How do you protect the confidentiality of transmitted data, including personal information and sensitive business information?
Data transmitted through integrations and other methods is protected in transit with TLS.
What is your company’s password policy?
We don’t have a strict policy regarding customers, but we do encourage our users to create strong passwords. All employees and contractors are required to enable two-factor authentication as an additional precaution when setting up their passwords. In addition to account passwords, we provide the ability to create passwords for individual forms.
Who has access to my data? Are there permissions in place?
We provide a segregated environment via a multi-tenant database so that each customer’s data is isolated and protected against unauthorized access. To protect your data further, we provide the ability to assign access privileges and permissions to different users.
Do you proactively protect against common application attacks, such as input tampering and injection flaws?
We escape SQL, we sanitize HTML input, and we use CSRF tokens to mitigate common web vulnerabilities.
Where can I find more information on your security measures?
Form data is stored securely on Formstack’s servers. All users have the option to enable encryption for their stored submissions. Users can also enable PGP email encryption to protect information shared through notification and confirmation emails.
What backups do you perform?
We back up the database daily with the ability to perform point-in-time restoration. Backups are kept for 14 days.
Do you handle any credit card information as part of your service offerings?
Yes, we allow users to collect credit card information on their forms. We require credit card data to be encrypted when captured or transferred via our system. While we do not currently attest to PCI compliance, we work with card provider integrations that are fully PCI compliant.
Does using Formstack make me completely PCI compliant?
While Formstack is PCI compliant, using our system does not relieve you from fulfilling other requirements outlined by the PCI DSS. As a merchant, you're still responsible for ensuring all your processes meet the appropriate standards. For more information, check out the PCI SSC's official website.
Where can I embed my payment forms?
Formstack offers multiple embed options. Add payment forms to your website or social media platform, share a link via email, use Lightboxes and iFrames, add forms to your content management system, or tweak your form’s HTML code to suit your needs.
What payment integrations can I use with my forms?
Formstack lets you temporarily store cardholder data in your account before authorization. However, this option is not available by default and can only be enabled if you request access. For more information, check out this Help article.
Which Formstack products are HIPAA compliant?
Formstack Forms, Documents, and Sign are all HIPAA compliant. Our cloud-storage tool, Stash, is also HIPAA compliant.
Where can I embed my HIPAA forms?
Formstack offers multiple embed options. Embed forms on your website or social media platform, share a link via email, use Lightboxes and iFrames, add forms to your content management system, or tweak your form’s HTML code.
Can I use Conversion Kit features with the Formstack HIPAA plan?
Can I get API access to connect to my EHR/EMR or other third-party system?
Yes, Formstack has an open API that lets you connect your forms to third-party systems. Developer Central, our resource hub, is chock full of information on how to set up integrations and webhooks through Formstack.
Can I see a copy of your HIPAA Audit?
Yes, you can view Formstack's HIPAA Audit by filling out this request form.
Do you have any integrations that meet HIPAA compliance standards?