Discuss.io Security and Data Privacy

GDPR & ISO 27001

Data privacy and information security are top priorities at Discuss.io. We follow industry best practices in data collection and storage and have robust business processes in place to prevent unauthorized access, modification, or removal of data. We are GDPR-compliant and ISO-27001 certified.

Server and Database Hosting and Encryption

Our application servers and databases are hosted on Amazon Web Services. Data is stored in Virginia, USA. We are a member of the EU-US and Swiss-US Privacy Shield program governing the transfer of data outside the European Economic Area. Privacy Shield was the subject of a recent court ruling, which impacted thousands of tech companies working in the EU. We remain compliant with the guidelines of Privacy Shield and will work to provide new agreements and methods that give our clients and research participants the privacy and security they deserve.

Live video conversations are served from a network of data centers, selected in real time to maximize the streaming experience and minimize latency. Regional media zones are in place to prevent streaming data from leaving the EU or US in case of a failover event.

All data is encrypted in transit and at rest. 

Meeting Room Privacy

Our meeting room is designed with privacy in mind. Role-based permissions, authentication requirements, a waiting room, and moderator controls prevent unauthorized access and inappropriate activity within the meeting room.

Observer session links are encrypted to prevent unauthorized viewing of sessions. 

Moderators must be logged into the platform and have access to the project in order to join a meeting room. Translators must also be logged in.

Respondents do not have to be registered users of Discuss.io to join a meeting room. We gather active consent to our terms of service and privacy policies prior to allowing them to join a meeting room. The consent of all meeting attendees is stored and auditable per GDPR requirements.

Meeting Room Controls

Moderators choose which respondents to invite into the meeting room, preventing unauthorized access. Moderators also control who is allowed to share their screen, and only moderators and technical support can display stimuli and manage the interactive whiteboard. 

Long-running meeting rooms are automatically closed to prevent unauthorized access, and video recordings are only available to authenticated, authorized users.

Data Collection

We collect first name, email, phone number, and IP for respondents. This information is used to filter appropriate people into marketing studies and to connect with them for a specific meeting. The data is purged after the project is completed.

Data Processing

If a meeting moderator records their interview, the following data may be recorded:

  • User’s webcam, including face
  • Audio
  • Screensharing
  • Visual / auditory stimuli 
  • Whiteboard responses
  • Group and private chat messages

Customers may then conduct further processing on their interview data, including:

  • Viewing or downloading machine or human transcripts
  • Video clipping and editing
  • Highlight reel creation
  • Viewing and exporting answers to discussion guide questions across an interview or a project
  • Viewing, completing, and exporting Key Takeaways answers after an interview or a project
  • Sharing or exporting full video recordings, video clips, or highlight reels
  • Uploading a final report with project learnings
  • Importing related video recordings for inclusion in the project

Single Sign-On (SSO)

We integrate with all single sign-on (SSO) identity providers using the SAML 2.0 protocol to put account provisioning, de-provisioning, and password protection in the hands of clients.

Proactive Monitoring and Alerting

We have proactive logging, monitoring and alerting processes in place to detect attempted fraud, malicious behavior, and system errors. This allows us to instantly act on emerging issues, ensuring business continuity and security. 

Access Control

Users are in control of who has access to their projects and project materials. We support team-level and project-level access with role-based access controlled by the project owner. Project owners also manage project privacy, allowing them to share insights with their larger organization or keep findings private to a core team. 

Data Retention

In general, we store project data, such as video recordings, transcripts, highlight reels, stimuli, and reports, for a period of 3 years, or as directed by customer organizational administrators. Respondent data, including respondent profiles and personal information, is deleted automatically at the completion of the project.

Pseudonymization

When the country of a meeting room is set to Germany, names and phone numbers are automatically anonymized in the meeting room. German market researchers are reminded to gather consent before turning recording on, and to inform German data subjects that they should not say their names or other identifying information in the interview.

German video recordings are automatically blurred in post-processing, preventing the identification of respondents but retaining the analysis and insights features associated with the recordings. 

Any project owner working in any country can choose to have their recordings blurred to prevent identification via a setting in their project’s Settings page. Once a video is blurred, the blurring cannot be reversed.

Voice modulation in recordings is also available to further protect respondent privacy.

Schedule a demo with someone from our team to learn more about our industry-leading security and data protection capabilities.
