Safe, secure, and ready for GDPR

Nothing matters more to us than the security of your data. We have you covered for the EU’s new General Data Protection Regulation (GDPR).

Securing your data

Protecting customer data is a top priority at Delighted. We understand you are trusting us with your data and we take the responsibility of securing it extremely seriously. Our Security page outlines all of our practices. Additionally, Delighted has a Data Protection Impact Assessment (DPIA) that documents our handing of all your data, including personal data.

Data correction

Account admins can modify collected personal data to meet the correction requirement of the GDPR with a simple request to our Concierge team.

Right to be forgotten

As an account admin, you can permanently delete individual people, responses, and respondent personal data should an individual request it.

Built for security

Delighted protects all of our customers with an array of security features.

  • Authenticated email (DKIM, SPF, DMARC)
  • Data encryption in transit
  • Data encryption at rest
  • Data centers routinely audited with industry-standard SSAE-16 methods
  • Data redundancy for resilience during disasters
  • Two-factor authentication
  • Continuous network monitoring
  • EU-US Privacy Shield Certified
  • Swiss-US Privacy Shield Certified
  • Users can opt-out of re-contact for a survey
  • Industry-standard security evaluations
  • Independent third-party security reviews and penetration tests
  • Role-based authentication
  • IP address whitelisting

What is GDPR?

Effective May 25th 2018, GDPR tightens the rules for businesses on how they collect, store and process EU citizens’ personal data. The new regulations impact organizations worldwide who collect and process personal data of EU citizens. Some of the key changes likely to impact your customer feedback programs are listed below.

See all GDPR changes

Data correction

EU citizens will have the right to request that their personal data are rectified, and they can request restrictions on how their data are used. In addition, they may asked to “be forgotten,” requiring that all their personal data be permanently erased. Generally speaking, the GDPR explicitly states it must be as easy to withdraw your data as it was to consent to it in the first place.


A business must seek an individual’s unambiguous consent prior to collecting any personal data. How the personal data will be used must be clearly stated, and business contact details provided if more information is requested. Organizations may need to consider conditions for processing other than consent, such as in relation to a contract, or because of another legal obligation (such as employer-employee).

Privacy assessment

Data processors will need to implement a high level of security to safeguard the controller’s data, and to conduct a Data Protection Impact Assessment (DPIA) that documents how personal data will be safeguarded. Our Security page describes our key privacy-related processes and procedures.

Enabling you to be GDPR compliant

Delighted enables customers to be GDPR compliant. Briefly stated, that means Delighted:

  • Provides sufficient guarantees to the controller to implement appropriate technical and organizational measures designed to safeguard Customer data
  • Processes data (that could include personal data) only to fulfil its obligations as related to the Services
  • Enables users to modify and delete their account
  • Enables users to modify and delete complete survey responses, as well as remove all requested customer data
  • Provides security documentation that describes the processes and procedures for safeguarding the data at our Security page
  • Can sign a contract that governs the processing of EU personal data

GDPR contract – Data Processor Agreement (DPA)

GDPR Article 28, Section 3, requires that a contract be in place between a data controller and a data processor. For years, the Delighted Terms of Service and Privacy Policy have provided the fundamental legal requirements and obligations regarding data ownership, processing behavior, safeguarding data, and more.

However, to provide added GDPR coverage and compliance, we’ve since updated our Terms of Service to include our DPA. These Terms of Service are agreed to upon creation of a Delighted account. If you have a Delighted account, you are already covered.

Frequently asked questions

Disclaimer: This FAQ contains helpful compliance information when using Delighted products. Customers should always consult their internal compliance team and/or their privacy attorney regarding legal matters. The information herein is provided as-is, and should not be considered legal advice. Delighted desires to enable its customers to comply with applicable laws, but does not warrant that a customer’s particular use of its products will be compliant.

  • While it is always good practice to receive explicit consent from your customer, certain laws and regulations (such as the GDPR) require consent prior to collecting personal data of certain individuals (such as those in the EU).

    It is also important to note that under GDPR, consent is one of a number of legitimate interests for processing data. Others include the need to process for the performance of a contract, the need to process in order to comply with a legal obligation, and the need to process in order to protect the vital interests of the data subject or another natural person. Full details can be found in Article 6 of GDPR.

  • Yes, you can modify all response data to correct personal data as required by GDPR when you receive a Subject Access Request, or for other reasons. Simply contact us and we will work with you to swiftly make the adjustments.

  • Yes, you can delete any response, including a response that contains personal data, as required by GDPR. You can also remove all other requested customer data.

  • A deleted response or person is initially flagged for deletion, and may be recovered by our Concierge team upon request. After 90 days, the deletion becomes permanent and unrecoverable.

  • Delighted’s philosophy is that customers own and control all the data they collect. Any retention period required by law or your company policy is controlled by you.

    You should ensure that all people and personal data are deleted prior to stopping your usage of Delighted, especially if required by policy, law, or regulation.

  • Yes. Delighted backs up all customer data, and retains the backups for 90 days. After 90 days, the backup is deleted.

  • No. The backup dataset contains all customer data, and is used for disaster recovery purposes only. This is required for legal and compliance reasons related to availability obligations. Any personal data in these backups will be permanently deleted after 90 days.

  • Our data centers are with Amazon Web Services in the United States. However, data transfer is covered by the EU-US Privacy Shield framework, of which we are a member, and allowed by GDPR as providing adequate safeguards.

  • As required by GDPR, only qualified Delighted employees with a specific need are permitted to access your account. The typical reason for accessing your account would be upon your specific request for support.

  • Delighted presently uses sub-processors to provide the service. As required by GDPR, Delighted maintains a list of those sub-processors at

  • If a confirmed data breach occurs that is caused by Delighted’s actions or inactions, we will, without undue delay, notify the account owner. Information about the breach will be released as it becomes available, as allowed by GDPR. The account owner will be the main point of contact for all notifications, and will be kept aware of the investigation and remediation efforts as they progress.

  • As you know about the data you are collecting, you are responsible for handling any Subject Access Request (SAR). Delighted only provides the platform and wouldn’t know the details about your survey customizations, properties, or your customers.

    A SAR means that a customer is asking about information being collected about him or her in a survey that he or she completed. If you collected personal data of an EU citizen or a person residing in the EU, you may have a legal obligation to respond to a SAR.

    Response data may be downloaded in industry-standard formats for data portability to comply with GDPR.

    If Delighted receives a SAR, it will do its best to contact the survey owner. It may not always be possible to know what survey the customer took, and who the rightful owner is.

  • Similar to the above, you know your survey and what data you have. If you collected personal data of an EU citizen or a person residing in the EU, you may have a legal obligation to respond and comply with a request to delete all identifiable data.

    As previously stated, you have the ability to delete a customers’ data.

  • Delighted provide easy ways to download all your survey data in industry-standard formats. And, as previously described, you may easily delete responses, all survey responses, and entire histories for a customer.

  • All response data stored in our primary databases and backups are encrypted using an industry standard strong cipher. All data transmitted to the Delighted platform are encrypted using the industry standard TLS protocol.

  • Delighted is committed to safeguarding your data. We use sophisticated controls during processing to maintain the confidentiality, integrity, availability, and resilience of your data. Our Security page outlines the details of our application security, network security, policies, and more.

    As related to Article 28 in the GDPR, Delighted will only process personal data according to your instructions. In other words, the commands you use in the product are the “instructions,” and Delighted does not use personal data for any other means. In addition, it does not transfer personal data to a third party without your consent. If personal data is transferred from the EU to a third country, then adequate safeguards will apply to the transfer (such as the EU-US Privacy Shield Framework).

    Delighted has developed recovery procedures to minimize downtime related to a disaster, with the ability to restore access to personal data in a timely manner in the event of a physical or technical incident.

    We regularly test, assess and evaluate the effectiveness of our technical and organizational measures to ensure the security of the processing.

Any questions?

Don’t hesitate to contact us to find out more about our changes and how we’re helping you to comply.

Contact us