Millisecond Software, LLC takes your security and privacy concerns seriously. This Security Statement is intended to provide a transparent look at our security infrastructure and practices to help assure that your data are sufficiently protected.
Inquisit Lab enables data collection on dedicated computers and laptops that may or may not have network access. Data from each Inquisit testing session is by default saved locally on the device in the same folder as the script. Inquisit Lab is designed to work with access restriction and disk encryption tools provided by the computer's operating system as well as most third party vendors.
Millisecond provides each customer a unique user name and password that must be entered each time a customer logs on. Millisecond issues a session "cookie" only to record encrypted authentication information for the duration of a specific session. The session "cookie" does not include either the username or password of the user. Millisecond does not use "cookies" to store confidential user and session information, but instead implements more advanced security methods based on dynamic data and encoded session IDs.
Customers login to secure areas of the site using industry standard Secure Socket Layer (SSL) technology, which protects data using both server authentication and data encryption, ensuring that data are safe, secure, and available only to customers providing valid login credentials for the account.
Password and credit card information are always sent over secure, encrypted SSL connections.
Data from participants are always uploaded to the server using secure, encrypted SSL connections.
Customers can delete data from the server at any time, at which point the data are completely removed from server and, after a 1-week buffer, from our tape backup system. If a customer does not delete the data, they are retained on the server for 5 years, after which Millisecond may delete or archive the files at its discretion.
We are PCI-DSS compliant. If you purchase our products using a credit card, your card number, expiration date, CVS code, billing name, and billing address are transmitted directly to our credit card processor in order to process the transaction. Only the billing name, address, and last 4 digits of the card number are stored in our systems.
Millisecond’s web servers are located in Overland Park, Kansas, USA. The facility is staffed and surveilled 24/7. It is secured by security guards, visitor logs, and entry requirements (card keys and biometric recognition), and digital surveillance equipment that monitors the data center. The facility has environmental controls for temperature, humidity, and smoke/fire detection. The facility has SAS70, ISO27002, and PCI certification.
The servers reside behind high-availability firewalls and signature-less and signature-based intrusion prevention systems. All network layers are scanned in real time to detect spyware, spam, viruses, worms, Trojans, Web-based exploits, and blended threats. Automated network security audits are conducted to the standards and requirements of the SANS/FBI security test, the U.S. Department of Homeland Security's published recommendations and the Payment Card Industry Data Security Standard.
All software on the server is kept current with the latest patches, updates, and service packs. To reduce the surface area exposed to attacks, the servers run only those software components that are mission critical, with all non-essential components and functions removed or disabled.
The web site is coded in ASP.NET 4.0 running on Windows 2008 Server and SQL Server 2008.
Our engineers use best practices and industry-standard secure coding guidelines to ensure secure design and implementation.
Access to sensitive data and systems is granted on an as-needed basis. All newly hired personnel with access to sensitive data are subject to background checks. We maintain audit logs on all of our systems that provide an exhaustive account of which personnel have accessed which systems. We also maintain internal information security policies, including incident response plans, and regularly review and update them.
Despite best efforts, no method of transmission over the Internet, or method of electronic storage, is perfectly secure. Therefore, we cannot guarantee absolute security. If Millisecond learns of a security breach or potential security breach, we will attempt to notify affected users electronically so that they can take appropriate protective steps. Millisecond may also post a notice on our website if a security breach occurs. Of course, any security breach will be fully investigated to determine how the breach occurred and what data and systems might have been affected in order to prevent such an incident from happening again in the future.
Millisecond is subject to the investigatory powers of the Federal Trade Commission (FTC). Millisecond may be required to disclose personal information in response to lawful requests from public authorities, including to meet national security or law enforcement requirements.
Millisecond offers online demos of its products, including surveys and psychological tests. Some of these tests may gather personal information that may be used for purposes of product development, product testing, and scientific research. Millisecond does not share the information with third parties other than those that provide its computing and storage infrastructure. Millisecond stores such information anonymously so that it can not be traced back to any individual's identity. Because the data are anonymous, Millisecond is unable to provide individuals access to their data.
Researchers may license Millisecond's products to gather and store personal information via surveys or psychological tests for the purposes of scientific or commercial research. While Millisecond provides services for gathering and storing such data, it does not own these data. Therefore, individuals wishing to access personal information gathered by researchers, or who wish to limit the use and disclosure of such data, should contact the researchers who recruited them to participate in the study.
Except as otherwise provided herein, Millisecond discloses Personal Data only to Third Parties who reasonably need to know such data only for the scope of the initial transaction and not for other purposes. Such recipients must agree to abide by confidentiality obligations. Millisecond may provide Personal Data to Third Parties that act as agents, consultants, and contractors to perform tasks on behalf of and under our instructions. For example, Millisecond may store such Personal Data in the facilities operated by Third Parties. Such Third Parties must agree to use such Personal Data only for the purposes for which they have been engaged by Millisecond and they must either:
1) comply with the Privacy Shield principles or another mechanism permitted by the applicable EU & Swiss data protection law(s) for transfers and processing of Personal Data;
2) or agree to provide adequate protections for the Personal Data that are no less protective than those set out in this Policy;
Millisecond also may disclose Personal Data for other purposes or to other Third Parties when a Data Subject has consented to or requested such disclosure. Please be aware that Millisecond may be required to disclose an individual's personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements. Millisecond is liable for appropriate onward transfers of personal data to third parties.
In compliance with the Privacy Shield Principles, Millisecond commits to resolve complaints about our collection or use of your personal information. EU individuals with inquiries or complaints regarding our Private Shield policy should first contact Millisecond at:
Millisecond has further committed to cooperate with EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact the EU DPAs for more information or to file a complaint. The services of EU DPAs are provided at no cost to you.
All claims and disputes not covered by the DPA are to be settled by binding arbitration in the state of Washington, US or another location mutually agreeable to the parties. An award of arbitration may be confirmed in a court of competent jurisdiction. While Millisecond endeavors to keep personal information secure, Millisecond is not liable for the unauthorized transfer of personal information to third parties by accident or security breach.
If you have questions about Millisecond security, please email us at .