Discuss Security and Data Privacy

Keeping your data secure, private, and compliant is a top priority at Discuss. Our People Experience Platform not only helps you turn experience into insights but also delivers peace of mind with a secure and privacy-centric approach.

Security Page Hero Image

Delivering Industry-Leading Security Best Practices

ISO

ISO - 27001

Discuss has maintained the ISO 27001 certification since 2019. We continue to demonstrate our commitment to the highest level of trust and have shown our ability to comply with the most stringent international standards and reaffirm the importance of data and privacy protection.

gdpr

GDPR

Our legal and information security teams have carefully analyzed the General Data Protection Regulation (GDPR) and have undertaken the necessary steps to ensure compliance. Discuss also offers processes to protect respondents' data from video blurring and audio distortion to personal data anonymization, and custom data retention rules.

ccpa

CCPA

We are compliant with the California Consumer Privacy Act (CCPA), the most stringent data privacy law in the United States. Discuss does not sell your personal information or your end users’ personal information, and therefore do not offer an opt-out to the sale of personal information.

coppa

COPPA

Discuss is compliant with the Children's Online Privacy Protection Act of 1998, which prohibits unfair or deceptive acts with the collection, use, and/or disclosure of personal information from and about children on the Internet.

Take control of your data security

Access Control

Users are in control of who has access to their projects and project materials. We support team-level and project-level access with role-based access controlled by the project owner. Project owners also manage project privacy, allowing them to share insights with their larger organization or keep findings private to a core team.

Anonymization

Any project owner working in any country can choose to have their recordings blurred to prevent identification via a setting in their project’s Settings page. Once a video is blurred, it cannot be reversed. Voice modulation in recordings is also available to further protect respondent privacy.

Data Retention

In general, we store project data like video recordings, transcripts, highlight reels, stimuli, and reports, for a period of three years, or as directed by customer organizational administrators. Respondent data, including PII, is deleted automatically after six months to allow for tracking of repeat participations.

Single Sign On

We integrate with all single sign on (SSO) identity providers using the SAML 2.0 protocol to put account provisioning, de-provisioning, and password protection in the hands of clients.

Privacy Controls

Our meeting room is designed with privacy in mind. Role-based permissions, authentication requirements, a waiting room, and moderator controls prevent unauthorized access and inappropriate activity within the meeting room.

Platform Security and Management

Data Hosting & Encryption

To ensure the integrity and confidentiality, all data is encrypted in transit and at rest using HTTPS. Our application servers and data is hosted on Amazon Web Services and stored in Viginia, USA.

Data Breach Management

We have a protocol in place for how to keep your data safe and secure if something goes wrong.

Proactive Monitoring and Alerting

Our meeting room is designed with privacy in mind. Role-based permissions, authentication requirements, a waiting room, and moderator controls prevent unauthorized access and inappropriate activity within the meeting room.

Reliability and Backup

We use AWS automated backups and manual snapshots to prevent data loss before significant infrastructure change events.

Disaster Recovery

Our recovery plans identify the resources and specify actions required to help minimize losses in the event of service disruption.

Auditing

Annually, Discuss conducts an independent third-party review of its security policies, standards, operations, and procedures related to the Services provided to Customers

Server and Database Hosting and Encryption

Our application servers and databases are hosted on Amazon Web Services. Data is stored in Virginia, USA. Live video conversations are served from a network of data centers, selected in real time to maximize the streaming experience and minimize latency. Regional media zones are in place to prevent streaming data from leaving the EU or US in case of a failover event.

All data is encrypted in transit and at rest. 

Meeting Room Privacy

Our meeting room is designed with privacy in mind. Role-based permissions, authentication requirements, a waiting room, and moderator controls prevent unauthorized access and inappropriate activity within the meeting room.

Observer session links are encrypted to prevent unauthorized viewing of sessions. 

Moderators must be logged into the platform and have access to the project in order to join a meeting room. Translators must also be logged in.

Respondents do not have to be registered users of Discuss to join a meeting room. We gather active consent to our terms of service and privacy policies prior to allowing them to join a meeting room. The consent of all meeting attendees is stored and auditable per GDPR requirements.

Meeting Room Controls

Moderators choose which respondents to invite into the meeting room, preventing unauthorized access. Moderators also control who is allowed to share their screen, and only moderators and technical support can display stimuli and manage the interactive whiteboard. 

Long-running meeting rooms are automatically closed to prevent unauthorized access, and video recordings are only available to authenticated, authorized users.

Data Collection

We collect first name, email, phone number, and IP for respondents.  This information is used to filter appropriate people into marketing studies, and connect with them for a specific meeting. The data is purged after the project is completed.

Data Processing

If a meeting moderator records their interview, the following data may be recorded:

  • User’s webcam, including face
  • Audio
  • Screensharing
  • Visual / auditory stimuli 
  • Whiteboard responses
  • Group and private chat messages

Customers may then conduct further processing on their interview data, including:

  • Viewing or downloading machine or human transcripts
  • Video clipping and editing
  • Highlight reel creation
  • Viewing and exporting answers to discussion guide questions across an interview or a project
  • Viewing, completing, and exporting Key Takeaways answers after an interview or a project
  • Sharing or exporting full video recordings, video clips, or highlight reels
  • Uploading a final report with project learnings
  • Importing related video recordings for inclusion in the project

Single Sign-On (SSO)

We integrate with all single sign on (SSO) identity providers using the SAML 2.0 protocol to put account provisioning, de-provisioning, and password protection in the hands of clients.

Proactive Monitoring and Alerting

We have proactive logging, monitoring and alerting processes in place to detect attempted fraud, malicious behavior, and system errors. This allows us to instantly act on emerging issues, ensuring business continuity and security. 

Access Control

Users are in control of who has access to their projects and project materials. We support team-level and project-level access with role-based access controlled by the project owner. Project owners also manage project privacy, allowing them to share insights with their larger organization or keep findings private to a core team. 

Data Retention

In general, we store project data like video recordings, transcripts, highlight reels, stimuli, and reports, for a period of three years, or as directed by customer organizational administrators. Respondent data, including PII, is deleted automatically after six months to allow for tracking of repeat participation.

Pseudonymization

When the country of a meeting room is set to Germany, names and phone numbers are automatically anonymized in the meeting room. German market researchers are reminded to gather consent before turning recording on, and to inform German data subjects that they should not say their names or other identifying information in the interview.

German video recordings are automatically blurred in post-processing, preventing the identification of respondents but retaining the analysis and insights features associated with the recordings. 

Any project owner working in any country can choose to have their recordings blurred to prevent identification via a setting in their project’s Settings page. Once a video is blurred, it cannot be reversed. 

Voice modulation in recordings is also available to further protect respondent privacy.

Schedule a demo with someone from our team to lean more about our industry leading security and data protection capabilities.

Get A Free Trial of Self Captures!

Click the button below to get a free trial of our unmoderated feedback tool, Self Captures.

discuss_io-self_captures-700x540