༺❦bmLnY❦༻Security Standards | Slido - Audience Interaction Made Easy

Security Standards

These Security Standards are effective as of March 14th, 2018.

Firstly, let’s define what we are talking about when we are talking about data:

A list of data types with their descriptions.
Customer Data	Category	What does it mean
	Content data	Questions, Polls, Ideas and anything related to the content which you or your participants made available via Slido.
	Purchase data	Information about your Slido plan and price - simply said, what you bought and what the price was.
	Payment data	Typically information about the credit card, but we do not collect such information, it is collected directly by the payment gateway.
	Contact dataPersonal Information	Your name, email and billing address.
	Voice Personal Information	Voice if you reached out to us via phone.
	Technical dataPersonal Information	Information we have collected automatically. Most of the data is not personal information. But there could be data that are considered personal(e.g. browser version, IP address, OS version).

As we think that transparency is an essential principle in the context of security, we aim to be as clear and open as we can about the way we handle security and data privacy. That is why we would like to also direct your attention to these resources to break down the table above:

Detailed information about the way we treat personal information and how it is used you can find in our Slido Privacy
Detailed information about our third-party service providers is available here!

Okay, now we all know what the data means, so let’s take a closer look under the hood of our organization.

Confidentiality

According to our Terms, we guarantee confidentiality of your account and your data as well. However, if you use the “BASIC” version of Slido, all data collected are considered public and can be displayed on our site and freely shared with other parties. In case you care about privacy, we strongly recommend to use our privacy settings available in paid versions of Slido.

When it comes to staff and third parties, anyone who can view Customer data is contractually obligated to keep them confidential.

Staff Practices

Our primary goal in the context of Security is to ensure that CIA (Confidentiality, Integrity and Availability) triangle is in place. Our staff has an important role in this mission, and we place strict controls over our staff and internal processes.

We perform background checks of each future member of staff during the hiring process. Each member of staff has to take security and data privacy training with our Security Manager. Training is focused on how to securely use our internal tools, how to handle sensitive information and significant part of the training is a workshop and discussion about social engineering, phishing and physical security.

The operation of Slido requires that some employees have access to the systems which store and process Customer Data. For example, in order to diagnose an issue which you are having while using our services, we may need to access Customer Data. All employees are committed to ensuring that Customer Data is not seen by anyone who should not have access to it. We use logical restrictions on the application layer to ensure that each member of staff only has access to that part of Customer Data which is needed to perform their job duties. These employees are prohibited from using these permissions to view Customer Data unless it is necessary to do so.

When it comes to internal accesses, we strictly follow our access policy. Our accesses are managed via an SSO identity provider (Okta, Inc.). This allows us to (de)provision, update and audit our accesses securely and efficiently . Audits are part of the job here, and we review accesses on a quarterly basis proactively, or whenever someone joins/leaves us. We do enforce strong passwords, password expiration and account lockout to maintain the security of authentication to tools we use internally. In addition to the above, we use multi-factor authentication (“MFA”).

Security and Data Privacy Product Features for Event Organizers

In addition to the work we do at the infrastructure level, we provide organisers of the paid versions of the Slido Services with additional tools & settings to enable their own users to protect their data:

Privacy level of an event (public / hidden / private)
Attendee authentication:
- Passcode
- Google SSO (Google oAuth)
- SAML based SSO – e.g. OKTA or OneLogin

Data Manipulation

Slido provides Customer Data export capabilities. Organisers are able to export questions as well as polls with complete results via Admin interface.

Upon Customer request, it is possible to delete Customer Data after the event. This request is usually processed within 24 hours. Our Customer support will be happy to discuss details about export capabilities as well as information regarding the Customer’s data deletion.

Infrastructure

Slido is hosted on AWS (Amazon Web Services) infrastructure. Currently, our infrastructure is located in the EU (Ireland, Germany). We might expand our infrastructure to different region within AWS infrastructure in the future, but in such case, we would adequately notify you about the change with an option to keep your data within the region you prefer.

The AWS environment that hosts the Slido Services maintains multiple certifications for its data centres, including ISO 27001 compliance, PCI Certification, and SOC reports. For more information about their certification and compliance, please visit the AWS security website () and the AWS compliance website (). We are able to provide you with some of the documentation and certification of AWS once you enter into a non-disclosure agreement with Slido.

When it comes to the architecture, we use multiple tiers within our stack. Each function / service is limited to operate only within a specific tier, and each tier provides services exclusively for function intended for that tier. In case you are curious what it looks like from a bird’s eye view, take a look here!

Data Encryption
Slido Services support the latest recommended secure cipher suites and protocols to encrypt (SHA-256 with RSA Encryption) all traffic in transit. Customer data is encrypted at rest (AWS RDS Encryption - AES-256) as well, our infrastructure is accessible only by the operations team and through VPN in combination with internal SSO solution. All activity is logged and audited.
We monitor changing cryptographic landscape closely and work promptly to upgrade the Services to respond to new cryptographic weaknesses as they are discovered and implement best practices as they evolve. For encryption in transit, we do this while also balancing the need for compatibility for older versions of commonly used browsers.
Availability and Disaster Recovery
Approximate availability of the Slido Services is at 99.95%. Our infrastructure runs on systems that are fault tolerant of failures of individual servers. Our operation team tests disaster recovery measures on an annual basis. Anytime you would like to check our status, you can always visit our .
Customer Data is stored redundantly at multiple locations in our hosting provider’s data centres to ensure availability. We have well-tested backup and restoration procedures, which allow recovery from a major disaster. Customer Data and our source code are automatically backed up on a regular basis.
Monitoring and Logging
Our solution is monitored on several levels. We use infrastructure as well as application monitoring tools. In combination with specialized tools for analysis and data visualization, it gives us strong insights about the condition our services are in. Slido maintains an extensive, centralized logging environment in its production environment which contains information pertaining to security, monitoring, availability, access, and other metrics about the Slido Services.

Software Development Lifecycle

Our development process is our own implementation of all the values and principles you can find in agile methodologies. We do frequent releases and continuously optimize our workflow according to our current needs and lessons learned.

During the development of a new feature, quality assurance team provides a continuous feedback to the development team. We perform these checks in a manual and automated manner as well. Any new code is reviewed by other members of the development team and approved only if it meets a set of pre-defined and documented requirements. One of these requirements is a set of unit tests.

Prior to release, a new code is deployed in the pre-production environment, where we run a set of automated regression tests and another round of a manual test. Once everything seems to run as expected we are ready to ship a new feature for you!

In case anything goes wrong, our development process enables us to revert to the previous version or release a patch for a minor issue in as fast as 15 minutes. Do you want to learn more? Not a problem! Please check out our .

Incident Management and Response

Our security team is responsible for incident management and response. Our primary goals on a daily basis are to:

proactively review security-related logs and search for any sign of a security incident or vulnerable part of the system;
react to security incidents according to our Security Incident Reporting and Response Policy.

In an event of a security breach, Slido will promptly notify you of any unauthorized access to Customer Data. Slido has incident management policies and procedures in place to handle such an event.

External Security Audits

We contract with respected external security firms who perform regular audits of the Slido Services to verify that our security practices are sound and to monitor Slido services for new vulnerabilities discovered by security research community. The most recent report from the audit is available upon customer request once you enter into a non-disclosure agreement with Slido.

Security

ISO 27001

ISO 9001

Security Standards

Confidentiality

Staff Practices

Security and Data Privacy Product Features for Event Organizers

Data Manipulation

Infrastructure

Data Encryption

Availability and Disaster Recovery

Monitoring and Logging

Software Development Lifecycle

Incident Management and Response

External Security Audits

Security FAQ

We would like to review your penetration tests results; What’s the process here?

Do you collect IP addresses of the participants? Can you share IP addresses with us if we request you to do so?

How long do you store collected data?

What happens with inactive surveys and other data, for how long is this stored?

Who is the owner of the data?

Why is it that Slido accepts non-complex passwords for the admins, and how can password complexity be enabled?

What data exactly is stored about the organiser and the people who ask questions? Could you list them?

What is your company data protection policy?

Bug Bounty

Contact Us