Trust Center

Our commitment to security and transparency.

Domandata stores sensitive survey and respondent data. This page gives researchers and their institutions a single place to review our policies, certifications, and compliance program status.

Last reviewed: June 2026

Certifications & Frameworks

Certification status.

Current status of compliance certifications and regulatory frameworks. We are transparent about what we have, what is underway, and what does not apply.

SOC 2 Type I

In Progress

Controls mapped, policies written, auditor selection underway. Estimated completion: late 2026.

SOC 2 Type II

Planned

Planned after Type I is issued. Type II adds an observation period to verify controls operate consistently over time.

CCPA

Active

Our Privacy Policy describes data collection, use, and California resident rights. We do not sell personal data.

HIPAA

Not Applicable

Domandata does not sign Business Associate Agreements and is not certified as a HIPAA Business Associate. Do not use Domandata for studies requiring a BAA.

PCI DSS

Not Applicable

We do not process payment card data and are not PCI DSS certified. Never collect card numbers through a survey.

Compliance Program

How we manage our security program.

Compliance Partner

gocosecurity.com
“Because Domandata stores sensitive survey and respondent data, demonstrating strong security practices to researchers and their institutions is essential to us. GOCO Security gives us a single platform to manage our compliance program — mapping controls, tracking evidence, and staying audit-ready. We have started with SOC 2, because it's what our community expects, and GOCO is built to scale with us as we pursue additional certifications.”

— Domandata Founders

SOC 2

Working towards SOC 2 Type I.

SOC 2 is an independent audit that verifies security controls meet the AICPA's Trust Services Criteria. Below is our current progress toward Type I.

Progress to Type I: ~65%

SOC 2 Security framework adopted

All 34 Trust Services Criteria mapped to policies and controls.

Security policies written

Covering access management, incident response, data classification, business continuity, vendor risk, and more.

Technical controls implemented

Encryption, audit logging, MFA, Row-Level Security, branch protection, and secrets management.

Policies formally approved

Under review with both founders.

Auditor engaged

Selecting an independent CPA firm to perform the Type I assessment.

SOC 2 Type I report issued

Point-in-time audit confirming controls are suitably designed.

Institutional Review

Documentation for your IRB or IT office.

You can link directly to this page (domandata.net/trust) or to /security in an IRB protocol or data management plan. We can provide a written description of our security controls for an institutional security questionnaire. Our infrastructure providers (Supabase and Vercel) both hold SOC 2 Type II certification — documentation is available on request.