Formstack is PCI compliant as both a merchant and a service provider. To become PCI compliant, a third party auditor tested us on the following controls:
- Firewall Configuration
- No Vendor Supplied Password Defaults in Use
- Stored Data Protection
- Encryption in Transit
- Anti-Virus Use
- Secure Systems and Applications
- Access Restriction
- Unique Passwords for Users
- Physical Access Restrictions
- Access Tracking and Monitoring (Logging)
- Test Security Systems
- Security Policy
For our HIPAA plan customers, Formstack is committed to its continued compliance with HIPAA.
Global Privacy Compliance
To comply with privacy practices globally, Formstack is committed to its continued compliance with GDPR, PIPEDA, and other privacy regulations and laws.
Security and Privacy
AWS Hosting. Formstack uses AWS in the United States as our external security hosting provider. AWS meets System and Organization (SOC) standards verified by independent third-party examination reports demonstrating how the provider achieves key compliance controls and objectives. Please see the following website for further details on AWS compliance: https://aws.amazon.com/compliance/programs/.
Your Data is Your Data.
Data ownership. Your organization owns the submission data and file upload data. In EU Data Protection Law speak, your organization is the Controller. Formstack will only access your data at your request. To protect your data from unauthorized access, we have logs with alerts set to notify us of suspicious activity.
Your organization may download your information or delete your information for our application at any time.
Authenticate Your Way
Passwords. Formstack provides customers with the ability to create strong passwords that:
- Lockout the users after ten (10) failed attempts to log in
- Require a minimum of seven (7) characters
- Contain letters, numbers, or symbols
- Must be changed periodically
- Cannot be the last four (4) passwords used.
Timeout Settings. Customers may set a timeout for users after a fixed period of inactivity (15 minutes, 30 minutes, 1 hour, 4 hours.) For HIPAA plan customers, the timeout is set at 15 minutes.
Password Strength. Formstack provides its customers with a password meter to guide users in the creation of strong passwords.
Multi-Factor Authentication. Formstack provides the customer with the option of enabling multi-factor authentication.
Industry Standard Encryption
Data at rest. All submission data is disk encrypted under AES-256.
Data in Transit. Data in transit is protected by TLS >=1.2 to provide end-to-end communication security.
HIPAA File Uploads. Personal health information uploaded to our S3 file servers is AES-256 encrypted with an AWS managed encryption key for server-side encryption.
Encryption Your Way
Client Form Encryption. Clients may encrypt their forms using a passphrase. This passphrase is only known to the customer and encrypts the data under a 1024 bit AES public key.
Data Backup and Replication
Data Backup. Formstack is not to be used for data backup. For our purposes, we back up and replicate data as follows:
- Nightly snapshots are taken of our application database cluster. These daily backups are stored for 14 days.
- All data stored on our AWS S3 is replicated consistent from US-East Region to US-West Region with versioning enabled on all buckets replicated to another region.
Data backups are also encrypted using AES-256. If the customer uses form encryption, the backup data will be encrypted with 1024 bit AES public key. If the data is replicated between regions, the data will be encrypted by AWS in addition to the file encryption and/or the client form encryption.
Logging. Our application will be configured for appropriate logging of activities to enable detection of security incidents. These incidents will be reviewed, and identified anomalies will be investigated for a possible compromise.
All logs activities are sent to a centralized logging infrastructure for audit purpose.
Internal Vulnerability Scans. Formstack runs internal vulnerability scans quarterly.
External Vulnerability Scans. Formstack has a PCI Approved Scanning Vendor (ASV) run external vulnerability scans quarterly.
Penetration Testing. Penetration testing for our application, network, and segmentation are run on a bi-annual basis by a third-party security vendor.
No External Testing. Since we have continuous scans and tests run by third-party vendors, Formstack does not allow external testing of our environment, including performance testing.
Business Continuity/Disaster Recovery
Response Plan. Formstack has a business continuity and disaster recovery plan that allows customers to continue to run our application in the unlikely event of an outage at AWS-US East.
Annual Training. Our employees and contractors are provided with privacy and awareness training yearly and must pass a quiz each year.
Developer Training. Developers train annually on secure coding guidelines, avoiding common coding vulnerabilities, and understanding how sensitive data is handled.
Incident Response and Data Breach Response
Response Plan. Formstack has documented Incident Response and Data Breach Response Plans, which outline the processes to respond to security events and incidents, and breaches of personal or protected data.
Formstack's goal is to notify customers of an actual security incident within 24 hours after becoming aware of it.
Internal Risk. Our organization addresses cybersecurity risks in our risk management processes to identify critical assets, threats, and vulnerabilities.
Third-Party Risk. Formstack performs risk-based due diligence on new and existing vendors to determine if the vendor is using appropriate technical controls and organization measures to protect data.
EU/Swiss Data Transfer. Formstack participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework, and has been added to the official list of certified companies by the U.S. Department of Commerce ( https://www.privacyshield.gov/participant?id=a2zt0000000TVUtAAO&status=Active ).