Data Security
Your research data is protected at every layer.
Written for researchers, not security engineers. If you need technical details for an institutional review, they are here too.
Last reviewed: May 30, 2026
The short version
Four things every researcher should know.
Data ownership
Your data stays yours.
The surveys you build and the responses you collect belong to you. We have no interest in reading your data, and we are not in the business of selling it.
We do not read your surveys or responses
Your data is used only to run the platform for you. We do not analyse, model-train on, or monetise your content.
We do not share it with third parties for commercial purposes
Sub-processors receive only what they need to operate the infrastructure — nothing more.
Your response data does not reach our analytics tools
PostHog receives pseudonymous usage events about how the builder is used. Raw survey responses and respondent identifiers never leave your data store.
You can delete everything at any time
Account deletion is self-serve in Settings → Account → Delete account. It permanently removes your surveys and all response data from our production database.
Participant privacy
How your respondents' data is protected.
When a participant submits a survey, their answers are protected from the moment they leave the browser to the moment they are stored.
Access control
You control who sees your surveys.
By default only you can see your work. Access is enforced at the database level — not just in application code — so permission rules cannot be bypassed by a software bug. Domandata staff cannot access your data without cause, and any internal access is logged.
Owner
Manage team membership, require MFA for the whole workspace, and access all surveys.
Member
Create and edit surveys within the workspace.
Viewer
Read surveys and responses without making changes.
Survey collaborator
Access only the specific survey they were invited to, as Editor or Viewer.
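The statement that access is enforced at the database level, rather than only in application code, can be illustrated with Postgres Row-Level Security as used on Supabase. The policies below are an added example written for this page, not Domandata's schema; the table names, columns and the use of Supabase's `auth.uid()` are assumptions. They encode the four roles above: workspace owners and members may edit, workspace viewers and survey collaborators invited as Viewer may only read, and collaborators invited as Editor may edit just that one survey.

```sql
-- Assumed schema for illustration only; not Domandata's actual tables.
create table workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null,
  role         text not null check (role in ('owner', 'member', 'viewer')),
  primary key (workspace_id, user_id)
);

create table surveys (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  title        text not null
);

create table survey_collaborators (
  survey_id uuid not null references surveys(id) on delete cascade,
  user_id   uuid not null,
  role      text not null check (role in ('editor', 'viewer')),
  primary key (survey_id, user_id)
);

alter table surveys enable row level security;
alter table surveys force row level security;  -- applies even to the table owner

-- Read: any workspace role, or a collaborator invited to this specific survey.
create policy surveys_select on surveys for select
  using (
    exists (select 1 from workspace_members m
            where m.workspace_id = surveys.workspace_id
              and m.user_id = auth.uid())
    or exists (select 1 from survey_collaborators c
               where c.survey_id = surveys.id
                 and c.user_id = auth.uid())
  );

-- Write: owners and members, or collaborators invited as Editor. Viewers cannot.
create policy surveys_update on surveys for update
  using (
    exists (select 1 from workspace_members m
            where m.workspace_id = surveys.workspace_id
              and m.user_id = auth.uid()
              and m.role in ('owner', 'member'))
    or exists (select 1 from survey_collaborators c
               where c.survey_id = surveys.id
                 and c.user_id = auth.uid()
                 and c.role = 'editor')
  );
```

With no policy granting it, an authenticated user who is neither a workspace member nor an invited collaborator sees zero rows, whatever the application sends. The membership tables referenced inside the policies need their own (usually narrower) policies, and a mistake in the policy text itself is not caught by RLS, so policies deserve the same review and tests as application code.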
Authentication
Signing in securely.
We recommend enabling two-step login. It takes two minutes and means a compromised password alone cannot unlock your account.
Important limits
What Domandata cannot help with.
We are honest about our limits. There are data types you must not collect using this platform.
For FERPA, GDPR, and other frameworks: your institution is responsible for determining whether our controls are sufficient for your regulatory obligations. We will provide documentation to help you make that assessment.
Institutional review
Documentation for your IRB or IT office.
You can link directly to this page (domandata.net/security) in an IRB protocol or data management plan. We can also provide a written description of our security controls suitable for an institutional security questionnaire. Our infrastructure providers (Supabase and Vercel) both hold SOC 2 Type II certification — documentation is available on request.
Compliance
Working towards SOC 2 Type I.
SOC 2 is an independent audit that verifies a company's security controls meet the AICPA's Trust Services Criteria. We are actively working through the requirements for a Type I report.
SOC 2 Security framework adopted
All 34 Trust Services Criteria mapped to policies and controls.
10 security policies written
Covering access management, incident response, data classification, business continuity, vendor risk, and more.
Technical controls implemented
Encryption, audit logging, MFA, Row-Level Security, branch protection, and secrets management.
Policies formally approved
Under review with both founders — the final step before the audit engagement.
Auditor engaged
Selecting an independent CPA firm to perform the Type I assessment.
SOC 2 Type I report issued
Point-in-time audit confirming controls are suitably designed.
Compliance partner
gocosecurity.com
Because Domandata stores sensitive survey and respondent data, demonstrating strong security practices to researchers and their institutions is essential to us. GOCO Security gives us a single platform to manage our compliance program — mapping controls, tracking evidence, and staying audit-ready. We have started with SOC 2, because it's what our community expects, and GOCO is built to scale with us as we pursue additional certifications.
Platform practices
How we keep the platform secure.
The technical and operational practices we follow internally.
All code changes go through a pull request reviewed by a second engineer. The main branch is protected and cannot be merged without passing automated checks, including a dependency vulnerability scan.
Internal staff accounts require multi-factor authentication. Access to production systems is restricted to the two founders and is logged.
Sign-ins, failed sign-in attempts, exports, account changes, and deletions are written to an append-only audit log. Logs are retained for at least one year.
Secrets and credentials are managed in dedicated secrets managers and are never committed to source control.
Our database provider (Supabase) and hosting provider (Vercel) both hold SOC 2 Type II certification.
Raw survey response data is never transmitted to any third-party analytics or error-monitoring platform.
Responsible disclosure
Found a security issue?
If you discover a vulnerability, please report it to us before disclosing it publicly. We will acknowledge your report promptly, keep you informed, and credit researchers who report valid issues. We will not take legal action against anyone who reports in good faith.
security@domandata.net
What to include
A description of the issue, steps to reproduce it, and the potential impact. Screenshots or request logs are helpful but not required.
What to expect
We will acknowledge receipt, investigate, and patch before public disclosure. We will let you know when it is fixed.
Credit
We credit researchers who report valid vulnerabilities unless you prefer to remain anonymous.
Questions about security or data handling?
We are a small team and we respond to security and privacy questions personally.