Support Home

Due Diligence

  • Overview
  • Legal
  • Legal Documents
  • Ethics
  • Ethics Applications
  • Anonymity and Ethics
  • Data Protection and Security
  • GDPR: General Data Protection Regulation
  • Data Protection and Security
  • Server Downtime

Overview


This document provides information on a range of topics that may need to be reviewed by stakeholders as part of the process of purchasing a Gorilla licence. If you have further questions, please don't hesitate to contact us by email (info@gorilla.sc).

Navigate through menu to the left for information on Gorilla Ethics, Data Protection, GDPR Complience and more.

If you want to read more about Gorilla Product and its Technical Side visit our Gorilla FAQ page.


Legal Documents


Gorilla is made, owned and sold by Cauldron Science Ltd (Cauldron).

Cauldron is incorporated in England and Wales under company number 07071678. Our VAT number is GB996693829. We are a micro-SME.

Our registered office is 2 Old Bath Road, Newbury, Berks, RG14 1QL and our business address is St John's Innovation Centre, Cowley Road, Cambridge, CB4 0WS.

Our Terms and Conditions can be found here.

Our Privacy Policy can be found here.

Our List of Suppliers can be found here.

Our Data Processing Agreement can be found here.


Ethics Applications


We're often asked to provide draft text for an ethics application. Below you will find information about Gorilla that could be useful for your application.

Gorilla

We will use Gorilla (www.gorilla.sc) to collect data for our study. Gorilla is a cloud software platform specifically for the behavioural sciences.

  • Hosting: Gorilla is hosted on Microsoft Azure within the EU (Republic of Ireland)
  • Traffic Encryption: All traffic to and from Gorilla is encrypted (TLS/SSL)
  • Database Encryption: The database is encrypted using industry-standard cryptography
  • Data Ownership: The experiment owner owns the research data that has been collected using Gorilla and has complete control over it
  • Data Protection: Gorilla is fully compliant with data protection legislation
  • BPS: Gorilla is fully compliant with BPS guidelines.
  • GDPR: Gorilla is fully compliant with GDPR.
  • IP Address: IP addresses are not provided in the data download unless specifically included.

Recruitment

  • Data Collection: Participants will take part via a desktop computer, laptop, tablet or phone from [anywhere in the world]
  • Consent: Participants will give consent within Gorilla [see supporting documentation]. Participant can opt to not give consent.
  • Recruitment Policy:
    • We will use an anonymous recruitment policy in Gorilla. Consequently, once data is collected it cannot be deleted as it cannot be identified. Participants can still withdraw from the experiment at any time by closing their browser.
      or
    • We will use a recruitment policy in Gorilla that provides participants with a unique an non-identifyable key [ABC123456] that allows them to withdraw their data after completing the experiment.
      or
    • We need to collect data from participants over several days and therefore want Gorilla to email participants to remind them to take part. Consequently participant email addresses will be uploaded to Gorilla.
      • To ensure complete confidentiality and data security, participants are first given a Public ID (ABC123456) which they can use to log in with.
      • Performance data is stored against a Private ID (X1Y2Z345).
      • The relationship between the email address and Public ID is stored separately from performance data.
      • The relationship between the Public ID and Private ID is stored separately from performance data.

Anonymity and Ethics


In compliance with BPS (The British Psychological Society) requirements, identifying data, demographic information and performance data are all stored separately. They are downloaded separately from the metrics tab and joined together outside Gorilla using the Private IDs provided.

Our database architecture supports double-blind studies; you can join demographic data with performance data while remaining blinded.

If using Gorilla in conjuction with a third party recruitment service, it may be that you do not collect any identifying data. We do not collect IP addresses automatically, in order to ensure participant anonymity.

By default, data for each participant only becomes accessible when the participant completes an experiment, so if a participant withdraws from an experiment partway through you will not have access to their data. However, you can choose to manually include a participant who is partway through an experiment, which will give you access to their data. You can also choose to manually delete the data for any or all participants at any time.


GDPR: General Data Protection Regulation


Gorilla is fully compliant with GDPR.

Gorilla is built around the existing BPS (The British Psychological Society) and NIHR (National Institute for Health Research) standards which were far more stringent than the Data Protection Act. Moreover, GDPR does not apply to data that “does not relate to an identified or identifiable natural person or to data rendered anonymous in such a way that the data subject is no longer identifiable.” The majority of our recruitment policies anonymise participants.

In compliance with GDPR, we also provide a data protection agreement and list of suppliers.

Data Protection and Security


Gorilla is fully compliant with data protection and security policies.

  • Cyber Essentials: Certificate of Assurance - IASME-CE-004228.
  • Hosting: Gorilla is hosted on Microsoft Azure.
    • Currently, all our instances are located in their North Europe region, which is within the EU (Republic of Ireland).
    • In future, we may need to expand to other regions as we take on more international clients. This will allow us to keep data storage to particular jurisdictions if that's required from a legal standpoint
    • Microsoft Azure is compliant with ISO/IEC 27001:2005. More details.
  • Traffic Encryption: All traffic to and from Gorilla is encrypted (TLS/SSL)
  • Database Encryption: The database is encrypted using industry-standard cryptography
  • Ownership: The experiment owner owns the research data that has been collected using Gorilla
  • Data Protection: Participant research data can be fully deleted by the researcher. Responsiblity for deletion of participant data falls to the researcher including accidental deletion of participant data. Once data has been deleted it cannot be recovered. Researchers are able to delete all data for an experiment or data pertaining to an individual participant. When this action is taken, data will be removed immediately from the database, and cleared permanently from our automated backups after 14 days.
  • Passwords: We use up-to-date cryptography techniques to handle passwords and user authentication. Passwords are 10 characters long and must contain a reasonable amount of entropy. They are stored as salted hashes in our database to prevent against rainbow table attacks. To prevent brute force attacks, after 3 failed login attempts, users have to wait for 10 seconds before they can try again.
  • GDPR: Gorilla is fully compliant with GDPR.
  • IP Address: IP addresses are not provided in the data download unless specifically included.

Server Downtime


Microsoft Azure guarantees that our servers will be working 99.95% of the time. There are 525,600 minutes in a year. That 0.05% when our servers could be down - outside of our control - equates to ~263 minutes a year. This is equivalent to ~2 minutes a month or ~44 seconds a day. At scale, very rare events happen surprisingly often.

Microsoft Azure performs far above this threshold, nevertheless server downtime is a reality of internet research, and we want to give you the information you need to make an informed decision.

  • Short server downtime: Some server downtime will be so short that it will not affect your participants. The participants computer will have stored a few trials ahead, so it’s possible that the server is back up again before the participant needs more information.
  • Longer server downtime: Some server downtime will be long enough that participants notice. It may still be sufficiently short that the participant has to refresh their browser, and in that case it might simply be a question of excluding a trial with a long reaction time or inter trial interval. In this situation, the server downtime has impact similar to your participant being momentarily distracted.
  • Critical server downtime: Some server downtime will be long enough that participants cannot continue at that time. Depending on the recruitment policy and experiment, it might be that they can continue later. On the other hand, it might be that for experimental reason, you can’t use the data.

The risk to your experiment of server downtime will depend on your recruitment method and your target participants.

  • If you are crowdsourcing participant for free - then just ignore this risk.
  • If you are using a recruitment service, then you can mitigate the risk by releasing your study in batches. Generally this isn't necessary - participant pools are so big and the risk is so small that it makes more sense to tollerate the attrition.
  • However, if you are recruiting from a small population (e.g. green-eyed bilinguals), then you may want to recruit in very small batches.

On our side – as long as you haven’t included participants at the start node – no Gorilla fees would be due. If you are paying participants through a participant recruitment service, you may need to check their policy.