PCI Compliance

Your payment data, handled with care.

PCI DSS Compliance Statement

Effective Date: March 1, 2026

1. Overview

Zigpoll is committed to protecting the security of cardholder data. This page outlines our compliance with the Payment Card Industry Data Security Standard (PCI DSS) and describes the measures we take to ensure payment information is handled securely.

Zigpoll self-certifies its compliance with PCI DSS as a Level 4 Service Provider. We complete an annual Self-Assessment Questionnaire (SAQ) to validate our adherence to applicable PCI DSS requirements.

2. Payment Processing Architecture

Zigpoll does not directly process, store, or transmit cardholder data. All payment processing is delegated to PCI DSS Level 1 certified third-party payment processors:

Provider               Role                                  PCI DSS Level
Stripe                 Primary payment processor             Level 1
Shopify Billing API    Shopify app subscription billing      Level 1

Because we rely entirely on these PCI-compliant providers to handle cardholder data, our systems never come into contact with full card numbers, CVVs, or other sensitive authentication data.

3. Self-Assessment Questionnaire (SAQ)

Zigpoll completes SAQ A annually, which applies to merchants and service providers that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers. This questionnaire confirms that:

  • We do not electronically store, process, or transmit any cardholder data on our systems or premises.
  • All payment pages are served directly by our PCI DSS validated payment processors.
  • We have confirmed that all third parties handling cardholder data are PCI DSS compliant.

4. Security Measures

Although we do not handle cardholder data directly, we maintain robust security practices across our infrastructure:

4.1 Encryption

  • All data transmitted between users and Zigpoll is encrypted using TLS 1.2 or higher.
  • Data at rest is encrypted using AES-256 encryption via our infrastructure providers.

4.2 Access Controls

  • Access to production systems is restricted to authorised personnel on a need-to-know basis.
  • Multi-factor authentication (MFA) is required for all administrative access.
  • Access permissions are reviewed on a regular basis.

4.3 Network Security

  • Firewalls and network segmentation are in place to protect sensitive systems.
  • Intrusion detection and monitoring are active across our infrastructure.
  • Regular vulnerability scans are performed on internet-facing systems.

4.4 Application Security

  • Secure coding practices are followed in all development processes.
  • Dependencies are monitored and updated to address known vulnerabilities.
  • Annual penetration testing is conducted by qualified assessors.

5. Incident Response

Zigpoll maintains an incident response plan that includes procedures for identifying, containing, and remediating security incidents. In the event of a suspected data breach involving payment information:

  1. The incident will be escalated to our security team immediately.
  2. Affected payment processors will be notified without undue delay.
  3. Affected customers will be notified in accordance with applicable laws and regulations.
  4. A post-incident review will be conducted to prevent recurrence.

6. Third-Party Compliance Validation

We verify the PCI DSS compliance status of our payment processing partners on an annual basis. Compliance attestations and certificates are available from each provider:

7. Employee Awareness

All Zigpoll employees and contractors receive security awareness training that covers:

  • Handling of sensitive data and payment-related information.
  • Recognising and reporting phishing attempts and social engineering.
  • Adherence to company security policies and procedures.

8. Annual Review

This compliance statement and our associated security measures are reviewed and updated at least annually, or whenever there is a material change to our payment processing architecture or security posture.

Last SAQ Completion Date: February 2026

Next Scheduled Review: February 2027

9. Contact

For questions about our PCI compliance or to request additional security documentation, please contact us:
