Trust centre
Compliance
-
General Data Protection Regulation (GDPR) Compliance
We comply with the General Data Protection Regulation (GDPR), ensuring that user data is collected, stored, and processed with the highest level of privacy and security.
-
ISO 27001 Information Security Management Certification
We are ISO 27001 certified, demonstrating our commitment to information security management practices and ensuring that our systems are secure and compliant with international standards.
-
ISO 9001 Quality Management Certification
We are ISO 9001 certified, confirming our commitment to quality management systems and continuous improvement across all our operations.
Infrastructure security
-
Secure EU-based data centre
Our services are hosted securely in the European Union, providing enhanced privacy protections under GDPR.
-
Amazon Web Services (AWS) cloud security
AWS provides a secure, scalable, and reliable environment for hosting our services. We leverage AWS’s robust security features to ensure our infrastructure remains protected from threats.
-
End-to-end data encryption
All data, both at rest and during transmission, is encrypted using industry-standard protocols to protect user privacy and prevent unauthorised access.
-
Firewall protection and DDoS mitigation
We use firewalls and DDoS protection mechanisms to defend against unauthorised access and to protect our platform from malicious traffic and disruptions.
-
Daily data backups
We perform daily backups of all data to ensure business continuity and provide data recovery in case of accidental loss or system failures.
Application security
-
Continuous vulnerability scanning
Our systems are actively scanned for vulnerabilities to identify and address potential security risks before they can be exploited.
-
Prompt security updates and patch management
We ensure prompt application of security updates and patches, addressing vulnerabilities in a timely manner and consistent with Cyber Essentials requirements.
-
Annual penetration testing
We are subject to an annual penetration test to evaluate the effectiveness of our security defences and identify potential weaknesses that could be exploited by attackers.
-
Secure software development policy
Our development process follows security best practices to ensure that security is built into every stage of our product lifecycle, from design to deployment.
-
Secure authentication
Online Surveys uses a secure authentication process, issuing a single-use URL to users via email for login. For users with multi-factor authentication (MFA) enabled on their email client, this adds an extra layer of protection for accessing Online Surveys.
Organisational security
-
Information Security Management System (ISMS)
Jisc operates an ISMS, which integrates key processes and policies used to manage the security of Online Surveys and other Jisc services. This system ensures that security risks are consistently identified, assessed, and mitigated across all areas of operation.
-
Comprehensive information security policy
Our Information Security Policy outlines the security measures and practices followed within our organisation to protect data and systems.
-
Secure working practices policy
Our secure working practices policy provides guidelines on safe handling of data, remote working security, and the protection of physical and digital assets.
-
Business continuity and disaster recovery plan
We have a well-defined disaster recovery plan to ensure that in the event of a disaster, we can quickly restore operations and minimise downtime.
-
Access control on a least-privilege basis
Physical, logical, application, and network access control for all Jisc-managed systems that hold personal data is managed on a least-privilege, need-to-know basis, ensuring that only authorised personnel have access to sensitive data.
-
Employee information security and data protection training
All employees receive regular training on data protection and information security, covering secure data handling, phishing awareness, and compliance with data protection laws to ensure they effectively safeguard user data.
-
Staff confidentiality agreement
All new staff at Jisc, including casual staff, are provided with a contract of employment that includes a confidentiality clause to ensure the protection of sensitive information and data.
Incident response
-
Incident response plan
We have a well-defined incident response plan that outlines the steps we take to identify, contain, and resolve security incidents, ensuring minimal impact on our users.
-
Security breach notification policy
In the unlikely event of a data breach, we commit to notifying affected users promptly and transparently, in accordance with applicable data protection laws.