TSIA Benchmarking Data
Protection Measures

TSIA conducts primary research studies throughout the year in each of its Research Practices. These studies, collectively referred to as “benchmarking,” include the core Benchmark Study in each Practice; Multi-Member Studies, such as the PS Market Rates Study; and topic-specific studies that may be added to Practice research calendars.

In addition to the several layers of security afforded all member company confidential information and Personally Identifiable Information (PII) handled by TSIA (see “Information Security Measures”), the following measures are enforced with specific regard to benchmarking data:

Technology

There are three technologies employed in TSIA benchmarking: collection (SurveyGizmo); ETL (Alteryx); and visualization (Tableau).

• Hosting for the collection technology resides in SurveyGizmo’s cloud data center.
• Hosting for the ETL technology resides on the TSIA corporate network.
• Hosting for the visualization technology resides on TSIA’s Rackspace private cloud.

See technology supplier websites for information security-related documentation.

Encryption

All benchmarking data is encrypted from the point of collection through to transmission and storage:

• HTTPS and Secure Socket Layer (SSL) at the end user data collection interface
• 256-bit encryption for data at rest
• Technology suppliers’ HTTPS REST API for data transfer

Access

Only TSIA Research Executives and members of the TSIA Data Analytics Team have access to non-aggregated benchmarking data. Access to collection, ETL, and visualization technologies is controlled by one member of the Data Analytics Team. User accounts are deleted upon employee termination. All internal TSIA emails pertaining to a member company’s benchmarking response refer to alphanumeric codes instead of member company names; actual member company names are never mentioned in emails. All TSIA employees are bound by the company’s agreements and restrictions on the handling of member confidential data.

Aggregation

Depending on the study, benchmarking data can be aggregated at the total study level and at “industry” and “peer group” levels. The minimum number of data points reported out as an aggregate number at the industry level is nine (9), and at the peer group level is six (6). Benchmarking data points that do not meet these minimums are reported as “Not Enough Data” (NED).

Transmission

To ensure that benchmarking data is never shared with the wrong party, all benchmarking materials are securely delivered to the member company’s Primary Response Editor using password-protected links via TSIA’s instance of Salesforce:

• Benchmarking readout materials are uploaded to a proprietary Secure File System (SFS) inside TSIA’s instance of Salesforce.
• Salesforce generates a unique SFS sharing link, which is assigned and emailed to the member company’s Primary Response Editor.
• The Primary Response editor must then pass an email validation test before receiving a one-time code (OTC) that provides access to the SFS.

If another employee from a participating member company requests information about the benchmarking results, the Primary Response Editor must provide written authorization.

Retention

Benchmarking data is retained for 48 months from the date of collection. Data older than 48 months is flagged as inactive and archived from the benchmark database. Inactive/archived data can be restored if needed but is not used for industry or peer comparisons. Inactive/archived data can be expunged upon request by the contributing member company.