Every survey runs through TLS 1.3, lands in AES-256 storage, and ignores personal identifiers on purpose. Respondents stay anonymous, institutions keep control, and our team treats every change like it could page us at 2 a.m.
The teams that depend on us asked for specifics, so here’s what we actually do.
Traffic stays on TLS 1.3 from browser to database. Once it arrives, the payload is stored with AES-256, and every backup copy is encrypted before it leaves the primary cluster.
Only institution admins you approve can see dashboards, and even then they only see aggregate data. Credentials are hashed with bcrypt, and we rate-limit anything that looks like a spray attack.
Code ships only after passing static analysis, dependency scanning, and review by someone who didn’t write it. Runtime guards handle the rest.
Production lives in a hardened cloud environment with monitoring that actually escalates to humans. We patch weekly and practice restores instead of assuming they work.
The product was built to collect trends, not dossiers. We removed every temptation to store personal data, and we review new features with that lens before any work begins.
Billing runs entirely through Stripe. We never touch card numbers; we just get notified that the invoice cleared or needs attention.
We maintain the certifications our customers’ legal teams ask about and document every control so audits move quickly.
We sign Business Associate Agreements, keep audit logs for the required six years, and restrict PHI to encrypted stores behind role-based access.
Student data never leaves the institution boundary, and our agreements include the required FERPA language for districts and universities.
Data Processing Agreements, sub-processor lists, and erasure workflows are in place. Requests are handled within the statutory timelines.
Independent auditors review our controls annually. We share the latest report and bridge letter under NDA.
Consumer requests flow through the same response pipeline as GDPR, with documented SLAs and internal ticketing.
Stripe maintains PCI DSS Level 1 compliance; we scope ourselves out of storing or transmitting cardholder data altogether.
Quarterly penetration tests, monthly internal reviews, and ticketed remediation keep findings from lingering. Summaries are available to customers.
Sessions live in HttpOnly, SameSite=Strict cookies. Tokens are 48 characters long, rotate on login, and expire after 24 hours of inactivity.
PostgreSQL runs with prepared statements only, each institution lives in its own schema, and connections require TLS with client certificates.
APIs accept JSON over HTTPS, validate payloads before touching the database, and apply token-based auth plus per-route rate limits.
Responses include CSP, HSTS, X-Frame-Options, X-Content-Type-Options, and a tight Permissions-Policy to cut off unused browser features.
Password requirements include complexity checks, bcrypt hashing with per-user salts, and reset links that expire after 30 minutes.
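As an added illustration (not WellPulse's own code), the following Python sketches the session policy stated above: a 48-character token drawn from a CSPRNG, rotation on login, a 24-hour inactivity window, single-use reset links that die after 30 minutes, and the cookie attributes. The in-memory store, the injected clock and the extra Secure flag are assumptions made for the example; bcrypt password hashing is deliberately left out.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Policy values taken from the statements above; the code around them is a
# constructed illustration, not the platform's implementation.
TOKEN_CHARS = 48
IDLE_TIMEOUT = 24 * 60 * 60      # seconds without a request before a session dies
RESET_TTL = 30 * 60              # seconds a password-reset link stays valid


def new_token() -> str:
    # 36 random bytes encode to exactly 48 URL-safe base64 characters (no padding).
    token = secrets.token_urlsafe(36)
    assert len(token) == TOKEN_CHARS
    return token


@dataclass
class Session:
    user_id: str
    last_seen: float  # epoch seconds of the most recent authenticated request


@dataclass
class SessionStore:
    # Server-side state only; the browser ever holds just the opaque token.
    sessions: dict = field(default_factory=dict)
    reset_links: dict = field(default_factory=dict)

    def login(self, user_id: str, now: float,
              presented_token: Optional[str] = None) -> str:
        # Rotate on login: whatever token the browser presented is invalidated
        # before a fresh one is issued, so a pre-login token never survives.
        if presented_token is not None:
            self.sessions.pop(presented_token, None)
        token = new_token()
        self.sessions[token] = Session(user_id, now)
        return token

    def resolve(self, token: str, now: float) -> Optional[str]:
        # Sliding inactivity window: each successful lookup refreshes last_seen.
        session = self.sessions.get(token)
        if session is None:
            return None
        if now - session.last_seen > IDLE_TIMEOUT:
            del self.sessions[token]
            return None
        session.last_seen = now
        return session.user_id

    def logout(self, token: str) -> None:
        self.sessions.pop(token, None)

    def issue_reset(self, user_id: str, now: float) -> str:
        token = new_token()
        self.reset_links[token] = (user_id, now + RESET_TTL)
        return token

    def redeem_reset(self, token: str, now: float) -> Optional[str]:
        # Single use: the link is removed whether it turns out valid or expired.
        entry = self.reset_links.pop(token, None)
        if entry is None:
            return None
        user_id, expires_at = entry
        return user_id if now <= expires_at else None


def session_cookie(token: str) -> str:
    # Secure is assumed on top of the two flags named above; together they keep
    # the token out of scripts, off plain HTTP and off cross-site requests.
    return f"session={token}; Path=/; HttpOnly; Secure; SameSite=Strict"
```

The store keys on the raw token because 36 random bytes are not guessable; a production deployment would persist the table and index it, but the rotation and sliding-expiry rules stay the same.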
Audit logs capture admin actions, authentication events, exports, and configuration changes. Entries are append-only and reviewable by customers.
Multi-tenant architecture keeps institution data isolated. Cross-tenant requests are blocked at the application layer and the database.
Dependencies are patched weekly, GitHub Advanced Security scans every pull request, and we track CVEs until the fix is proven, not just merged.
Feedback works only if respondents feel invisible. We engineered the platform so we can’t trace a response back to a person even if we wanted to.
We record answers, location ID, and timestamp. That’s it. We don’t store names, emails, IP addresses, device IDs, or browser fingerprints, so there is nothing to deanonymize later.
Survey responses contain only the answers to wellness questions and the location where the survey was taken. No names, emails, IP addresses, or any identifiable information is collected or stored.
We don't use cookies to track survey respondents. We don't log IP addresses. We don't fingerprint devices. Each survey response is a standalone data point with no connection to any individual.
All analytics show aggregated, anonymized data. Administrators see trends, averages, and patterns—never individual responses or identifiable information.
We never sell, rent, or share survey data with anyone. Your institution's aggregate data belongs to you and stays with you. No exceptions.
Export your institution's aggregate analytics at any time in standard formats (CSV, PDF). The exported data contains only anonymized, aggregated statistics.
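To make the data-layer claims concrete (per-institution isolation and prepared statements from the architecture notes above, and aggregate-only analytics and exports from this section), here is an added Python example that is not the platform's code. It uses in-memory SQLite as a stand-in for PostgreSQL, so an institution_id column takes the place of a per-institution schema; the two question columns, the sample scores and the CSV layout are constructed for the illustration.

```python
import csv
import io
import sqlite3
from datetime import datetime, timezone
from typing import Optional

# In-memory SQLite stands in for PostgreSQL (constructed example). SQLite has no
# per-tenant schemas, so an institution_id column plays that role here; the
# application-layer rules are the same either way.


def open_store() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE responses (
               institution_id TEXT NOT NULL,
               location_id    TEXT NOT NULL,
               recorded_at    TEXT NOT NULL,
               q1 INTEGER NOT NULL CHECK (q1 BETWEEN 1 AND 5),
               q2 INTEGER NOT NULL CHECK (q2 BETWEEN 1 AND 5))"""
    )
    return db


def record_response(db, institution_id, location_id, q1, q2, now=None):
    # The row has no column for a name, e-mail, IP or device identifier, so
    # there is nothing for a later query to join back to a person.
    ts = (now or datetime.now(timezone.utc)).isoformat()
    db.execute(
        "INSERT INTO responses VALUES (?, ?, ?, ?, ?)",
        (institution_id, location_id, ts, q1, q2),
    )


def location_summary(db, session_institution, location_id) -> Optional[dict]:
    # The tenant comes from the authenticated session, never from the request,
    # every value is bound as a parameter, and the only figures returned are a
    # count and averages; no code path hands back individual rows.
    count, avg1, avg2 = db.execute(
        """SELECT COUNT(*), AVG(q1), AVG(q2) FROM responses
           WHERE institution_id = ? AND location_id = ?""",
        (session_institution, location_id),
    ).fetchone()
    if count == 0:
        # An unknown location and another tenant's location look identical.
        return None
    return {"location_id": location_id, "responses": count,
            "q1_avg": round(avg1, 2), "q2_avg": round(avg2, 2)}


def export_csv(db, session_institution) -> str:
    # The export is built from the same aggregate query, scoped to one tenant.
    rows = db.execute(
        """SELECT location_id, COUNT(*), AVG(q1), AVG(q2) FROM responses
           WHERE institution_id = ? GROUP BY location_id ORDER BY location_id""",
        (session_institution,),
    ).fetchall()
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["location_id", "responses", "q1_avg", "q2_avg"])
    for location_id, count, avg1, avg2 in rows:
        writer.writerow([location_id, count, round(avg1, 2), round(avg2, 2)])
    return out.getvalue()
```

Because the institution filter is applied inside every query rather than checked once at the edge, a location identifier that belongs to another tenant simply yields an empty aggregate. One addition the page does not mention but many deployments adopt is a minimum response count below which averages are withheld, since a location with a single response is its own individual.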
Institution administrators can delete locations, surveys, or their entire account at any time. Deletion is permanent and irreversible. Survey respondents have nothing to delete—we never collected their personal information.
True anonymity encourages honest feedback. When people know their responses cannot be traced back to them—not by their employer, not by administrators, not even by us—they provide more accurate and valuable insights. This is privacy-first design at its core.
All data transmitted between your browser and our servers is encrypted using TLS 1.3, the same technology banks use. Data stored in our databases is encrypted at rest using AES-256 encryption.
Your data is stored in secure, SOC 2-certified data centers in the United States. We can accommodate specific data residency requirements for enterprise customers.
Strict role-based access control ensures users can only access data within their own institution. Administrators have granular control over user permissions.
Complete audit logs track all data access, modifications, and administrative actions. Logs are tamper-proof and retained for compliance purposes.
Automated daily backups with 30-day retention. Point-in-time recovery available. Backups are encrypted and stored in geographically separate locations.
24/7 security monitoring with automated threat detection. Dedicated incident response team ready to respond to any security concerns.
We welcome and encourage security researchers to report potential vulnerabilities. If you discover a security issue, please report it responsibly.
Email: security@wellpulse.org
We commit to responding within 48 hours and will work with you to understand and address the issue promptly.
We use Stripe for all payment processing. Stripe is PCI DSS Level 1 certified (the highest level). Your credit card information never touches our servers—it goes directly to Stripe's secure infrastructure.
Absolutely not. Survey responses are 100% anonymous by design. We don't collect names, email addresses, IP addresses, device identifiers, cookies, or any information that could identify individual respondents. It is technically impossible for anyone—administrators, our team, or even law enforcement—to determine who submitted a specific response. Only the answers, location, and timestamp are recorded.
Only authorized administrators within your institution can access your aggregated analytics. Individual responses are never shown—only trends, averages, and statistics. Our multi-tenant architecture ensures complete data isolation between organizations. Even our support team cannot access your data without explicit permission.
We conduct internal security reviews monthly and engage third-party security firms for comprehensive penetration testing quarterly. Our code undergoes automated security scanning with every deployment.
We have a comprehensive incident response plan. However, because survey responses contain zero personal information, a breach would only expose aggregated wellness statistics—no individual identities could be compromised. Institution administrator accounts are protected with encryption and multi-factor authentication.
Anonymous survey responses are retained as long as your institution's account is active. Institution administrators can delete individual surveys, locations, or their entire account at any time. After account deletion, all data is permanently removed within 30 days. Survey respondents have no data to delete—we never collected their personal information.
Absolutely not. Your institution's aggregate wellness data is never used for machine learning, AI training, sold to third parties, or used for any purpose other than providing the wellness monitoring service you signed up for.
Yes! Institution administrators can export all aggregate analytics at any time through the dashboard. Exports include anonymized survey statistics, wellness trends, and location-level insights in CSV and PDF formats. No personally identifiable information is included because none is collected.
Only survey answers, location ID, and timestamp. That's it. No names, no emails, no phone numbers, no IP addresses, no cookies, no device fingerprints, no user accounts. Survey respondents remain completely anonymous—we have zero ability to identify who they are.
Our team is here to answer any security or compliance questions you may have.