Discuss is compliant with the California Consumer Privacy Act (CCPA), the most stringent data privacy law in the United States. Discuss does not sell your personal information or your end users' personal information, and therefore does not offer an opt-out from the sale of personal information.
Discuss is compliant with the Children's Online Privacy Protection Act of 1998, which prohibits unfair or deceptive acts with the collection, use, and/or disclosure of personal information from and about children on the Internet.
- Product Security
- Audit Logs
Discuss maintains visibility and accountability through a centralized logging system that captures system and infrastructure activity. Log records are securely stored and readily accessible for compliance and auditing purposes. By reviewing this activity, Discuss can identify and address potential security threats before they affect customers.
Discuss.io offers role-based access control, allowing organization administrators and project owners to assign and restrict user access based on their specific roles and responsibilities. This helps ensure that users only have access to the data and features necessary for their tasks, enhancing overall security and data protection.
- Data Security
- Data Encrypted At-Rest
All data at rest is stored in Amazon Web Services RDS, ElastiCache, and S3, each configured with standard AWS encryption at rest (AES-256). Passwords are not stored in recoverable form: the database holds only a one-way, salted bcrypt hash of each password, so the plaintext cannot be recovered from the stored value.
- Data Encrypted In-Transit
All traffic is encrypted in transit using TLS 1.2, protecting customers' sensitive information from interception or tampering on the network.
Discuss.io maintains project data for three years and automatically deletes respondent data, including PII, after six months, ensuring compliance with data retention policies while safeguarding participant privacy and supporting repeat participation tracking. If you require custom data retention for your projects, please contact your account manager who will be happy to assist and accommodate your needs.
- Incident Management & Response
- Data Breach Notification
At Discuss.io, we prioritize effective incident management and response, ensuring rapid identification, containment, and resolution of security events. Our dedicated team follows a comprehensive Incident Response Plan (IRP) to minimize the impact of any incidents and safeguard customer data.
- Incident Response Plan (IRP)
Discuss.io's Incident Response Plan (IRP) is designed to provide a structured and effective approach to handling security incidents. It outlines the roles, responsibilities, and procedures required to address potential threats, ensuring swift action, clear communication, and continuous improvement to protect our customers and their data.
- Availability & Reliability
- Data Redundancy
Discuss.io stores data redundantly across multiple AWS Availability Zones, preserving data integrity and continuous accessibility during disruptions.
- Infrastructure Redundancy
Discuss.io maintains infrastructure redundancy to ensure service availability and minimize the risk of data loss, utilizing multiple availability zones and backup mechanisms to safeguard against system failures and disruptions.
- Organizational Security
- Confidentiality Agreements
All employees, contractors, and contingent workers are required to sign confidentiality agreements before accessing sensitive customer data. These agreements emphasize the importance of protecting customer data and ensure that team members understand their obligations in safeguarding this information.
- Employee Background Checks
To ensure the trustworthiness of our team members, Discuss conducts background checks on all employees, contingent workers, and contractors as permitted by law. This process includes verification of employment history, education, and criminal records.
- Business Continuity
- Business Continuity Plan
We maintain Business Continuity Plans (BCPs) to minimize disruptions and ensure a timely and orderly recovery of business processes, operations, and technology components.
- Disaster Recovery Plan
Our disaster recovery strategy encompasses comprehensive recovery procedures, designed to minimize downtime and swiftly restore system functionality in the face of unforeseen events.
- Multi-Tenant Architecture
We employ a multi-tenant architecture designed to optimize efficiency while ensuring the security and privacy of our clients' data. This approach enables us to serve multiple customers on a single platform, with strict data segregation and access controls in place. Discuss separates Customer Data using logical identifiers: each record is tagged with a unique customer identifier that establishes its ownership. The Discuss API is designed and built to allow access only to Customer Data bearing the requesting customer's tag, so one customer cannot access another customer's Customer Data.
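The control described above lives or dies on one rule: the tenant identifier in every query comes from the authenticated session, never from the request. The following is an added example, not Discuss.io's code; the table layout, function names, session model and sample rows are constructed for illustration, and an in-memory SQLite database stands in for the production datastore so it runs offline.

```python
# Added example (not Discuss.io's code): tenant-scoped data access. The
# customer identifier is bound to the session at login and applied to every
# read and write. Schema, names and sample rows are constructed here.
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    customer_id: str  # set from the identity provider at login, not from the request


def make_db() -> sqlite3.Connection:
    """Two tenants, three projects (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE projects ("
        "id INTEGER PRIMARY KEY, customer_id TEXT NOT NULL, name TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO projects VALUES (?, ?, ?)", [
        (1, "cust-A", "Brand study"),
        (2, "cust-B", "Concept test"),
        (3, "cust-A", "Pricing interviews"),
    ])
    conn.commit()
    return conn


def _row(row):
    return None if row is None else {"id": row[0], "customer_id": row[1], "name": row[2]}


def get_project_unscoped(conn, project_id):
    """Vulnerable pattern: lookup by id alone. Any authenticated user who
    guesses an id reads another tenant's row."""
    return _row(conn.execute(
        "SELECT id, customer_id, name FROM projects WHERE id = ?",
        (project_id,)).fetchone())


def get_project(conn, session, project_id):
    """Hardened: the tenant predicate is part of the query itself. A foreign
    row and a missing row both yield None, so the endpoint cannot be used to
    probe which ids exist in other tenants."""
    return _row(conn.execute(
        "SELECT id, customer_id, name FROM projects "
        "WHERE id = ? AND customer_id = ?",
        (project_id, session.customer_id)).fetchone())


def list_projects(conn, session):
    rows = conn.execute(
        "SELECT id, customer_id, name FROM projects WHERE customer_id = ? ORDER BY id",
        (session.customer_id,)).fetchall()
    return [_row(r) for r in rows]


def rename_project(conn, session, project_id, new_name) -> bool:
    """Writes carry the same predicate; rowcount reveals whether anything matched."""
    cur = conn.execute(
        "UPDATE projects SET name = ? WHERE id = ? AND customer_id = ?",
        (new_name, project_id, session.customer_id))
    conn.commit()
    return cur.rowcount == 1


def create_project(conn, session, name) -> int:
    """The ownership tag is taken from the session; a customer_id supplied in
    the request body would simply be ignored."""
    cur = conn.execute(
        "INSERT INTO projects (customer_id, name) VALUES (?, ?)",
        (session.customer_id, name))
    conn.commit()
    return cur.lastrowid


if __name__ == "__main__":
    db = make_db()
    bob = Session("bob", "cust-B")
    print(get_project_unscoped(db, 1))   # leaks cust-A's row
    print(get_project(db, bob, 1))       # None: scoped lookup refuses it
```

A useful audit of an API built this way is to grep for every query against a tenant-owned table and confirm the `customer_id` predicate is present and sourced from the session object; any query that accepts it from path, query string or body is a cross-tenant access bug waiting to be found by a penetration test.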
- ISO 27001 - Data Center
The Discuss platform is hosted on Amazon Web Services ("AWS") in the United States of America and protected by the security and environmental controls of Amazon. The production environment within AWS where the Discuss platform and Customer Data are hosted is logically isolated in a Virtual Private Cloud (VPC). Customer Data stored within AWS is encrypted at all times. AWS does not have access to unencrypted Customer Data. More information about AWS security is available at https://aws.amazon.com/security/ and https://aws.amazon.com/compliance/shared-responsibility-model/. For AWS SOC Reports, please see https://aws.amazon.com/compliance/soc-faqs/
- Threat Management
- Penetration Testing
We take proactive measures to identify and address potential vulnerabilities in our platform by regularly conducting comprehensive penetration testing. Any security gaps are promptly remediated, protecting our customers' data and maintaining the integrity of our platform.
- Vulnerability Scanning
Vulnerability scans (authenticated and unauthenticated) and penetration tests are performed against internal and external networks and applications on production systems that process, store, or transmit Customer Data.