Skip to main content

Information Security

Last updated: 27th Jan, 2021

Information security

Our mission is to address the barriers which exclude participation in research, so that we can enable everyone to be heard and work towards more equitable futures. We do this through building tools that help you collect and manage your participant’s data responsibly, equitably and transparently.

Living those values means we need to ensure that we also treat your data responsibly, equitably and transparently.

For us, that means:

  • We don’t, and never will, sell your data.
  • We only ask for what we need to run the service.
  • We don’t use tracking cookies.
  • Your data is your own, Even on a trial account.
  • We believe in data mobility. You can download your data at any time.
  • We keep data for as long as you want us to. And when we delete it, its gone.

Privacy by design and as default is baked into the production of our service. We use the ODI’s Data Ethics Canvas at the inception of any new feature or product to ensure the appropriate considerations are made and that we are using data ethically and responsibly.

We are self-funded, and only accountable to our Customers.

Where is my data stored?

By default, all of your data will be stored and processed within the EU. We do this for two reasons:

  1. We’re based in Europe, and
  2. The EU has the most stringent data protection regulations in the world.

We also have data tenancy options available if you would prefer your data to be stored and processed within the USA.

How we handle your data

ISO 27001 data centres

Our infrastructure runs on Heroku, which is built upon Amazon Web Services (AWS). Heroku delivers a Platform as a Service (PaaS) with exceptional security.

For more information please see the following:

Heroku’s physical infrastructure is hosted and managed within Amazon’s secure data centres and utilise the Amazon Web Service (AWS) technology.

Amazon continually manages risk and undergoes reoccurring assessments to ensure compliance with industry standards.

Amazon’s data centre operations have been accredited under ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II), PCI Level 1, FISMA Moderate and Sarbanes-Oxley (SOX)

Physical security

We do not have data centres as we are a cloud SaaS provider. Physical security to our servers and to your data is managed by AWS security certifications

Data storage and encryption at rest

Your data is encrypted at rest using AES256 encryption within the Heroku Postgres production tier.


All user passwords are stored using the Bcrypt password hashing function and stored in the database. Bcrypt uses salts and a complex hashing algorithms.

Encryption in transit

All communication between you, your services and Consent Kit, that includes your data, traverses the Internet via encrypted HTTPS traffic using TLS v1.3 where supported. We support older browsers with TLS v1.2.

This encryption during communication ensures information cannot be read or manipulated by unauthorised third parties.

Backups and data retention

We ensure that all data is regularly backed up.

Your data lives in our servers for as long as you need them. When you delete your account all the data is deleted.

Access to data

Consent Kit staff are granted access to systems and data based on their role in the company or on an as-needed basis. SSO and 2FA are used to ensure access is as secure as possible.

Access to customer data by Consent Kit staff is only used to assist with support and to resolve customer issues.

When working on a support issue we do our best to respect your privacy as much as possible and only access the minimum data needed to resolve your issue.

Network and application level security monitoring and protection

We use a third party tool called Sqreen to monitor and protect our infrastructure and application from various threats and to log when these attacks occur.

Sqreen provides us with:

  • Infrastructure protection from automated scanners, bots and targeted attacks. It blocks attacks and alerts in case of critical threats.
  • Protection against data breaches by monitoring and blocking brute force attacks.
  • Automatic monitoring of suspicious behaviours with regards to user accounts. We can react fast in case of account takeovers to protect customers against data theft by blocking credential stuffing or brute force attacks.
  • A runtime protection system that identifies and blocks OWASP Top 10 and business logic attacks in real-time.
  • Security monitoring that allows us to get visibility into our application security, identify attacks and respond quickly to a data breach. Security events are logged and notifications are sent in case of critical attacks to allow for fast remediation.

Sqreen is also deeply integrated into our application helping us protect against the most critical attack categories like SQL injections, cross-site scripting and adds security headers to our application. It blocks attacks in real-time and warns us when attackers start stressing our application.

Communications Security

All Consent Kit’s web application communications are sent using Postmark and are encrypted TLS ensuring messages are encrypted in transit to remote mail servers and ISPs who support TLS.

All our Postmark servers are set up to use DKIM , SPF , and DMARC , allowing us to control our domain’s reputation, reducing the risk of email spoofing and ensuring a high deliverability rate.

How we keep our code secure

Vulnerability management

All vulnerabilities are managed and tracked through a defined set of stages. Once a vulnerability is detected, it is assigned a score, using the CVSS scoring system.

We have an internal SLA that stipulates deadlines for fixing vulnerabilities.

If necessary, a post-mortem is arranged as a learning exercise for our whole company to improve security.

Automatic static code analysis

When code is committed to GitHub, our continuous integration process automatically initiates a series of tests. One such test is automatic static code analysis, configured to find vulnerabilities both in the code and within its dependencies.

Our security monitoring tool also detects vulnerable or out of date dependencies within the application on the server.

Quality Assurance (QA)

Once the code is ready to be tested, it is deployed to our staging environment. This environment is a downscaled version of the production infrastructure and does not contain any production data. Quality assurance is performed in a different domain name to ensure complete separation from production.

We use agile user stories to break up work and these are ranked in importance and risk. All high value and risk stories are reviewed by other members of the team on its own stand-alone Heroku Review App.

Secure software development life cycle (SDLC)

Security is part of our SDLC and influences the product roadmap and specific features. We implement the philosophy of “security by design” where security features are embedded in the product design to ensure, to the best of our abilities, that existing and new functionalities are free of vulnerabilities.

How we secure our business

Mobile device management

All hardware devices (desktops, laptops, phones) that Consent Kit staff use are encrypted to ensure that if stolen or lost they do not present a security risk.

Password managers and policy

To ensure an acceptable level of password security, we have an existing password policy in place. Passwords that are too generic are not allowed while the use of unique passwords per website is strongly advised. We also encourage the use of password managers, for example 1Password, that help make it easier and safer for you to keep track of your credentials.

Multi-factor authentication

The use of multi-factor authentication (MFA) is enforced throughout the main services Consent Kit relies on. MFA is also encouraged by Consent Kit.

MFA is also mandatory for Heroku and GitHub access.

Credit Card Security

When you purchase a paid Consent Kit subscription, your credit card data is not transmitted through nor stored on our systems. All of Consent Kit’s credit card processing is handled securely by Stripe.

Any card data is transmitted to stripe via encrypted HTTPS

Stripe is certified to PCI Service Provider Level 1 — the most stringent level of certification available. You can read more about their privacy and security policies.

Have questions or feedback? Feel free to reach out to us at

Get help

Can't find what you are looking for?