Security & GDPR

Last updated: December 25, 2024

Encrypted Data

All data encrypted at rest (AES-256) and in transit (TLS 1.3)

GDPR Compliant

Full compliance with EU data protection regulations

Employee Consent

Complete consent required from all participating employees

Our Commitment to Security

At ExitFox, we understand that exit interview data is sensitive and confidential. We are committed to protecting your organization's and your employees' information with appropriate technical and organizational security measures, and to maintaining them over time.

All data collected through ExitFox is stored using the encryption and access controls described below. We continuously monitor and improve our security practices so that your data remains protected.

Data Encryption

We employ robust encryption measures to protect your data:

  • Encryption at Rest: All stored data is encrypted using AES-256 encryption
  • Encryption in Transit: All data transfers use TLS 1.3 encryption
  • Database Security: Encrypted database connections with secure key management
  • Backup Encryption: All backups are encrypted with separate encryption keys

Access Controls

We implement strict access controls to ensure only authorized personnel can access your data:

  • Role-based access control (RBAC) for all system access
  • Multi-factor authentication (MFA) required for all administrative access
  • Regular access reviews and audit logging
  • Principle of least privilege applied to all system access
  • Automatic session timeouts and secure password policies

Employee Consent Requirements

Important: Complete Consent Required

ExitFox requires complete and explicit consent from all employees before any exit interview data is collected. No data is gathered without the employee's informed agreement.

Our consent process ensures:

  • Informed Consent: Employees are clearly informed about what data will be collected and how it will be used before participating in any exit interview
  • Voluntary Participation: Participation in exit interviews is entirely voluntary. Employees can choose not to participate without any consequences
  • Withdrawal Rights: Employees can withdraw their consent and request deletion of their data at any time
  • Data Transparency: Employees can request access to their interview data and understand how it has been used

GDPR Compliance

ExitFox is fully compliant with the General Data Protection Regulation (GDPR). We implement the following measures to ensure compliance:

  • Lawful Basis: We process personal data only where a valid lawful basis under Article 6 GDPR exists, primarily the data subject's explicit consent
  • Data Minimization: We collect only the data necessary for conducting exit interviews
  • Purpose Limitation: Data is used only for the purposes communicated to the data subject
  • Storage Limitation: Data is retained only for as long as necessary and can be deleted upon request
  • Right to Access: Data subjects can request access to their personal data
  • Right to Rectification: Data subjects can request correction of inaccurate data
  • Right to Erasure: Data subjects can request deletion of their data ("right to be forgotten")
  • Right to Portability: Data subjects can request their data in a portable format

Data Processing Agreement

For enterprise customers, we provide a comprehensive Data Processing Agreement (DPA) that outlines:

  • The nature and purpose of data processing
  • Types of personal data processed
  • Categories of data subjects
  • Obligations and rights of both parties
  • Sub-processor arrangements
  • Data breach notification procedures

Contact us at [email protected] to request a DPA.

Infrastructure Security

Our infrastructure is designed with security as a priority:

  • Hosted on cloud infrastructure whose providers hold SOC 2 attestation reports
  • Regular security patches and updates
  • Intrusion detection and prevention systems
  • DDoS protection and mitigation
  • Regular penetration testing and vulnerability assessments
  • 24/7 monitoring and incident response

Data Breach Response

In the unlikely event of a personal data breach, we have established procedures to:

  • Detect and contain the breach immediately
  • Assess the impact and scope of the breach
  • Notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by GDPR Article 33; where we act as a processor, notify the affected customer (the controller) without undue delay
  • Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34)
  • Implement measures to prevent future incidents
  • Provide support and guidance to affected users

Your Rights

As a user of ExitFox, you have the following rights regarding your data:

  • Access: Request a copy of your personal data
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your data
  • Portability: Receive your data in a structured format
  • Objection: Object to certain types of data processing
  • Restriction: Request restriction of data processing

To exercise any of these rights, please contact us at [email protected].

Contact Us

If you have any questions about our security practices or GDPR compliance, please contact us:

Data Protection Contact
Email: [email protected]