Security

Introduction

We take security and privacy seriously and follow standard practices for hosting, encryption, and access control to keep your customer data protected.

Infrastructure Overview

All of BetterFeedback's application and data infrastructure is hosted across multiple providers, including OVH Cloud (Poland), Hetzner GmbH (Germany) and Vercel (Global). These platforms offer highly scalable cloud computing solutions with robust security and privacy features built in.
For more specific details regarding the security measures of these providers, please refer to the following resources:

Virtual Private Cloud

All our infrastructure is within our virtual private cloud (VPC) with production access restricted to operations support staff only. This allows us to leverage complete firewall protection, private IP addresses and other security features.

Data

Customer data is stored in multi-tenant datastores. We have individual datastores for each customer. The data is stored in Germany.

AI Processing

BetterFeedback uses AI to generate follow-up questions during surveys and to classify response sentiment after completion. AI processing is performed via the OpenAI API.
Training data. Survey content sent to the OpenAI API is not used to train OpenAI models. This is the default OpenAI API policy and applies to all our API calls. See OpenAI's data usage policy for current terms, including OpenAI's standard 30-day retention for abuse monitoring.
What is sent to OpenAI:
  • The survey question text and survey goal (configured by the merchant)
  • The customer's response text and the conversation history within that single response
  • An anonymous response identifier (UUID) used by OpenAI for abuse monitoring
What is not sent to OpenAI:
  • Customer email addresses
  • Shopify order details (order ID, products, totals)
  • Payment information
  • Merchant account credentials
Free-text responses. Customer responses are sent to OpenAI as provided. If a customer voluntarily types personal information (for example, their email address) into a free-text answer, that information will be transmitted as part of the response text. Merchants are advised not to design surveys that solicit personal information in free-text fields.
AI outputs. AI-generated follow-up questions are displayed to the survey respondent during the conversation. Sentiment classifications and AI Insights derived from responses are visible only to the authenticated merchant operating the survey.

Encryption

All data sent to or from BetterFeedback is encrypted in transit using 256-bit encryption. Our API and application endpoints are TLS/SSL only and score an "A+" rating on Qualys SSL Labs' tests. This means we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled. We also encrypt data at rest using the industry-standard AES-256 encryption algorithm.

Permissions and Authentication

Access to customer data is limited to authorized employees who require it for their job. BetterFeedback is served 100% over HTTPS. BetterFeedback runs a zero-trust corporate network: being on BetterFeedback's network grants no access to corporate resources and no additional privileges. We have 2-factor authentication (2FA) and strong password policies on GitHub, Google, and BetterFeedback to ensure access to cloud services is protected.

PCI Compliance

We do not store or collect your payment card details (full card number, CVV). That sensitive information is handled entirely by our third-party Merchant of Record and payment processor, Paddle. Paddle is responsible for processing your payment information and is required to adhere to the standards set by PCI-DSS (Payment Card Industry Data Security Standard). This standard, managed by the PCI Security Standards Council, ensures the secure handling of payment data globally.
Paddle's Privacy Policy can be viewed at: https://www.paddle.com/legal/privacy