Ballpark

Sign in

Book a demo

Ballpark

Sign in

Book a demo

Ballpark

Platform

Features

Surveys

Video

Prototype testing

Website testing

Copy testing

Recruitment

Screeners

Preference test

First click test

Five second test

Data tables

Card sorting

Live interviews

AI agent

soon

AI study creator

AI insights report

Solutions

Concept testing

Wireframe testing

Design surveys

Video surveys

Brand teams

Insight teams

Marketing teams

Use cases

Product managers

User researchers

Design leadership

Product designers

Pricing

Enterprise

Templates

Contact

Black-and-white line illustration of a folder tree representing projects and studies.
Black-and-white line illustration of a folder tree representing projects and studies.

Security and compliance

Authentication flow, role-based access and compliance standards

Overview

This page summarises how we protect customer data and what you should expect when building on the Ballpark API. Replace the placeholders with confirmed details from engineering and legal.

Data protection

  • Encryption in transit: TLS 1.2+ for all traffic

  • Encryption at rest: AES-256 for database and object storage

  • Backups: automated encrypted backups with periodic restore tests [confirm RPO/RTO]

  • Data residency: primary region [confirm region], optional residency controls [if applicable]

Access control

  • OAuth 2.0 with scoped tokens; follow least-privilege and request only the scopes you need

  • Personal access tokens may be available for single-user automation

  • See Scopes & permissions for a full mapping from resources to scopes

Data retention and deletion

  • Retention: default retention for responses, transcripts and media is specific to customer needs and in compliance with GDPR requirements

  • Deletion: permanent deletion on user request via the product or API. Data will be backed up for 30 days and then permanently deleted.

  • Exports: projects, responses, transcripts and media can be exported using Guides

Subprocessors

  • We work with carefully vetted subprocessors for hosting, storage and analytics

  • Full list and DPAs available on request via our https://trust.ballparkhq.com

Incident response

  • 24/7 monitoring and alerting [confirm coverage]

  • Triage severity levels and playbooks

  • Customer notification window of [confirm hours] for security incidents impacting data

Responsible disclosure

  • Report potential vulnerabilities to security@ballparkhq.com

  • Please include steps to reproduce, affected endpoints and any proof of concept

  • Coordinated disclosure policy and acknowledgement programme [link]

Compliance and audits

Can be accessed through our trust portal https://trust.ballparkhq.com

  • SOC II type 2 report

  • Penetration test report

  • Policies available on request: Information Security Policy, Data Protection Policy, Incident Response Policy

References

  • Authentication

  • Scopes & permissions

  • Terms of use