Dedicated to protecting our customers

Questback has created this Security Statement to demonstrate our dedication to protecting our customers against any dissemination of information. Statement updated June 15th 2017.



Updated on October 25th 2017


Protecting the privacy of individuals is crucial to Questback as a provider of Software as a Service (SaaS) based software. This Security Statement sets out Questback’s commitment to the individual’s right to privacy, explaining how Questback processes information that can be related to an individual (“Personal Data”), both from our customers and from respondents to Questback surveys.

If you are a respondent to a Questback survey, the regulations in this security statement are relevant for you.
If you are not a respondent to a Questback survey, but a visitor to our website only, you will find a statement relevant for you here: Privacy Statement.

Questback provides advanced online survey software for corporate and public customers across a wide variety of sectors. Questback’s software is provided as Software as a Service (SaaS), accessed by Questback’s customers using an Internet browser. The customer has full access to the solution, and uses it as they see fit. The customer is solely responsible for who data is collected from, what data is collected and how surveys are made available to respondents. For a high-level overview of customer’s responsibilities, see “Overview of customer’s responsibilities as data controllers”.

The collection of data through Questback’s platform covers the collection of customer data, and data from respondents to surveys, members of panels and members of communities, as specified below. Any information stored on Questback’s sites is treated as confidential. All information is stored securely and is accessed by authorized personnel only.

For the purposes of this statement, Questback defines the term “customer” as an entity with which Questback has an established relationship, and “respondent” as any individual who responds to surveys created by the customer and powered by Questback, or who takes part in panels and/or communities created by the customer and powered by Questback.



In 2016, the EU finalized the new General Data Protection Regulation (known as the GDPR). As of May 25, 2018, the GDPR will be a directly applicable law in all Member States in the European Economic Area (EEA).

Questback welcomes the positive changes the GDPR will bring by providing a higher degree of control to the people, and by ensuring a consistent and unified data protection regime for companies who provide their services to people in several jurisdictions in Europe.

The GDPR is highly relevant for any company that collects or processes feedback, and Questback therefore has great focus on its work to ensure compliance with the GDPR, and to make compliance with the GDPR as easy as possible for its customers. Questback will therefore implement privacy by design in its software, continue its high focus on information security and continuously update its procedures when needed. Questback does not process any personal data processed for its customers outside the EEA without specific customer requirements.

Questback has applied to the Data Protection Authority in Norway for Binding Corporate Rules, and Binding Corporate Rules for Processors, to ensure processing in compliance with the GDPR for its multinational customers.

Questback’s goal is for all individuals to feel safe when responding to surveys in Questback.



Collection and use



In order to provide services to its customers, Questback collects certain types of data from them, as described herein. Furthermore, Questback’s customers collect information from respondents when they produce and publish surveys, panels, and communities. This section will describe how these two types of data are collected and used by Questback, and in Questback’s systems.

Collection of customer data

During a customer’s registration with Questback’s software, they provide information such as company name, e-mail, address, location, telephone/fax and the name of a contact person and other relevant personnel. This information is used by Questback to identify contact persons within customer organizations in Questback’s system. Furthermore, the information is required in order for Questback to know who the registered users of its software are, in accordance with its contract. Questback customers can at any time access and edit, update or delete contact details by logging in with username/password to Questback’s software. Questback customers may have access to create several users with different privilege levels within their account, depending on their contract. It is, however, the customer’s responsibility to choose the level of access each user should have and to protect its information by selecting which users within the organization can access protected folders.

Collection of respondent data

Questback provides feedback management through a Software as a Service (SaaS) platform.

Surveys, panels, and communities used for gathering feedback are created by customers, who make them available to relevant businesses, organizations, and individuals. It is the customers’ responsibility to ensure that collection and processing of data is done in accordance with applicable law. Under the Directive and the GDPR, there are certain requirements that must be fulfilled in order for Personal Data to be collected and processed. This includes all steps of the processing, from collection of potential respondents, to sending out invitations, receiving responses to surveys and processing the data when collected. For high-level information about customer responsibilities, please see “Overview of customer’s responsibilities as data controllers”. Note that the overview cannot be regarded as legal advice, and the customer must itself ensure that its collection and processing is in accordance with applicable laws.

Questback will not process personal data for other purposes or by other means than instructed by its customers.

Respondent data includes data from individuals who are invited by the customer to provide feedback to the customer by responding to surveys. Respondents may be members of panels set up by the customer, members of communities set up by the customer, the customer’s employees, the customer’s clients or specific groups of individuals, as applicable. Personal Data may include, among other information as agreed with the customer, personal contact information such as name, home address, home telephone or mobile number, email address, information concerning family, lifestyle and social circumstances including age, date of birth, marital status, number of children; employment details, education/qualification, business contact details. Personal Data may also include responses within the area covered by the survey in question.


Purpose of processing


Purpose for Questback’s processing of customer data

Customer data is collected in order for Questback’s customer’s employees to have access to the software, and to benefit from the software’s functionality. Furthermore, the information is used for Questback to understand the customer’s needs and interests and to help deliver a consistent experience. Questback will use such information only as described in this Security Statement and/or in the way specified at the time of collection. Questback will not subsequently change the way Personal Data is used without gaining consent, as required by applicable laws. Questback will exclusively use your Personal Data for the following purposes:

  • To process any orders or requests the customer may have provided to Questback
  • To keep customers up to date on the latest product announcements, software updates, software upgrades, security patches, system enhancements, special offers, and other information regarding Questback’s software and services. This may occasionally include information from other technology companies or business partners about products and services that can add value to Questback software. Such communication may be provided not only by Questback, but by companies with which Questback has partner agreements, and by any company in the Questback group of companies. You expressly acknowledge that your contact details may be shared by Questback with other companies within the Questback group. Furthermore, you acknowledge that any information required to track your choices regarding receiving marketing materials (i.e., depending on the country where the relevant Questback group company operates, whether you have granted explicit consent to receiving and/or opted out of receiving marketing materials) may be stored and exchanged between any of the above-mentioned companies.
  • To tailor information about our products and services to your individual interests.
  • To provide the ability to contact you in order to respond to your inquiries, and provide you with billing information, and to provide customer feedback and support.
  • To conduct surveys in order to provide better products and services to Questback’s customers and end users.
  • To meet contractual obligations.
  • To comply with applicable regulatory requirements.

Purpose of Questback’s processing of respondent data

The purpose of collecting Personal Data as part of a survey will vary depending on the survey, as set up by Questback’s customers. As Questback provides surveys to a wide group of customers and businesses, the purpose may vary greatly.

For customers in the EEA, or for customers providing surveys to respondents in the EEA, the customer will be the Controller, as defined in the Directive and the GDPR. The purpose will consequently be defined by Questback’s customer.

Questback will not process personal data for other purposes except those instructed by its customers.

Geographical location

For Questback customers in the European Economic Area (EEA), all personal data is processed in the EEA. For customers in the United States of America (US), Questback offers an option to store all data in the US. In this section, we will describe these options.

Processing in the European Economic Area (EEA)

For customers who have entered into contracts based on processing in the EEA, all processing of Personal Data is performed in accordance with privacy rights and regulations following the EU Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 (the Directive), and the implementations of the Directive in local legislation. From May 25th, 2018, the Directive and local legislation based on the Directive will be replaced by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the GDPR), and Questback’s processing will take place in accordance with the GDPR.


Questback processes personal data both as a Processor and as a Controller, as defined in the Directive and the GDPR:

  • The Questback entity with which you as a customer have signed a contract will be the Controller for customer data, as outlined in the “Collection of customer data” section.
  • For respondent data, as outlined in the “Collection of respondent data” section, Questback’s customer will be the Controller in accordance with Directive and GDPR, and Questback will be the Processor.

Questback adheres to the Directive and the local adaptions of it (and the GDPR from May 25th, 2018). Consequently, Questback processes all data provided by its customers in the European Economic Area (EEA) in the EU/EEA only.

All data collected by Questback customers through surveys, panels or communities will be stored exclusively in the secure hosting facility listed below, as agreed with the customer:

  • In the EU (Bremen and Frankfurt in Germany). Questback has a data processing agreement in place with its provider, ensuring compliance with the Directive. All hosting is performed in accordance with the highest security regulations. All transfers of data internally in the EEA are done in accordance with data processing agreements in the Questback group. No processing of personal data will take place outside the European Economic Area (EEA) unless Questback’s customers specifically authorize such a transfer in a written agreement. This will typically be the case for Questback’s customers located in the US, who will have access to their separate instance in the hosting facility.

Processing in the United States of America (US)

For customers who have entered into contracts based on processing in the US, Questback processes data in data centers located in the US as agreed in contracts with its customers. Questback has adopted reasonable physical, technical and organizational safeguards which substantially mirror the EU safeguards against accidental, unauthorized or unlawful destruction, loss, alteration, disclosure, access, use or processing of the customer data in Questback's possession. Questback will promptly notify the customer in the event of any known unauthorized access to, or use of, the customer data.

All data collected by Questback customers through surveys, panels or communities will be stored exclusively in the secure hosting facility listed below, as agreed with the customer:

  • In Virginia, USA, Questback’s contract with its hosting provider ensures that all hosting is performed in accordance with the highest security regulations. Questback’s policy is to protect and safeguard any personal information obtained by Questback in accordance with United States state or federal laws governing the protection of personal information and data. Accordingly, Questback adheres to practices and policies that aim to safeguard the data.

Hidden identity in surveys

When hidden identity is used in surveys, no identifiable information, such as browser type and version, internet IP address, operating system, or e-mail address, will be stored with the answer. This is to protect the respondent’s identity.

Retention and deletion

Questback will not retain customer data longer than is necessary to fulfill the purposes for which it was collected or as required by applicable laws or regulations.

For respondent data, Questback’s customers have control of the purpose for collecting data, and the duration for which the Personal Data may be kept. For respondent data, customers with an active agreement will therefore have the responsibility to delete data when required. When a customer’s subscription to any Questback service is terminated or expired, all Personal Data collected through the site will be deleted, as required by applicable law.


Any information stored on Questback’s sites is treated as confidential. All information is stored securely and is accessed by authorized personnel only.

Questback implements technical and organizational measures to ensure information security for customers and respondents. Such measures include data storage exclusively in secure hosting facilities in Germany or Virginia, following well tested security frameworks. Questback’s customers are in control of any data entered into the platform by them or their respondents, and it is their responsibility to ensure that no data is collected, processed or stored in violation of current and relevant regulations.


If you are a citizen of a country in the European Economic Area (EEA), and wish to inquire about your personal data that may have been collected in a Questback survey, we recommend that you contact the entity that created or sent you the survey. As Questback is a Processor, it does not control the Personal Data used or stored in the survey, but processes it on behalf of its customer.

Should you wish to contact Questback directly, please contact the Questback entity in the country where you reside, using the contact information provided on our homepage (

General inquiries regarding complaints concerning surveys that are unresolved by the survey creator may be sent using the contact information provided on our homepage. There is no charge for such an inquiry.

Changes to this statement

Questback may occasionally amend this information; such changes will be notified by changing the last updated section in this document and may also be shown as a welcome message when logging into our site for a limited period of time. We encourage our customers to regularly check for any updates to this statement.

Want to learn more?

For further information about the Controller’s obligations under the Directive and GDPR, please see “Overview of customer’s responsibilities as data controllers”.


Questback Data Protection Officer


Arve Føyen, Lawyer/Partner

Mobile:    +47 91 81 99 62

Address:  Advokatfirmaet Føyen Torkildsen AS

               C.J. Hambros plass 2 D, 0164 Oslo,

               P.O. Box 7086 St. Olavs plass,

               NO-0130 Oslo


Swbd:      +47 21 93 10 00

Fax:        +47 21 93 10 01



Questback Data Protection Officer Germany

Dr. Karsten Kinast, LL.M.

Attorney at Law (Germany)

Address: Kinast & Partner

              Venloer Straße 24,

              50672 Köln (Cologne),


Phone:    +49 (0)221 - 222 183 - 0

Fax:        +49 (0)221 - 222 183 - 10

Mobile:    +49 (0)1520 - 9053214



Overview of customer’s responsibilities as data controllers