted connection.
We do not enforce password complexity requirements but recommend the following:
Passwords should be a minimum of 8 characters and include a mix of uppercase and lowercase letters, numbers and symbols. We also permit account access via Facebook and Google+ verification.
Passwords are hashed and stored in a secure SQL database. No plain-text passwords are stored.
Multiple invalid login attempts are monitored and will result in account lockout. Account access may be restored with email verification.
We encourage users to periodically update passwords and never use a password shared with another website.
Session Management and Tracking
Each time a user visits our site a unique session identifier is created, which allows us to collect anonymous website tracking statistics. We use Google Analytics for tracking. Examples of information collected include:
- Date and Time of Visit
- IP Address
- Browser and Operating System
- Screen Resolution and Device Type
- Interactions with Content
- IP Geolocation
All direct survey/quiz results are posted using 256-bit RapidSSL encryption, updated to use the strongest cipher suites available.
Each user is assigned access to only a single authenticated account. No user, including our staff, may access multiple user accounts under a single login. Standard and premium accounts provide only a single type of user account, which has full reporting and edit permissions for the authenticated account. Enterprise accounts are split into Administrator and Report roles. Administrators have full edit and reporting permissions and may access account and billing information. Report roles are limited to reporting features.
We maintain extensive logs in order to review and improve security as well as performance. We log the following:
- Account Creation
- Quiz Creation
- Quiz Publish
- Quiz Update
- Quiz Archiving
- Quiz Responses
- Account Upgrade/Downgrade
We record digital fingerprint, IP address, browser tag and other related metadata fields in our logs. At no time will these logs be made public.
The following describes the types of information collected during various interactions with our services.
During Facebook, Google or form-based account registration with Quiz Maker we may collect personally identifying information such as IP address, first and last name, and more.
We collect information such as IP address, location, timing and website visitor metrics in order to provide both security and reporting features to quiz creators. We also use engagement metrics in order to deliver the most popular content to our website visitors.
To delete the information that we have stored about you and your respondents, use the following instructions:
- Log in to the Dashboard and select 'Account' from the left side menu
- If you have an active subscription click the 'Cancel' button on the right side of the page to cancel the subscription
- If you do not have an active subscription you will see a 'Delete' button on the right side of the page
- Click the 'Delete' button to delete your account. This action cannot be reversed.
Security Development Cycle
The Quiz Maker development cycle incorporates security as a primary and ongoing focus. The following provides a brief overview of the development cycle.
- Initial security requirements defined
- Function development
- Threat model analysis, security risks and vulnerabilities analysed
- Peer code review
- Security testing and vulnerability assessment
- Feedback based review and refinement
We use automated code vulnerability assessments to find common bugs. Each new feature and update undergoes rigorous testing and review on our dedicated testing platform prior to publishing. Manual code reviews are undertaken by peers. We periodically conduct third-party security assessments using various vendors.
Bug Feedback Policy
We encourage our users to conduct security assessments but ask to be notified beforehand. We proactively pursue and monitor attacks daily. We consider user feedback integral to the development of our platform and will work with site visitors and customers to ensure the security of our platform and your data.
Access to customer information is restricted within our business to the bare minimum of staff required. Access is granted only when it is required in order to support or perform core duties. We rely upon this information in order to evaluate usage trends and form plans for the development of new features. Sensitive information is never shared with anyone outside our business, including third-party contractors. We will never share, sell or otherwise disclose any data collected for any purpose. Employees are subject to disciplinary action, including but not limited to termination, if found to have breached their allocated access.
Back End Infrastructure
We use the services of Liquid Web to maintain co-located dedicated servers in Michigan and Arizona. Our data centre facilities include:
- 24/7/365 hardware support
- Military grade redundant power grid
- 24/7/365 dedicated onsite security officer
- Motion detecting cameras
- 22-ton up-flow cooling
- Tier-1, 6-way redundant 1 Gbps bandwidth
Our servers operate on Windows Server 2012 and have full disk encryption enabled. Nightly backups of code and data are stored offsite. Servers are patched automatically and reviewed regularly.
Incident Response and Uptime Record
Our security staff receive SMS notifications of outages and security-related issues. Third-party checks for service availability are performed every 15 seconds. Average response time to outages is less than 5 minutes. We have maintained 100% uptime for a period of 18 months.
Credit Card Payments
Quiz Maker uses secure Stripe payment processing for online credit card transactions. Stripe provides secure payment processing for many of the web's largest sites, including Kickstarter, Pinterest and Shopify.
- Payments are fully automated with an immediate response.
- Your complete credit card number cannot be viewed by Quiz Maker or any outside party.
- All transactions are performed under a 256-bit SSL certificate.
- All transaction data is encrypted for storage within Stripe's bank-grade data centre, further protecting your credit card data.
- Stripe is an authorised third party processor for all major banks.
- Stripe at no time touches your funds; all monies are directly transferred from your credit card to the merchant account held by Quiz Maker.
Quizzes deemed to be offensive, illegal or defamatory may be removed at our sole discretion. If you have a complaint about a specific quiz, please contact us via the link below and make sure you include the link to the quiz.