Enterprise-Grade Security

Security & Privacy

Anonymous feedback only works if submitters trust you. Here's how we protect anonymity and secure your data at every layer.

Our Security Pledge

We're committed to protecting your data and your submitters' anonymity. No compromises.

Zero Knowledge

We never log IP addresses or track submitters on public feedback forms

Encrypted Always

All data encrypted in transit (TLS 1.3) and at rest (AES-256)

Full Transparency

Open about what we collect, why we collect it, and how we use it

Anonymity Guarantees

How we ensure feedback submitters remain truly anonymous

What We DON'T Collect

  • IP addresses on public feedback forms
  • Browser fingerprints or device IDs
  • Tracking cookies or pixels
  • Location data or GPS coordinates
  • Referrer URLs (where you came from)
  • Session IDs that could identify submitters

What We DO Collect

  • Feedback text and optional star rating
  • Timestamp of submission (date/time only)
  • Browser type (for compatibility, not tracking)
  • Device type (mobile/desktop for UX)
  • Language preference (for translations)
  • Nothing that can identify individuals

Technical Implementation

We've architected our system to make re-identification technically impossible:

  • Feedback submissions go through an anonymization proxy that strips metadata
  • No correlation between submissions; each is treated as independent
  • Database design prevents linking feedback to submitter identity
  • Even our engineers cannot reverse-engineer who submitted what
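To make the "strips metadata" step concrete, here is an added illustration (not feedb.co's own code) of an allow-list anonymizer: only named fields are copied out of the request, so headers such as X-Forwarded-For, Referer and Cookie are never read and cannot reach storage. The request shape, field names, 1-5 rating range and minute-level timestamp truncation are assumptions.

```javascript
// Hypothetical anonymization step; field names and rules are assumptions.
// Only these body fields are ever persisted; anything else is dropped.
const ALLOWED_BODY_FIELDS = ["text", "rating"];

// Coarse browser family only; the raw User-Agent string is never stored.
// Order matters: Edge UAs contain "Chrome/", Chrome UAs contain "Safari/".
function browserFamily(ua = "") {
  if (/Firefox\//.test(ua)) return "firefox";
  if (/Edg\//.test(ua)) return "edge";
  if (/Chrome\//.test(ua)) return "chrome";
  if (/Safari\//.test(ua)) return "safari";
  return "other";
}

function deviceType(ua = "") {
  return /Mobile|Android|iPhone|iPad/.test(ua) ? "mobile" : "desktop";
}

// Primary language tag only ("de-CH,de;q=0.9,en;q=0.8" -> "de").
function languagePreference(acceptLanguage = "") {
  const first = acceptLanguage.split(",")[0].trim().split(";")[0];
  return (first.split("-")[0] || "en").toLowerCase();
}

// Reduce a raw request to the record that is stored. IP, referrer and
// cookies are never touched, so they cannot leak into the database.
function anonymizeSubmission(req, now = new Date()) {
  const h = req.headers || {};
  const body = req.body || {};
  const record = {};
  for (const f of ALLOWED_BODY_FIELDS) if (f in body) record[f] = body[f];
  if (typeof record.text !== "string" || record.text.trim() === "") {
    throw new Error("feedback text is required");
  }
  if ("rating" in record &&
      !(Number.isInteger(record.rating) && record.rating >= 1 && record.rating <= 5)) {
    throw new Error("rating must be an integer between 1 and 5");
  }
  // Assumption: truncate to the minute so the timestamp is harder to
  // correlate with other logs while still supporting trend analysis.
  record.submittedAt = now.toISOString().slice(0, 16) + ":00Z";
  record.browser = browserFamily(h["user-agent"]);
  record.device = deviceType(h["user-agent"]);
  record.language = languagePreference(h["accept-language"]);
  return record;
}

// Constructed sample request carrying exactly the identifiers that must not survive.
const SAMPLE_REQUEST = {
  headers: {
    "x-forwarded-for": "203.0.113.5",
    referer: "https://intranet.example/team-page",
    cookie: "sid=abc123",
    "user-agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 Version/17.0 Mobile/15E148 Safari/604.1",
    "accept-language": "de-CH,de;q=0.9,en;q=0.8",
  },
  body: { text: "Standups run too long", rating: 3, email: "alice@example.com" },
};
console.log(anonymizeSubmission(SAMPLE_REQUEST));
```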

Data Security

Enterprise-grade protection for your data

Encryption

In Transit:

TLS 1.3 with perfect forward secrecy

At Rest:

AES-256 encryption for all stored data

Keys:

Rotated regularly, stored in secure vaults

Infrastructure

Hosting:

SOC 2 Type II certified providers

Database:

Isolated, encrypted, daily backups

Network:

DDoS protection, firewall rules

Access Control

Authentication:

2FA required for team accounts

Authorization:

Role-based access control (RBAC)

Audit Logs:

All data access logged and monitored

Security Practices

Regular Audits

Third-party security audits quarterly

Penetration Testing

Annual pen tests by certified firms

Vulnerability Scanning

Automated daily scans for CVEs

Dependency Updates

Security patches applied within 24h

Incident Response

Documented plan, tested quarterly

Employee Training

Security awareness training for all staff

AI & Third-Party Services

How we handle data with external processors

AI Processing (OpenAI)

What we send: Feedback text only (no personal data, no metadata)

Purpose: Sentiment analysis, theme extraction, insight generation

Protection:

  • Zero data retention agreement with OpenAI
  • Data not used to train models
  • Encrypted in transit
  • Results cached to minimize API calls

Other Third Parties

Stripe (Payments):

PCI-DSS Level 1 certified. We never see card numbers.

Supabase (Database):

SOC 2 Type II, encrypted backups, US-based.

Vercel (Hosting):

Edge network, DDoS protection, 99.99% uptime SLA.

All processors bound by Data Processing Agreements (DPA) with strict security requirements.

Compliance & Certifications

Meeting global privacy and security standards

GDPR

EU General Data Protection Regulation compliant

CCPA

California Consumer Privacy Act compliant

SOC 2

Type II in progress (infrastructure providers certified)

Privacy Shield

Following Privacy Shield principles

For Enterprise Customers

We offer additional compliance support for enterprise customers:

  • Custom Data Processing Agreements (DPA)
  • Business Associate Agreements (BAA) for HIPAA
  • Data residency options (US, EU)
  • Custom retention policies
  • SSO and SAML integration
  • Dedicated security review and questionnaires

Incident Response

What happens if something goes wrong

Our Commitment

Detection:

24/7 monitoring, automated alerts for anomalies

Response Time:

Critical incidents triaged within 15 minutes

Communication:

Affected users notified within 72 hours (or sooner if legally required). Transparent incident reports published.

Remediation:

Immediate containment, root cause analysis, preventive measures implemented

Report a security issue: Email security@feedb.co for our responsible disclosure process. We offer bug bounties for valid reports.

Transparency & Trust

Stay informed about our security posture

Status Page

Real-time uptime monitoring and incident history

Security Docs

Whitepapers, certifications, and technical details

Bug Bounty

Responsible disclosure program with rewards

Questions About Security?

We're happy to discuss our security practices in detail.