Support Home

Due Diligence

  • Due Dilligence
  • Company
  • Company Information
  • Terms and Conditions
  • Internal Review Boards / Ethics
  • Internal Review Boards / Ethics
  • Anonymity and Ethics
  • Informed Consent
  • Technical Attrition
  • Data Protection and Security
  • Overview
  • Processing of Data
  • EU Representation
  • Retention and Access to Information
  • Data Deletion
  • Third Party Suppliers
  • HR and InfoSec Policies
  • Cyber Essentials
  • Technical Safeguards
  • Accessibility
  • Accessibility Statement
  • Roadmap

Due Dilligence

This document provides information on a range of topics that may need to be reviewed by stakeholders as part of the process of purchasing a Gorilla subscription or getting approval from your Internal Review Board or Ethics Committee. If you have further questions, please don't hesitate to contact us by email (

If you want to read more about Gorilla Product and its Technical Side visit our Gorilla FAQ page.

Company Information

Gorilla is made, owned and sold by Cauldron Science Ltd (Cauldron).

Cauldron is incorporated in England and Wales under company number 07071678. Our VAT number is GB996693829. We are a micro-SME.

We are registered with the ICO under registration number ZA245277.

Our registered office is: 2 Old Bath Road, Newbury, Berks, RG14 1QL

Our business address is: St John's Innovation Centre, Cowley Road, Cambridge, CB4 0WS.

Terms and Conditions

Our Terms and Conditions can be found here.

Our Privacy Policy can be found here.

Our List of Suppliers can be found here.

Our Data Processing Agreement can be found here.

Internal Review Boards / Ethics

We're often asked to provide draft text for an Internal Review Board (IRB) or Ethics Committee. Below you will find information about Gorilla that could be useful for your application.


We will use Gorilla ( to collect data for our study. Gorilla is a cloud software platform specifically for the behavioural sciences. Here are some key facts about their data security:

  • Cyber Essentials: Certificate of Assurance - IASME-CE-004228
  • Hosting: Gorilla is hosted on Microsoft Azure within the EU (Republic of Ireland) which is compliant with ISO/IEC 27001:2005
  • Traffic Encryption: All traffic to and from Gorilla is encrypted (TLS/SSL)
  • Database Encryption: The database is encrypted using industry-standard cryptography
  • Data Ownership: The experiment owner owns the research data that has been collected using Gorilla and has complete control over it
  • Data Protection: Gorilla is fully compliant with data protection legislation
  • BPS: Gorilla is fully compliant with BPS guidelines.
  • GDPR: Gorilla is fully compliant with GDPR.
  • IP Address: IP addresses are not provided in the data download unless specifically included.


  • Data Collection: Participants will take part via a desktop computer, laptop, tablet or phone from [anywhere in the world]
  • Consent: Participants will give consent within Gorilla [see supporting documentation]. Participant can opt to not give consent.
  • Recruitment Policy:
    • We will use an anonymous recruitment policy in Gorilla. Consequently, once data is collected it cannot be deleted as it cannot be identified. Participants can still withdraw from the experiment at any time by closing their browser.
    • We will use a recruitment policy in Gorilla that provides participants with a unique an non-identifyable key [ABC123456] that allows them to withdraw their data after completing the experiment.
    • We need to collect data from participants over several days and therefore want Gorilla to email participants to remind them to take part. Consequently participant email addresses will be uploaded to Gorilla.
      • To ensure complete confidentiality and data security, participants are first given a Public ID (ABC123456) which they can use to log in with.
      • Performance data is stored against a Private ID (X1Y2Z345).
      • The relationship between the email address and Public ID is stored separately from performance data.
      • The relationship between the Public ID and Private ID is stored separately from performance data.

Anonymity and Ethics

In compliance with BPS (The British Psychological Society) requirements, identifying data, demographic information and performance data are all stored separately. They are downloaded separately from the metrics tab and joined together outside Gorilla using the Private IDs provided.

Our database architecture supports double-blind studies; you can join demographic data with performance data while remaining blinded.

Participant Data collected using Gorilla is anonymous by default. The only exceptions to this are (1) when using email based recruitment policies as Gorilla requires the participants email address to send them emails, (2) experiments in which the researcher elects to use personally identifying participant IDs and (3) the researcher collects personally identifying data as part of their study. In all cases, the participant would have given their consent.

For the avoidance of doubt, IDs from 3rd party recruitment services (e.g. Prolific) are anonymous; we cannot link such an ID and the associated participant data back to an individual. Unless you explicitly collect identifying data (e.g. names or email addresses), your data is most likely anonymous.

By default, data for each participant only becomes accessible when the participant completes an experiment, so if a participant withdraws from an experiment partway through you will not have access to their data. However, you can choose to manually include a participant who is partway through an experiment, which will give you access to their data. You can also choose to manually delete the data for any or all participants at any time.

Informed Consent

When getting consent from participants it may be prudent to get explicit consent for using Gorilla and our sub-processors. We suggest the following text:

How will my data be processed?

By taking part in this study you consent to the use of Gorilla and their subprocessors receiving your data. The Gorilla servers are located in the EU, with some ancillary services (emailing, error handling) provided by suppliers in the USA.

In order to have informed consent, you may want to provide more detail, such as:

  • The data collected will be anonymised


  • The study will collect your email address in order to send you login credentials or email reminders


  • The study will use personally identifying IDs, so your data can be identified

Technical Attrition

Technical attrition due to any element between the participant's device and our servers is a reality of internet research, and we want to give you the information you need to make an informed decision.

  • Short interruption: Some events will be so short that it will not affect your participants. The participant's computer will have stored a few trials ahead, so it’s possible that the connection is back up again before the participant needs more information. Gorilla stores participant data locally and will re-transmit any failed uploads.
  • Longer interruption: Some events will be long enough that participants notice. It may still be sufficiently short that the participant has to refresh their browser, and in that case it might simply be a question of excluding a trial with a long reaction time or inter trial interval. In this situation, the event would have an impact similar to your participant being momentarily distracted.
  • Critical interruption: Some events (e.g. a server issue or participant connection issue) will be long enough that participants cannot continue at that time. Depending on the recruitment policy and experiment, it might be that they can continue later. On the other hand, it might be that for experimental reason, you can’t use their data.

The impact of technical attrition on your experiment will depend on your recruitment method and your target participants.

  • If you are crowdsourcing participant for free - then just ignore this risk.
  • If you are using a recruitment service, then you can mitigate the risk by releasing your study in batches. Generally this isn't necessary - participant pools are so big and the risk is so small that it makes more sense to tolerate the attrition.
  • However, if you are recruiting from a small population (e.g. green-eyed bilinguals), then you may want to recruit in smaller batches.

On our side – as long as you haven’t included participants at the start node – no Gorilla fees would be due. If you are paying participants through a participant recruitment service, you may need to check their policy. Microsoft Azure guarantees that our servers will be working 99.95% of the time, and generally performs far above this threshold.


Gorilla is built to support the existing BPS (The British Psychological Society) and NIHR (National Institute for Health Research) standards which have strict codes of practice to adhere to, in addition to the legislative requirements of the GDPR and DPA2018.

To fulfil our Art 28 legal requirements as a Data Processor, we offer a Data Processing Agreement to our customers

Data controllers accept our list of suppliers as part of our terms and conditions. If and when we engage additional sub-processors, the Data Controller is informed.

The Data Controller shall be entitled to object to any such change, provided that the Data Processsor shall not be liable to the Data Controller for any failure to provide any element of Gorilla as a result of such objection.

2021 Brexit Update:

The EU has granted temporary ‘adequacy’ to the UK in relation to its personal data regime until at least 30 April (and potentially 30 June) in order to ensure that personal data can continue to travel from the EU to the UK and vice-versa as it did prior to Brexit.

In parallel to this, we have put in place arrangements to apply if the UK is not deemed ‘adequate’ and is treated as a third country by the EU. Those arrangements comprise the appointment of an EU representative and making available a mechanism pursuant to which you can enter into the EU Standard Contractual Clauses with us.

As a result and regardless of the outcome of the current EU/UK negotiations, EU institutions are able to continue to do business with us in a GDPR-compliant way.

Processing of Data

With regard to the personal data processed in the Gorilla System, we are a Data Processor and the customer is the Data Controller. S10 of our Terms and Conditions clarifies this.

For data where the customer is the Data Controller and we are the Data Processor, we use a small subset of our suppliers. We only use services from these suppliers which are limited in scope and strictly necessary to provide our services.

2020 Update

Following the judgment in the Schrems II case issued by the European Court of Justice we have been following the advice and guidance of the ICO and EDPB so that we can implement recommendations swiftly. This is the current advice from the Information Commissioner's Office.

The suppliers this applies to are:

Microsoft Azure

  • Web Hosting & Data Storage, hosted in EU (ROI and the Netherlands)
  • Microsoft itself located in USA
  • DPA signed with GDPR compliant SCCs

Participant Data collected using Gorilla is anonymous by default. The only exceptions to this are (1) when using email based recruitment policies as Gorilla requires the participants email address to send them emails, (2) experiments in which the researcher elects to use personally identifying participant IDs and (3) the researcher collects personally identifying data as part of their study. In all cases, the participant would have given their consent.

For the avoidance of doubt, IDs from 3rd party recruitment services (e.g. Prolific) are anonymous; we cannot link such an ID and the associated participant data back to an individual.


  • Error handling
  • Located in USA
  • DPA signed with GDPR compliant SCCs

We use Rollbar for error reporting. In the event that something unexpected happens, we capture that event data and send it to Rollbar so that we can investigate. The error data that is sent to Rollbar depends on the nature of the error. Identifying data will only be sent to Rollbar if necessary to diagnose the error.


  • Email Delivery
  • Located in USA
  • DPA signed with GDPR compliant SCCs

We use Sendgrid for email delivery. This is used to send transactional email to researchers (account setup, password recovery) and also to send transactional emails to participants to enable them to take part in studies. Emails will only be sent to participants when researchers use email-based recruitment policies, or if a participant enters their email address to receive reminder emails as part of a longitudinal study. In both cases, the participant will have supplied their email address to the researcher and consented to take part in the experiment.

EU Representation

We have appointed The DPO Centre as our EU Representative. If you wish to contact them directly:

or contact their physical address:

The DPO Centre
Alexandra House
3 Ballsbridge Park
D04C 7H2

Retention and Access to Information

  • Information accessible to Gorilla employees is managed in line with our retention and records management policies. These policies are owned and managed by the senior management team within Cauldron and detail the retention periods in place for the data within Cauldron.
  • Access to Gorilla systems is strictly limited to those people who need to access them based on their role. If a person leaves the organisation, or changes their role, access is reviewed or revoked as appropriate.
  • Data is created when a participant takes part in an experiment.
  • Data is deleted when a researcher deletes the data.
  • Deleted data is purged from our systems and not archived.
  • No customer or personal data is transported between physical locations within Cauldron and the Data Controller is responsible for any data transported between locations within their organisation (e.g. if data is exported and printed)

Data Deletion

What happens to the data in a user’s account if they close their account?

  • We delete their personal information (name, email etc).
  • We retain a HASH of their email address, so if they want to restore their account, we would be able to recover it. A HASH is a one-directional encryption, so we can't use it to restore their account without them contacting us first.
  • For any experiment where they are the owner: We move the project to a special 'orphaned' account in case a collaborator (or university) wants to claim ownership. We have no rights over User Content, even once they have closed their account.
  • Researchers are able to delete individual participants from experiments via the UI.
  • With this process, we've aimed to strike a balance between preserving potentially valuable research data while fulfilling expectations around privacy.
  • Deleted data is automatically removed from our back-ups after 14 days.

How can a university keep access to data that they paid for?

  • Researchers can collaborate with anyone else with a Gorilla account
  • Technicians have the ability to access projects owned by members of their subscription with the owner's permission.
  • Technicians could use this to ensure that a copy of data is downloaded and stored for posterity.

Third Party Suppliers

Our List of Suppliers can be found here

  • We perform an annual review of our suppliers to ensure that they continue to be compliant with our legal requirements. We also receive regular security bulletins from these suppliers.
  • Our T&Cs, list of Suppliers and DPA are kept up to date with any material changes to the platform. When they change, users are required to reconfirm their acceptance of them.
  • When you engage Gorilla as your Data Processor, we make you aware of the sub-processors involved in the processing of personal data via Clause 1.5 in the Data Processing Agreement
  • Agreements are in place which include detailed security requirements with any 3rd parties that are used to transfer business information between the organisation and external parties
  • We have a process to formally review the information security controls of those third party suppliers who will have access to client data:
    • Annual check of subcontractor status with respect to:
    • GDPR compliance
    • Lawful transfer mechanism for data outside of the EEA
    • Review regular security and update bulletins from these suppliers

HR and InfoSec Policies

  • All information security policy responsibilities are assigned to our CTO. The CTO is responsible for the content, updates and dissemination of all policies within Cauldron.
  • All policies are peer reviewed by the CEO prior to publication.
  • Staff are required to required to acknowledge receipt and understanding of information security policies, including updates.
  • All employee contracts include standard NDA clauses relating to confidentiality of client and business information. Access to information is based on least-privilege and any breach of confidentiality is grounds for termination of contract.
  • We have a robust Joiners, Movers and Leavers Process, which ensures that staff have access to all the information they need in order to fulfil their role, whilst also ensuring that no credentials remain for staff who move on, or for projects that are inactive.
  • If a member of our team moves on to other employment, processes are in place to ensure that all devices and information are returned at the end of the last working day.
  • Where Contractors are engaged by Cauldron, the same robust access management processes are used. This includes for privileged access. We only use established, reputable and industry leading subcontractors with appropriate contractual agreements.

Cyber Essentials

We hold Cyber Essentials certification: Certificate of Assurance - IASME-CE-004228. The registration can be viewed by entering ‘Cauldron Science Ltd’ into the search area here

Technical Safeguards

  • Cyber Essentials: Certificate of Assurance - IASME-CE-004228.
  • Hosting: Gorilla is hosted on Microsoft Azure.
    • Currently, all our instances are located in their North Europe region, which is within the EU (Republic of Ireland).
    • Microsoft Azure is compliant with ISO/IEC 27001:2005. More details.
    • Personal Data and User Content will be uploaded from the Controller to the Processor SaaS environment where it stored with Azure's standard security protocols.
  • Traffic Encryption: All traffic to and from Gorilla is encrypted (TLS/SSL)
  • Database Encryption: The database is encrypted using industry-standard cryptography
  • Ownership of Research Data: Users own their user content and the experiment owner owns the research data that has been collected using Gorilla
  • Data Deletion: Participant research data can be fully deleted by the researcher. Responsiblity for deletion of participant data falls to the researcher including accidental deletion of participant data. Once data has been deleted it cannot be recovered. Researchers are able to delete all data for an experiment or data pertaining to an individual participant. When this action is taken, data will be removed immediately from the database, and cleared permanently from our automated backups after 14 days.
  • Passwords: We use up-to-date cryptography techniques to handle passwords and user authentication. Passwords are 10 characters long and must contain a reasonable amount of entropy. They are stored as salted hashes in our database to prevent against rainbow table attacks. To prevent brute force attacks, after 3 failed login attempts, users have to wait for 10 seconds before they can try again.
  • GDPR: Gorilla is fully compliant with GDPR.
  • IP Address: IP addresses are not provided in the data download unless specifically included.
  • Risk Assessment: Our SaaS supplier is certified to ISO27001:2013 which is a risk-based certification. Evidence of risk assessment is a fundamental requirement of certification. We have access to Microsoft's Compliance Centre and are able to use their tooling to assess our risk
    • The MS Azure 27001:2013 risk assessment covers end of life hardware and software and ensures that all systems are supported.
  • Asset Management All hardware and software assets managed by Cauldron have been identified and documented in an asset register.
  • Data Centre Security: All data relating to Client Projects is held in Microsoft Data Centres. As part of their ISO27001 certification, it is a requirement that suitable physical security is in place The DCs that are in scope of the certification can be found on the 27K certificate here
  • Encryption (storage and transmission): User accounts are secure - passwords are stored using modern best-practice cryptography and reset keys are one-use-only SSL is used as standard
    • Service keys are held securely as Azure configuration settings and injected as environment variables (they never touch the codebase or developer machines)
    • All SQL queries are parameterised properly
    • All user input is sanitised and validated
  • Patching and Vulnerability Management Cauldron-owned and managed devices all have auto-update (patching) and AV (Windows Defender) enabled and auto-updated. The OS is Windows 10 pro in all cases. Change management processes are in place and any incidents following a change can be tracked back to the time and date so that remediation actions or change reversal can be performed. Event monitoring and vulnerability scanning are performed by Microsoft and any unusual activity investigated and remediated by the Cauldron CTO.
  • Back-ups: Back-ups are taken by Microsoft in line with their Terms of Service.
  • SDLC (Software Development Life Cycle) Software development lifecycle is as follows:
    • Features are developed on local developer machines which do not connect to any production services.
    • Builds are then deployed to a development server for testing, which is a completely standalone instance of Gorilla with its own separate infrastructure.
    • Once tested, updates are deployed to production via a staging slot to allow for seamless service.
  • Client Pentesting: Clients can commission their own penetration testing of the development environment at their own cost and with permission from us. Where clients have done this in the past, the tests have been passed successfully.
  • Test data: All development is done using test data. When new features are released, they are done so as 'beta' releases to further confirm how they work with live data. No live data is used during the development of systems.
  • Information Security Incident Management: All information security incidents are escalated to the relevant management as required. Our policy is to review the circumstances and take appropriate measures including termination of employment. We have internal processes for managing incidents such as database overloads or CPU exhaustion to minimise disruption for our users. This is covered in Section 1.4.f of the Data Processing Agreement
  • Business Continuity: Microsoft Azure is certified to ISO22301. Certification can be found here

Accessibility Statement

Our Accessibility Statement can be found here.


Gorilla is a large and complex software, and therefore adding accessibility to all our systems will take time. Here is our current roadmap:

Researcher Side

  • Implement an accessibility option that can be added to any account that needs it ( complete)
  • Improve accessibility of Support Docs and Academy (target: April 2021)
  • Improve the accessibility of the Gorilla marketing site ( complete)
  • Build accessibility into the next generation of tools (anticipated release date: September 2021)
  • Build accessibility into the next generation of Open Materials (anticipated release date: September 2021)

Participant Side

Not yet scheduled in detail. We are currently working with our users and scientific advisors to design the right set of accessibility features to support their research.