How Momentive securely manages customer data
What our SOC 2 Type 2 certification means for customers.
One of the many things that businesses have begun to appreciate during this pandemic is the power that technology has to enable employees to work fully remotely. As Momentive CIO Eric Johnson wrote in September, the pandemic has led IT to completely rethink business operations. However, the pandemic-driven shift to remote work and digital transformation has also increased the average total cost of a data breach. According to IBM’s study of 537 data breaches across 17 countries, the average cost was $1.07 million (approx. £0.94 million) higher in breaches where remote work was a factor in causing the breach than in those where it was not.
Industry standards such as the System and Organization Controls (SOC) for Service Organizations reports, developed by the American Institute of Certified Public Accountants (AICPA), are designed to give customers peace of mind about how their vendors manage and process data. SOC 2 is an independent auditing procedure that provides assurance about the systems and processes a service organisation uses to process customer data, and about the confidentiality and privacy of the information being processed. Momentive recently achieved SOC 2 Type 2 certification, adding to our existing ISO 27001 certification.
Achieving SOC 2 Type 2 certification is a significant effort, and it demonstrates to our customers that we have an established process for securely managing data and running a world-class security programme.
Our SOC 2 Type 2 certification applies to the SurveyMonkey and GetFeedback platforms.
What SOC 2 Type 2 certification means for customers
Three trust service principles fall under the SOC 2 criteria for managing customer data: security, availability and confidentiality.
- Security refers to how the service organisation protects system resources against unauthorised access.
- Availability demonstrates how the service organisation ensures system or service availability as stipulated by a contract or service-level agreement.
- Confidentiality ensures that data is restricted to a specific set of persons or organisations and encrypted to protect the data during transmission.
At Momentive, we take our responsibility to protect and secure your enterprise information seriously. Security is built in across our products, infrastructure and processes.
How Momentive manages data security
We use encryption, access control and need-to-know processes to ensure proper handling of customer data throughout its lifecycle. Our global Trust & Security team works around the clock to monitor and manage our security posture. They are responsible for security compliance, education, operations and incident response.
Data resides on our infrastructure, which is hosted and managed on public clouds. We select public cloud vendors that demonstrate and adhere to rigorous data protection processes. In addition, we perform rigorous security testing and maintain security incident response policies. These processes help us to maintain 99.9% uptime of our web services.
One of our most important security strategies is to comply with and expand coverage of the industry regulations that matter to businesses. In addition to our SOC 2 Type 2 certification, we work with multiple third parties to audit and certify our products with ISO 27001, PCI DSS 3.2 and more.
View our Security Statement for more details about how we protect data for both our enterprise and individual customers.
Brent Williams is chief information security officer at Momentive.