Protect your data with advanced form security.
Safely gather and manage online data through secure forms that are packed with protective features.
Frequently Asked Questions
How is my form data stored and protected?
Form data is stored securely on Formstack’s servers. All users have the option to enable encryption for their stored submissions. Users can also enable PGP email encryption to protect information shared through notification and confirmation emails.
How do you protect the confidentiality of transmitted data, including personal information and sensitive business information?
For transmitted data that’s sent through integrations and other methods, we use TLS.
Do you handle any credit card information as part of your service offerings?
Yes, we allow users to accept and collect online payments using credit card fields on their forms. Formstack integrates with a number of credit card processors. Formstack is a PCI-compliant Merchant and Service Provider.
Who has access to my data? Are there permissions in place?
We provide a segregated environment via a multi-tenant database so that each customer’s data is isolated and protected against unauthorized access. To protect your data further, we provide the ability to assign access privileges and permissions to different users.
What backups do you perform?
We back up the database daily with the ability to perform point-in-time restoration. Backups are kept for 14 days.
Do you proactively protect against common application attacks, such as input tampering and injection flaws?
We escape SQL, we sanitize HTML input, and we use CSRF tokens to mitigate common web vulnerabilities.
Is anti-virus and anti-malware protection maintained on your system? If so, what software is used?
Yes, we use anti-virus to scan file uploads for viruses. All of Formstack’s company-owned laptops run endpoint protection.
Do you have a security incident response process in place?
Engineers are available 24/7 and all engineers in rotation receive monitoring alerts regarding any incident.
How often do you conduct vulnerability assessments for all infrastructure, servers, databases, and applications?
We run internal vulnerability scans quarterly. External vulnerability scans are run quarterly by a PCI Approved Scanning Vendor (ASV). A third party runs penetration testing for our application, network, and segmentation on a bi-annual basis.
What is your company’s password policy?
Formstack provides customers with the ability to create strong passwords that:
- Lock out the user after ten (10) failed attempts to log in
- Require a minimum of seven (7) characters
- Contain letters, numbers, or symbols
- Must be changed periodically
- Cannot be the last four (4) passwords used
Customers may set a timeout for users after a fixed period of inactivity (15 minutes, 30 minutes, 1 hour, or 4 hours). HIPAA accounts are set at 15 minutes. Formstack provides its customers with a password meter to guide users in the creation of strong passwords. Additionally, Formstack provides the customer with the option of enabling multi-factor authentication.