When it comes to security, your software choice is your first line of defense. Submittable is SOC 2 Type 2 certified (and HIPAA compliant as needed)—so you’re off to a great start. But it’s important to recognize that your choices, habits, and internal policies have a serious role to play in protection of applicant data as well.
This month, we’ll go over a “security check up”: a few steps worth taking on your end to keep your program data safe and private. And, surprise! One of them is to consider requiring multi-factor authentication, which is now available at no cost to all Submittable customers.
Why do a security check up?
Submittable programs, especially the ones that involve funding, can collect some of the most sensitive information people share anywhere—tax records, bank details, Social Security numbers, household income. Over time, this data only accumulates.
That’s why it’s important to closely watch what information you collect, how you collect it, and who has access to it. Failure to do so could have awful consequences for your applicants: identity theft and financial fraud, to say nothing of betrayal by a program designed to help them. For your organization, they’re no less serious, including potential liability and reputational damage from which it could be tough to recover. Bear in mind, it wouldn’t necessarily require a sophisticated attack either. Just a door that no one remembered to close.
Have I convinced you? Good, scare tactic complete! Now let’s dig in.
Submittable Security Check Up
1. Consider requiring MFA
Why it matters:
A compromised password could be enough to expose all of your data. Multi-factor authentication (MFA) adds a second step at login that stops most unauthorized access before it starts. While Submittable has required email validation and offered automated MFA when we detect suspicious activity on an account for two years now, your organization now has the option to require MFA for all users at all times.
What to do:
Decide if requiring MFA is right for your organization. Keep in mind that when enabled, it will require MFA for all admins, reviewers, and submitters interacting with your account. (Note, they will have the option to have their device remembered for 30 days.)
Contact our Support team to get it enabled today!
2. Audit who has access to your account
Why it matters:
Especially if you’ve been with Submittable for a while, it could be that there are staff who have left or external reviewers from previous cycles who still have access to your account. It’s a good idea to regularly take a look and remove anyone who is no longer an active part of your process.
What to do:
Visit your Teams page under More > Teams
If anyone no longer needs access to your account, decide to deactivate or remove them:
Deactivate by clicking “Edit” and then unchecking “Active.” They’ll lose access but their name will still be visible with any reviews they’ve left.
Remove by clicking “Delete.” Their name will be removed on any reviews they’ve left.
3. Practice the “Principle of Least Privilege” with Custom Roles
Why it matters:
The Principle of Least Privilege (PoLP) is a cybersecurity philosophy that restricts user permissions to the bare minimum required for them to perform their tasks. You can use Submittable’s Custom Roles to ensure users do not have more access than is required. For instance, a finance role might not need access to submission data. Think of it as a way to reduce the "blast radius" if an account were to be compromised.
What to do:
Custom Roles are available to customers on our current Starter package and above. To activate it, contact Support. To upgrade, contact your Customer Success Manager.
Under the Roles Management tab, design the role(s) with the required permissions.
Read more in the Help Center.
4. Conceal sensitive fields in forms
Why it matters:
Reviewers should only have access to data relevant to their decision. However, often you’ll need to collect demographic data or financial information as part of your process. In these cases, use the Conceal Response feature to avoid unnecessary exposure.
What to do:
When building any Form, check the “Conceal Response” box under Response Options. Conceal is particularly recommended for SSNs, EINs, bank details, date of birth, and income information. Note: Submittable automatically selects this for you in SSN, W2, Bank Details, and Fraud Prevention form fields.
When creating your Project, set the Concealment threshold. Higher is more secure.
Bear in mind that when a submission enters a terminal status (Accepted, Declined, Completed, or Withdrawn), previously concealed data becomes available to all reviewers. Be sure, therefore, to remove any non-administrators from the submissions before changing submissions to terminal statuses. Stay tuned for a future update where you’ll have the option to keep concealed fields hidden indefinitely!
Read more in the Help Center.
5. Collect only what you need
Why it matters:
Every piece of data that you ask for becomes data that you are responsible for keeping safe. So the more you gather, the more exposed you are if something goes wrong. A simple way to reduce risk is to not ask for anything inessential, especially personal information. Bonus: this is also a best practice from the perspective of respecting your applicants’ (and reviewers’!) time.
What to do:
Review your active forms for information you are collecting. Be sure to include post-award forms as well (such as Request and Additional Forms).
Especially where there is sensitive data being collected, ask yourself or your team: Do we use this data? Is it essential for our work? Is it being gathered at the right stage? (For instance, you only need to collect payment information from awardees and should do so via an Additional Form, not in an Intake Form.)
6. Understand your responsibility to delete submitter data if asked
Why it matters:
Under Submittable's Terms and Conditions and Privacy Policy, Submittable controls Submittable users’ account information, and serves as the processor and service provider of submission data on behalf of our customers. This means that your organization is responsible for received submission data.
As such, when it comes to requests to delete accounts and data, Submittable can delete Submittable accounts, but it may be your responsibility to delete individual submissions. We advise submitters who make such a request to contact you.
What to do:
Nothing, unless and until a submitter requests you delete their submission. If they do, you should honor that request and refer to this help article for a refresher on how to delete a submission.
As always, I hope you find the tips in today’s newsletter helpful. Security may be a little boring, but a security breach sure would not be! So do your part to be responsible, and feel good knowing that we are, too. (Learn more about security at Submittable on our website.)
Hope everyone's summer is off to a great start!
Natalya Taylor
Director of Product Marketing
