This is a questionnaire Medium sends to third party service providers before we work with them to ensure their data collection, storage, and security practices are consistent with our standards. We’re putting this in the public domain under Creative Commons license cc0 with no rights reserved — feel free to copy, modify, or use within your own organizations.

Privacy & Security at Medium

Questionnaire for Technology Service Providers

At Medium, protecting our users’ privacy and the security of their data is among our highest priorities. Occasionally, we work with technology service providers that may differ from us in their data collection, storage, and security policies. Before implementing any code from these providers, we seek to understand their approach to these issues and their practices around requesting and sharing data with third-parties.

If you’re reading this, we’re closely considering adding you to the very short list of service providers we work with. Please take the time to answer the questions below and submit them to privacy@medium.com.

Data Collection

1. Does your service require a tracking script? If so, please detail all data that it tracks, any endpoints it hits, and any sub-resources it loads.
2. Does your service drop a cookie? If so, please specify whether it is a persistent or session cookie, and detail all data that it tracks.
3. Does your service use other methods to track or identify users (for example, HTML5 local storage or Flash local shared objects)? Please detail all data your service tracks using these methods.
4. Does your service provide an API that can substitute for implementing a tracking script and/or cookie? If so, please provide documentation for using the API in this way.
5. Does your service supplement data collected online with offline data sources? If so, which offline data sources?
6. Does your service correlate activity across multiple websites, or allow third parties to do so?
7. Does your service comply with users’ Do-Not-Track settings?

Data Storage

1. Does your service store non-aggregate data about users?
2. Does your service store private or personally identifying individual user data?
3. Does your service delete or anonymize private or personally identifying individual user data after it is stored for a certain amount of time? If so, when? If the data is anonymized, how is that done?
4. How long do you keep logs containing user data?
5. Will all data about our users be deleted (including from logs) if we stop using your services?

Data Security

1. Does your service use SSL/TLS by default to transfer data securely? If not, does your service support SSL/TLS so that users can opt to transfer data securely?
2. Does your service encrypt private or personally identifying individual user data at rest on its servers?
3. Have you ever had any significant security breaches? Please specify when the service’s last professional security audit was conducted.

Third-Party Services

1. Does your service send out requests to any third-party hosts?
2. For each host that needs to be CSP whitelisted, please specify whether the content is loaded via XHR, scripts/tags, or iframes.
3. Does your service inject an iframe? If so, what does it load?
4. Does your service pull in any third-party tracking pixels, such as DFA or Facebook’s conversion tracking pixel?

Commercial Use

1. Do you use customer data to promote your business through advertisements?
2. Do you sell customer behavior/information to third parties for marketing?