🎉  Formstack has acquired WebMerge! Learn More   ðŸŽ‰

Features Security

Protect your data with advanced form security.

Safely gather and manage online data through secure forms that are packed with protective features.

Try It Free

Secure Forms with Formstack

Formstack is dedicated to providing all users with the highest levels of form security. We offer multiple security methods to help you gain peace of mind. Browse through the selection of tools below to learn more.

256-Bit SSL

256-Bit SSL

Keep your form data safe with the industry standard for viewing and sending sensitive information online. Every Formstack form comes with 256-bit SSL (Secure Socket Layer) enabled.

Learn More

Data Encryption

Data Encryption

Encrypt information in Formstack's database to ensure no one but you can read it. This is required if you're collecting sensitive data like credit card details and social security numbers.

Learn More

PGP Email Encryption form security

PGP Email Encryption

Protect the data you send via email with advanced PGP (Pretty Good Privacy) encryption. This is required if you're using email to route sensitive information to different team members.

Learn More

Password Protection

Password Protection

If you don't want just anyone viewing and submitting your form, set a required password. This works perfectly if you're using your form internally or for private events with limited space.

Learn More

Invisible reCAPTCHA

Invisible reCAPTCHA

Opt to add Invisible reCAPTCHA to your forms to create a more secure form submission process. Spammers won't be able to submit bogus information, and your database will be clean and error-free.

Learn More

Formstack is committed to its continuous compliance with the EU General Data Protection Regulation (GDPR) and other global privacy regulations. Read more

HIPAA Compliance

Formstack offers an enterprise-level solution that is compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). With Formstack HIPAA, healthcare customers can eliminate hours of manual data entry with secure online forms that collect electronic protected health information (ePHI). Mandatory security measures include data encryption, access controls, auditing, and logging.

To learn more about HIPAA and how you can activate Formstack HIPAA compliance for your organization, please contact us.

Frequently Asked Questions

How is my form data stored and protected?

Form data is stored securely on Formstack’s servers. All users have the option to enable encryption for their stored submissions. Users can also enable PGP email encryption to protect information shared through notification and confirmation emails.

How do you protect the confidentiality of transmitted data, including personal information and sensitive business information?

For transmitted data that’s sent through integrations and other methods, we use TLS.

Do you handle any credit card information as part of your service offerings?

Yes, we allow users to accept and collect online payments using credit card fields on their forms. Formstack integrates with a number of credit card processors. Formstack is a PCI compliant Merchant and Service Provider.

Who has access to my data? Are there permissions in place?

We provide a segregated environment via a multi-tenant database so that each customer’s data is isolated and protected against unauthorized access. To protect your data further, we provide the ability to assign access privileges and permissions to different users.

What backups do you perform?

We back up the database daily with the ability to perform point-in-time restoration. Backups are kept for 14 days.

Do you proactively protect against common application attacks, such as input tampering and injection flaws?

We escape SQL, we sanitize HTML input, and we use CSRF tokens to mitigate common web vulnerabilities.

Is anti-virus and anti-malware protection maintained on your system? If so, what software is used?

Yes, we use anti-virus to scan file uploads for viruses. All of Formstack’s company owned laptops run endpoint protection.

Do you have a security incident response process in place?

Engineers are available 24/7 and all engineers in rotation receive monitoring alerts regarding any incident.

How often do you conduct vulnerability assessments for all infrastructure, servers, databases, and applications?

We run internal vulnerability scans quarterly. External vulnerability scans are run by a PCI Approved Scanning Vendor (ASV) quarterly. We have a third-party run penetration testing for our application, network, and segmentation on a bi-annual basis.

What is your company’s password policy?

Formstack provides customers with the ability to create strong passwords that:

  • Lockout the users after ten (10) failed attempts to log in
  • Require a minimum of seven (7) characters
  • Contain letters, numbers, or symbols
  • Must be changed periodically
  • Cannot be the last four (4) passwords used.

Customers may set a timeout for users after a fixed period of inactivity (15 minutes, 30 minutes, 1 hour, 4 hours.) HIPAA accounts are set at 15 minutes. Formstack provides its customers with a password meter to guide users in the creation of strong passwords. Additionally, Formstack provides the customer with the option of enabling multi-factor authentication.

Protect your data with secure forms.
See Formstack's form security features in action with a free, 14-day trial.
Try It Free