These Security Standards are effective as of March 14th, 2018.
Firstly, let’s define what we are talking about when we are talking about data:
A list of data types with their descriptions (what each one means):
Questions, Polls, Ideas and anything related to the content which you or your participants made available via Slido.
Information about your Slido plan and price. Simply said, what you bought and what the price was.
Typically information about the credit card, but we do not collect such information; it is collected directly by the payment gateway.
Contact data (Personal Information): your name, email and billing address.
Voice (Personal Information): your voice, if you reached out to us via phone.
Technical data (Personal Information): information we have collected automatically. Most of this data is not personal information, but some of it could be considered personal (e.g. browser version, IP address, OS version).
As we think that transparency is an essential principle in the context of security, we aim to be as clear and open as we can about the way we handle security and data privacy. That is why we would like to also direct your attention to these resources to break down the table above:
Detailed information about the way we treat personal information and how it is used can be found in our Slido Privacy.
Detailed information about our third-party service providers is available here!
Okay, now we all know what the data means, so let’s take a closer look under the hood of our organization.
According to our Terms, we guarantee the confidentiality of your account and your data as well. However, if you use the “BASIC” version of Slido, all data collected are considered public and can be displayed on our site and freely shared with other parties. If you care about privacy, we strongly recommend using the privacy settings available in the paid versions of Slido.
When it comes to staff and third parties, anyone who can view Customer Data is contractually obligated to keep it confidential.
Our primary goal in the context of security is to ensure that the CIA triad (Confidentiality, Integrity and Availability) is maintained. Our staff has an important role in this mission, and we place strict controls over our staff and internal processes.
We perform background checks on each future member of staff during the hiring process. Each member of staff has to take security and data privacy training with our Security Manager. The training is focused on how to securely use our internal tools and how to handle sensitive information, and a significant part of it is a workshop and discussion about social engineering, phishing and physical security.
The operation of Slido requires that some employees have access to the systems which store and process Customer Data. For example, in order to diagnose an issue which you are having while using our services, we may need to access Customer Data. All employees are committed to ensuring that Customer Data is not seen by anyone who should not have access to it. We use logical restrictions on the application layer to ensure that each member of staff only has access to that part of Customer Data which is needed to perform their job duties. These employees are prohibited from using these permissions to view Customer Data unless it is necessary to do so.
When it comes to internal access, we strictly follow our access policy. Access is managed via an SSO identity provider (Okta, Inc.). This allows us to provision, deprovision, update and audit access securely and efficiently. Audits are part of the job here: we review access proactively on a quarterly basis, and whenever someone joins or leaves us. We enforce strong passwords, password expiration and account lockout to maintain the security of authentication to the tools we use internally. In addition to the above, we use multi-factor authentication (“MFA”).
Security and Data Privacy Product Features for Event Organizers
In addition to the work we do at the infrastructure level, we provide organisers using the paid versions of the Slido Services with additional tools and settings to enable their own users to protect their data:
Privacy level of an event (public / hidden / private)
Google SSO (Google OAuth)
SAML-based SSO, e.g. Okta or OneLogin
Slido provides Customer Data export capabilities. Organisers are able to export questions as well as polls with complete results via the Admin interface.
Upon Customer request, it is possible to delete Customer Data after the event. Such a request is usually processed within 24 hours. Our Customer Support will be happy to discuss details about export capabilities as well as information regarding the deletion of the Customer’s data.
Slido is hosted on AWS (Amazon Web Services) infrastructure. Currently, our infrastructure is located in the EU (Ireland, Germany). We might expand our infrastructure to a different AWS region in the future, but in such a case we would adequately notify you about the change, with an option to keep your data within the region you prefer.
The AWS environment that hosts the Slido Services maintains multiple certifications for its data centres, including ISO 27001 compliance, PCI Certification, and SOC reports. For more information about their certification and compliance, please visit the AWS security website (https://aws.amazon.com/security/) and the AWS compliance website (https://aws.amazon.com/compliance/). We are able to provide you with some of the documentation and certification of AWS once you enter into a non-disclosure agreement with Slido.
When it comes to the architecture, we use multiple tiers within our stack. Each function or service is limited to operate only within a specific tier, and each tier provides services exclusively for the functions intended for that tier. In case you are curious what it looks like from a bird’s eye view, take a look here!
Slido Services support the latest recommended secure cipher suites and protocols (SHA-256 with RSA encryption) to encrypt all traffic in transit. Customer Data is encrypted at rest as well (AWS RDS encryption, AES-256). Our infrastructure is accessible only by the operations team, and only through a VPN in combination with our internal SSO solution. All activity is logged and audited.
We monitor the changing cryptographic landscape closely and work promptly to upgrade the Services in response to new cryptographic weaknesses as they are discovered, and to implement best practices as they evolve. For encryption in transit, we do this while also balancing the need for compatibility with older versions of commonly used browsers.
Availability and Disaster Recovery
The approximate availability of the Slido Services is 99.95%. Our infrastructure runs on systems that are tolerant of failures of individual servers. Our operations team tests disaster recovery measures on an annual basis. Any time you would like to check our status, you can visit our status page.
Customer Data is stored redundantly at multiple locations in our hosting provider’s data centres to ensure availability. We have well-tested backup and restoration procedures which allow recovery from a major disaster. Customer Data and our source code are automatically backed up on a regular basis.
Monitoring and Logging
Our solution is monitored on several levels. We use infrastructure monitoring as well as application monitoring tools. In combination with specialised tools for analysis and data visualisation, this gives us strong insight into the condition of our services. Slido maintains an extensive, centralised logging environment in its production environment which contains information pertaining to security, monitoring, availability, access, and other metrics about the Slido Services.
Software Development Lifecycle
Our development process is our own implementation of the values and principles you can find in agile methodologies. We release frequently and continuously optimise our workflow according to our current needs and lessons learned.
During the development of a new feature, the quality assurance team provides continuous feedback to the development team. These checks are performed both manually and in an automated manner. Any new code is reviewed by other members of the development team and approved only if it meets a set of pre-defined and documented requirements. One of these requirements is a set of unit tests.
Prior to release, new code is deployed to the pre-production environment, where we run a set of automated regression tests and another round of manual testing. Once everything runs as expected, we are ready to ship the new feature to you!
In case anything goes wrong, our development process enables us to revert to the previous version or release a patch for a minor issue in as little as 15 minutes. Do you want to learn more? Not a problem! Please check out our blog.
Incident Management and Response
Our security team is responsible for incident management and response. Our primary goals on a daily basis are to:
proactively review security-related logs and search for any sign of a security incident or vulnerable part of the system;
react to security incidents according to our Security Incident Reporting and Response Policy.
In the event of a security breach, Slido will promptly notify you of any unauthorized access to Customer Data. Slido has incident management policies and procedures in place to handle such an event.
External Security Audits
We contract with respected external security firms who perform regular audits of the Slido Services to verify that our security practices are sound, and to monitor the Slido Services for new vulnerabilities discovered by the security research community. The most recent audit report is available upon customer request once you enter into a non-disclosure agreement with Slido.
We would like to review your penetration test results. What is the process here?
We will be happy to share the executive summary of the most recent penetration test results; however, prior to sharing, you will have to sign our NDA (non-disclosure agreement), as such a report contains information which we consider confidential. Please send your request to email@example.com and we will provide you with our NDA.
Do you collect IP addresses of the participants? Can you share IP addresses with us if we request you to do so?
Yes, we collect IP addresses. Please check out our Slido Privacy to learn more about what we collect and why we need it. We won’t be able to share the IP addresses with you even if you request us to do so: we are committed to maintaining the privacy of participants, and for instance we guarantee that an anonymous question stays anonymous. That is the reason why we are not willing to share even indirect information about a participant. However, we are always happy to comply with requests from law enforcement authorities in case such information is needed to help with the investigation of any unlawful activity.
How long do you store collected data?
We store your data for the duration of the contract between Slido and you. Simply said, as long as your account exists, we need the data to be able to provide you with our Services. You always have the option to terminate the contract. If you would like to delete your Slido account, please check out the article covering this topic in our help center.
What happens with inactive surveys and other data, for how long is this stored?
Inactive surveys and other content are still considered Customer Data; they are stored on our servers for the period given above and can be deleted upon the Customer’s request.
Who is the owner of the data?
All information and materials uploaded remain yours: the owner of the event is the owner of the data.
Why is it that Slido accepts non-complex passwords for the admins, and how can password complexity be enabled?
Security experts at the National Institute of Standards and Technology (NIST) aren’t that convinced about the usefulness of “strong passwords” anymore. We recommend that our clients set a password that they feel is secure enough to protect their data. That is the reason we don't impose any restrictions on non-complex passwords.
What data exactly is stored about the organiser and the people who ask questions? Could you list them?
Sure! Have a look at our Slido Privacy; you can find the complete list there.
What is your company data protection policy?
This page was dedicated to answering questions covering security policies and practices when it comes to the protection of your data at Slido. If we haven’t managed to answer your questions, please feel free to reach out to us.
First of all, we would like to thank you for trying to make the Internet safer and for caring about the safety of our platform, and therefore of our users as well.
We are trying our best to keep pace with industry standards by performing continuous security scans as a natural part of our development lifecycle and by involving respected third parties in conducting our regular penetration tests.
But we are aware of the possibility that you have discovered something that could be classified as a vulnerability. Unfortunately, we don’t have a Bug Bounty program at the moment. In case you have discovered something we should be aware of, we will be happy if you share such a finding with us.
If you have any additional questions regarding security, we are happy to answer them. Please contact us at firstname.lastname@example.org, and we will respond as quickly as we can.