Survey123 security questions - Does data get passed through public site?

07-22-2019 11:18 AM
Jay_Gregory
Occasional Contributor III

I have deployed a couple surveys to our ArcGIS Enterprise 10.6.1.  When filling out the survey through the web, the url is something like:

https://survey123.arcgis.com/share/f9f0421e26ec4006a247dc53085a998f?portalUrl=https://myarcgisenterprise

When looking at Chrome developer tools, it seems like the survey123.arcgis.com website is just for the JS and CSS parsing of the form tables, but data submitted through the survey does not go through survey123.arcgis.com, just all through the applyEdits endpoint of the feature service.  Is that correct?  Is there any documentation regarding Survey123 for the security minded folks in our organization, because having the survey123.arcgis.com website in the URL raises some eyebrows. 

Is there any way around having to use a public url to submit the form?  Is the only way using one of the native mobile apps or Survey123 connect?  We don't work in an entirely disconnected env., but any documentation that speaks to limiting the amount of external traffic when viewing and submitting forms will go a long way with our security folks.

The main issue is, even though data might NOT get passed through survey123.arcgis.com when submitting to ArcGIS Enterprise, we have no control over that, and at some point Esri _could_ decide to capture this data, because we're accessing the form through survey123.arcgis.com.

Thanks!

Jay

by Anonymous User
Not applicable

Hi Jay,

If you do not want to use the public Survey123 website due to security and data privacy issues, we are currently working on an On-premises install of the Survey123 Website, Web App and API. This allows you to install all the required components on a local server inside your infrastructure and point Connect, Field App, Website and Web App to use this local install inside your network and not need to use the public Survey123 web services. Works for both fully disconnected (no internet) and partially disconnected environments.

The On-premises install is currently in Beta and due to be released with the next release of Survey123 later this year. You can try out the current Beta version of the install on the Early Adopter Community site for Survey123, where we have the install files and documentation.

Hope this helps.

Phil.

IsmaelChivite
Esri Notable Contributor

To add to Philip Wilson's response above: Data submitted through the Survey123 web or field app will not go through ArcGIS Online if your survey is hosted in your own instance of ArcGIS Enterprise. Having said this, the Survey123 web application that renders your ArcGIS Enterprise survey is hosted in ArcGIS Online. This is why when you use the developer tools in your web browser, you will see that this resource is downloaded from ArcGIS Online. The Survey123 web app is downloaded into your browser and from there, the data sent always goes straight into ArcGIS Enterprise. You will also see many other calls going into ArcGIS Online including calls to download map tiles (if you use a map question). Again, this does not mean that your data goes through ArcGIS Online. If all of the above is still an issue for you, as Philip points out, you should consider installing the Survey123 web app, website and API in your own server.
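One way to check the behaviour described in this thread for yourself, added here as an example that is not part of the thread and not Esri code: export a HAR file from the browser's developer tools while submitting a test survey, then list which hosts received a request body or query data. The sample HAR is constructed, and `gis.example.internal`, `tiles.example.com` and the feature service path are placeholders.

```python
import json
from urllib.parse import urlsplit

# Constructed HAR excerpt, not a real capture. gis.example.internal stands in
# for the ArcGIS Enterprise host; the tile host and service path are placeholders.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "bodySize": 0,
                 "url": "https://survey123.arcgis.com/share/SURVEY_ID"
                        "?portalUrl=https://gis.example.internal"}},
    {"request": {"method": "GET", "bodySize": 0,
                 "url": "https://tiles.example.com/tile/3/2/1"}},
    {"request": {"method": "POST", "bodySize": -1,
                 "url": "https://gis.example.internal/server/rest/services/"
                        "survey/FeatureServer/0/applyEdits",
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "f=json&edits=%5B%7B%22adds%22%3A%5B%5D%7D%5D"}}},
]}})


def audit_har(har_text, trusted_hosts):
    """Return (summary, findings) for a HAR capture.

    summary maps host -> request count and request-body bytes. findings lists
    (host, method, reason) for each request to a host outside trusted_hosts
    that carries a request body or a query string.
    """
    trusted = {h.lower() for h in trusted_hosts}
    summary, findings = {}, []
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        parts = urlsplit(req["url"])
        host = (parts.hostname or "").lower()
        body = req.get("postData", {}).get("text") or ""
        # HAR uses bodySize -1 when unknown, so fall back to the body text length.
        size = max(req.get("bodySize", -1), len(body.encode()), 0)
        stats = summary.setdefault(host, {"requests": 0, "body_bytes": 0})
        stats["requests"] += 1
        stats["body_bytes"] += size
        if host in trusted:
            continue
        if size > 0:
            findings.append((host, req["method"], f"request body of {size} bytes"))
        if parts.query:
            findings.append((host, req["method"], f"query string: {parts.query}"))
    return summary, findings


if __name__ == "__main__":
    for result in audit_har(SAMPLE_HAR, {"gis.example.internal"}):
        print(result)
```

On the constructed sample the only finding is the `portalUrl` query parameter sent to survey123.arcgis.com, which matches the share URL quoted in the question; the form data itself appears only in the POST to the Enterprise host.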