Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
SurveyMonkey is a user preference and personalization service that helps websites deliver customized experiences based on individual visitor settings and choices. It manages preferences for content display, communication channels, and interaction styles. SurveyMonkey integrates with website platforms to remember and apply user choices consistently across sessions. With privacy-compliant preference storage, SurveyMonkey enhances satisfaction by ensuring tailored browsing experiences for every visitor.
SurveyMonkey, founded in 1999 and now part of Momentive Inc., is one of the most widely used SaaS survey platforms. Surveys are designed and hosted on surveymonkey.com and distributed by direct link, email, embedded JavaScript snippet, popup or iframe. Responses are stored on SurveyMonkey infrastructure by default in the United States, with an optional EU data residency for Enterprise customers.
SurveyMonkey provides a question builder with 16 question types, branching logic, randomisation, multilingual surveys, NPS and CSAT templates, advanced analytics with crosstabs and text analysis, and integrations with Salesforce, HubSpot, Microsoft Teams, Slack and Zapier. The Audience marketplace also lets customers purchase responses from a panel of paid participants.
The embedded collector loads JavaScript from www.surveymonkey.com or its CDN and sets third party cookies including ep202 (anonymous identifier, two years), ep203, sm_uuid, ajs_anonymous_id and __cf_bm. Visitor IP, user agent and the page that triggered the collector are sent with each response. The platform records the response duration, the device type and, with the IP enabled option, an approximate geolocation.
SurveyMonkey acts as a processor on behalf of the survey author. The author must sign the SurveyMonkey Data Processing Addendum, document SurveyMonkey as a sub processor and choose a lawful basis for the response data. For embedded collectors, prior consent under Art. 5(3) ePrivacy is required for the third party cookies. SurveyMonkey is self certified under the EU US Data Privacy Framework.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Standard accounts store responses in the US. SurveyMonkey Enterprise customers can opt for the European data residency (Dublin, AWS eu west 1) at account level. Transfers from EU collectors to the US rely on the EU US DPF or on Standard Contractual Clauses plus supplementary measures. A Transfer Impact Assessment is mandatory either way for surveys that include identifiable personal data.
Block the embed until consent is granted. Sign the SurveyMonkey DPA. Activate EU data residency on Enterprise. Disable IP collection or anonymise it in the collector settings. Add a privacy notice and an opt in checkbox to each survey. Set a retention rule per project. Document SurveyMonkey as a sub processor and the relevant transfer mechanism in your records of processing.
Websites using SurveyMonkey must obtain user consent under GDPR regulations.
Third-party domains contacted
surveymonkey.comwww.surveymonkey.comeu.surveymonkey.comcdn.smassets.netmomentive.aiCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ep202 | third_party | 2 years | Anonymous visitor identifier set by SurveyMonkey for analytics and survey completion tracking. |
| ep203 | third_party | Session | Session identifier used by the SurveyMonkey collector to follow the current response. |
| sm_uuid | third_party | 1 year | Unique cookie used by SurveyMonkey to deduplicate responses and to remember partially completed surveys. |
| ajs_anonymous_id | third_party | 1 year | Anonymous identifier from the Segment analytics SDK used inside SurveyMonkey. |
| __cf_bm | third_party | 30 minutes | Cloudflare bot management cookie used to distinguish humans from bots on surveymonkey.com. |
SurveyMonkey uses cookies for user preferences — inform visitors with a consent banner.
The embedded collector loads cookies on the surveymonkey.com third party context: ep202 (anonymous identifier, two years), ep203 (session), sm_uuid, ajs_anonymous_id (Segment based analytics) and __cf_bm (Cloudflare). All require prior consent in the EEA.
Yes for the embedded collector that sets third party cookies (Art. 5(3) ePrivacy). The response data itself may be processed under Art. 6(1)(b) GDPR for customer feedback, Art. 6(1)(f) for legitimate interest or Art. 6(1)(a) consent for marketing surveys.
It depends on the survey purpose. Customer satisfaction: legitimate interest (Art. 6(1)(f)) or contract (Art. 6(1)(b)). Marketing or research: explicit consent (Art. 6(1)(a)). Employee surveys: legitimate interest or labour law obligation. Sensitive data (Art. 9): explicit consent.
By default yes. Enterprise customers can activate EU data residency in Dublin. Without EU residency, transfers rely on the EU US DPF (SurveyMonkey is certified) or on Standard Contractual Clauses with supplementary measures and a Transfer Impact Assessment.
A DPIA is recommended for surveys collecting health data, political opinions, religious beliefs, biometric data; for employee monitoring; or for surveys at large scale. The DPIA must cover the lawful basis, the residency, the transfer mechanism and the rights workflow.
Block the embed behind a marketing consent category. Sign the SurveyMonkey DPA. Activate EU residency in Enterprise. Disable IP collection in the collector settings if not strictly necessary. Add a privacy notice and consent checkbox to each survey. Set a retention rule. Document SurveyMonkey as a sub processor.
EU based: Typeform (Spain), Tally (Belgium), Qualtrics (US with EU residency), Sphinx (France), Drag'n Survey (France), LimeSurvey (Germany, self hostable). US based: Microsoft Forms, Google Forms, Qualtrics, Forsta, Alchemer.
Subscribe to the SurveyMonkey trust centre notifications. When the DPA, sub processor list or residency offering changes, update the cookie table, the data transfer section and the records of processing, and bump the consent banner version.