
Security Best Practices

Comprehensive guide to keeping your Smart eQuiz account and data secure

Security is a shared responsibility. While we implement enterprise-grade security measures, following these best practices will help you maximize the security of your Smart eQuiz account and protect your organization's data.

Account Security

Strong Passwords

  • Use at least 12 characters with a mix of uppercase, lowercase, numbers, and symbols
  • Avoid using personal information or common words
  • Use a unique password for Smart eQuiz (don't reuse passwords)
  • Consider using a password manager to generate and store secure passwords
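The length and character-class rules above can be enforced before a password is accepted. The following checker is an added example, not Smart eQuiz code; its short list of common passwords is constructed for illustration, and a real deployment would screen against a full breached-password list instead.

```python
import re
import string

MIN_LENGTH = 12  # minimum length from the guideline above

# Constructed illustrative list; replace with a real breached-password corpus.
COMMON_PASSWORDS = {"password", "password123", "qwerty", "letmein", "welcome", "admin"}


def check_password(password, personal_info=()):
    """Return a list of policy violations; an empty list means the password passes.

    personal_info: strings such as the user's name, username or e-mail local part
    that must not appear anywhere inside the password.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")

    lowered = password.lower()
    # Also compare with digits and symbols stripped, so "password-2024!" is
    # still recognised as built on a common word.
    core = re.sub(r"[^a-z]", "", lowered)
    if any(word in lowered or word in core for word in COMMON_PASSWORDS):
        problems.append("contains a common password or word")

    hits = [item for item in personal_info if len(item) >= 3 and item.lower() in lowered]
    if hits:
        problems.append("contains personal information: " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    for candidate in ("password123", "Correct-Horse-Battery-9"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The function reports every violation at once rather than stopping at the first, which gives the user a complete picture of what to change.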

Two-Factor Authentication (2FA)

  • Enable 2FA for all administrator accounts (required for Enterprise plans)
  • Use authenticator apps (Google Authenticator, Authy) instead of SMS when possible
  • Store backup codes in a secure location
  • Encourage all users to enable 2FA voluntarily

Access Management

Principle of Least Privilege

Grant users only the permissions they need to perform their role. Regularly review and audit user permissions to ensure they remain appropriate.

  • Limit the number of users with org_admin role
  • Use specialized roles (question_manager, inspector) instead of granting admin access
  • Remove access immediately when users leave your organization

Session Management

  • Log out from shared or public devices
  • Use the "Remember this device" option only on personal devices
  • Review active sessions regularly in account settings
  • Terminate suspicious or unrecognized sessions immediately

Data Protection

Question Bank Security

  • Mark sensitive questions as "confidential" to restrict access
  • Use approval workflows for question changes
  • Regularly back up your question bank data
  • Avoid including personally identifiable information (PII) in questions

Participant Data

  • Collect only the minimum data necessary
  • Obtain proper consent for data collection
  • Delete participant data when no longer needed
  • Use data anonymization for analytics and reporting

API & Integration Security

API Key Management

API keys provide full access to your account. Treat them like passwords.

  • Never commit API keys to version control or public repositories
  • Rotate API keys regularly (at least every 90 days)
  • Use environment variables to store API keys
  • Revoke API keys immediately if compromised
  • Use separate API keys for development, staging, and production
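The environment-variable, per-environment and 90-day rotation rules above can be wired into an integration's startup code. The snippet below is an added example and not part of Smart eQuiz or its SDK; the variable names SMARTEQUIZ_API_KEY_DEV, SMARTEQUIZ_API_KEY_STAGING and SMARTEQUIZ_API_KEY_PROD are assumptions chosen for illustration, and the hard-coded-key scan only recognises those assumed names.

```python
import os
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

ROTATION_PERIOD = timedelta(days=90)  # rotation interval from the guideline above

# Assumed variable names, one per environment, so a development key can never
# be confused with the production key (Smart eQuiz does not prescribe these).
KEY_VARIABLES = {
    "development": "SMARTEQUIZ_API_KEY_DEV",
    "staging": "SMARTEQUIZ_API_KEY_STAGING",
    "production": "SMARTEQUIZ_API_KEY_PROD",
}

# Matches an assignment of a literal string to one of the assumed key names,
# e.g. SMARTEQUIZ_API_KEY_PROD = "..." left in source code.
HARDCODED_KEY = re.compile(r"SMARTEQUIZ_API_KEY\w*\s*=\s*[\"'][^\"']+[\"']")


def load_api_key(environment, environ=None):
    """Return the API key for one environment, read from the process environment.

    Raising when the variable is missing makes the program fail closed instead
    of silently falling back to a hard-coded or wrong-environment key.
    """
    environ = os.environ if environ is None else environ
    try:
        name = KEY_VARIABLES[environment]
    except KeyError:
        raise ValueError(f"unknown environment {environment!r}") from None
    key = environ.get(name, "").strip()
    if not key:
        raise RuntimeError(f"{name} is not set; refusing to start without an API key")
    return key


def rotation_status(issued_at, now: Optional[datetime] = None):
    """Return (overdue, days_remaining) for a key issued at `issued_at`.

    days_remaining is negative once the 90-day rotation deadline has passed.
    """
    now = now or datetime.now(timezone.utc)
    due = issued_at + ROTATION_PERIOD
    return now > due, (due - now).days


def contains_hardcoded_key(source_text):
    """True if the text assigns a literal value to one of the assumed key variables.

    Reading the key through os.environ[...] does not match, only a literal string.
    Suitable as a pre-commit check so keys never reach version control.
    """
    return HARDCODED_KEY.search(source_text) is not None


if __name__ == "__main__":
    issued = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed issue date
    print("rotation:", rotation_status(issued))
    print("hard-coded key found:", contains_hardcoded_key('SMARTEQUIZ_API_KEY_PROD = "x"'))
```

Recording the issue date alongside each key (for example in the secrets manager that supplies the environment variable) is what makes the rotation check possible; without it there is nothing to measure the 90 days against.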

Monitoring & Incident Response

Activity Monitoring

  • Review audit logs regularly (available on Professional and Enterprise plans)
  • Monitor login attempts and failed authentication
  • Watch for unusual data access patterns
  • Set up alerts for critical actions (user creation, permission changes)
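The monitoring points above (failed authentication, and alerts on user creation and permission changes) can be turned into simple detection logic over an exported audit log. This is an added example, not a Smart eQuiz feature: the JSON-lines layout and the sample events are constructed for illustration, so parse_event() will need adapting to the real export format, and the five-failures-in-ten-minutes threshold is an assumption to tune for your organization.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events in an assumed JSON-lines layout.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:01Z", "event": "login_failed", "user": "alice", "ip": "203.0.113.5"}
{"ts": "2024-05-01T09:00:09Z", "event": "login_failed", "user": "alice", "ip": "203.0.113.5"}
{"ts": "2024-05-01T09:00:15Z", "event": "login_failed", "user": "alice", "ip": "203.0.113.5"}
{"ts": "2024-05-01T09:00:22Z", "event": "login_failed", "user": "alice", "ip": "203.0.113.5"}
{"ts": "2024-05-01T09:00:30Z", "event": "login_failed", "user": "alice", "ip": "203.0.113.5"}
{"ts": "2024-05-01T09:01:02Z", "event": "login_success", "user": "alice", "ip": "203.0.113.5"}
{"ts": "2024-05-01T09:05:00Z", "event": "login_success", "user": "bob", "ip": "198.51.100.7"}
{"ts": "2024-05-01T09:06:10Z", "event": "user_created", "user": "bob", "target": "mallory"}
{"ts": "2024-05-01T09:06:40Z", "event": "permission_changed", "user": "bob", "target": "mallory", "role": "org_admin"}
{"ts": "2024-05-01T11:00:00Z", "event": "login_failed", "user": "carol", "ip": "192.0.2.9"}
"""

CRITICAL_EVENTS = {"user_created", "permission_changed"}  # critical actions named above
FAILED_LOGIN_THRESHOLD = 5                                # assumed threshold
FAILED_LOGIN_WINDOW = timedelta(minutes=10)               # assumed sliding window


def parse_event(line):
    """Parse one JSON line and convert its timestamp to a datetime."""
    event = json.loads(line)
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_alerts(log_text):
    """Return (alert_type, user, detail) tuples for the events in log_text."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    failures = defaultdict(list)  # (user, ip) -> timestamps of recent failures
    flagged = set()               # (user, ip) pairs already reported
    for e in events:
        if e["event"] in CRITICAL_EVENTS:
            detail = f'{e["event"]} target={e.get("target")} role={e.get("role", "-")}'
            alerts.append(("critical_action", e["user"], detail))
        elif e["event"] == "login_failed":
            key = (e["user"], e["ip"])
            window = failures[key]
            window.append(e["ts"])
            # Drop failures that fell outside the sliding window.
            while window and e["ts"] - window[0] > FAILED_LOGIN_WINDOW:
                window.pop(0)
            if len(window) >= FAILED_LOGIN_THRESHOLD and key not in flagged:
                flagged.add(key)
                detail = f"{len(window)} failed logins from {e['ip']} within {FAILED_LOGIN_WINDOW}"
                alerts.append(("brute_force", e["user"], detail))
        elif e["event"] == "login_success":
            key = (e["user"], e["ip"])
            # A success right after a burst of failures deserves its own alert.
            if key in flagged:
                alerts.append(("success_after_failures", e["user"], f"login from {e['ip']} after repeated failures"))
            failures.pop(key, None)
    return alerts


if __name__ == "__main__":
    for alert_type, user, detail in detect_alerts(SAMPLE_LOG):
        print(f"{alert_type:24} {user:8} {detail}")
```

Running it over the sample produces four alerts: a brute-force burst against alice, her subsequent successful login from the same address, and the two critical actions by bob. The single failure by carol stays below the threshold and is not reported, which is the point of the sliding window: it separates ordinary typos from sustained guessing.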

If You Suspect a Security Incident

  1. Immediately change your password and revoke API keys
  2. Contact our security team at security@smartequiz.com
  3. Review recent activity logs for unauthorized access
  4. Notify affected users if data may have been compromised
  5. Document the incident timeline and actions taken

Additional Resources