Frequently Asked Questions About Formstack Security

Check out this list of the most frequently asked questions about security and compliance across the Formstack platform.


General FAQ

How do you protect the confidentiality of transmitted data, including personal information and sensitive business information?

For transmitted data that’s sent through integrations and other methods, we use TLS.

What is your company’s password policy?

We don’t have a strict policy regarding customers, but we do encourage our users to create strong passwords. All employees and contractors are required to enable two-factor authentication as an additional precaution when setting up their passwords. In addition to account passwords, we provide the ability to create passwords for individual forms.

Who has access to my data? Are there permissions in place?

We provide a segregated environment via a multi-tenant database so that each customer’s data is isolated and protected against unauthorized access. To protect your data further, we provide the ability to assign access privileges and permissions to different users.

Do you proactively protect against common application attacks, such as input tampering and injection flaws?

We escape input used in SQL queries, sanitize HTML input, and use CSRF tokens to mitigate common web vulnerabilities.
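The three controls named in that answer are shown below in a single stdlib-only Python example. This is added illustrative code, not Formstack's implementation; the in-memory `submissions` table, the form id `f1`, and the sample submitted values are all constructed for the demonstration. It pairs a string-spliced query with its parameterized replacement, escapes a submitted value before rendering it into HTML, and checks a per-session CSRF token with a constant-time comparison.

```python
import html
import hmac
import secrets
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a form-submission store (not Formstack's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE submissions (form_id TEXT, field TEXT, value TEXT)")
    conn.executemany(
        "INSERT INTO submissions VALUES (?, ?, ?)",
        [("f1", "name", "Alice"), ("f1", "name", "Bob"), ("f2", "name", "Carol")],
    )
    return conn


def lookup_unsafe(conn, form_id):
    """Injectable pattern: caller-controlled text is spliced into the SQL string."""
    sql = "SELECT value FROM submissions WHERE form_id = '" + form_id + "' ORDER BY rowid"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, form_id):
    """Hardened form: the driver binds form_id as a value, never as SQL text."""
    rows = conn.execute(
        "SELECT value FROM submissions WHERE form_id = ? ORDER BY rowid", (form_id,)
    )
    return [row[0] for row in rows]


def render_value(value):
    """Escape a submitted value before interpolating it into HTML so it cannot become markup."""
    return "<td>" + html.escape(value, quote=True) + "</td>"


def issue_csrf_token(session):
    """Generate an unguessable per-session token and store it server-side."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_ok(session, submitted):
    """Accept a form post only if the submitted token matches the session's token."""
    expected = session.get("csrf_token")
    if not expected or submitted is None:
        return False
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    conn = make_db()
    tampered = "f1' OR '1'='1"  # constructed tampered form id
    print("unsafe:", lookup_unsafe(conn, tampered))  # leaks every form's rows
    print("safe:  ", lookup_safe(conn, tampered))    # matches nothing
    print(render_value("<script>alert(1)</script>"))
    session = {}
    token = issue_csrf_token(session)
    print("csrf valid:", csrf_ok(session, token), "csrf forged:", csrf_ok(session, "x"))
```

The tampered id returns every row through `lookup_unsafe` but nothing through `lookup_safe`, because a bound parameter is compared as a literal string rather than parsed as SQL; that is the property the "escaping" claim depends on, and parameter binding delivers it without any hand-written escaping logic.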

Where can I find more information on your security measures?

For more information on Formstack's security, you can visit our Data Security page.

How is my form data stored and protected?

Form data is stored securely on Formstack’s servers. All users have the option to enable encryption for their stored submissions. Users can also enable PGP email encryption to protect information shared through notification and confirmation emails.

What backups do you perform?

We back up the database daily with the ability to perform point-in-time restoration. Backups are kept for 14 days.


Do you handle any credit card information as part of your service offerings?

Yes, we allow users to collect credit card information on their forms. We require credit card data to be encrypted when captured or transferred via our system. While we do not currently attest to PCI compliance, we work with card provider integrations who are fully PCI compliant.

Does using Formstack make me completely PCI compliant?

While Formstack is PCI compliant, using our system does not relieve you from fulfilling other requirements outlined by the PCI DSS. As a merchant, you're still responsible for ensuring all your processes meet the appropriate standards. For more information, check out the PCI SSC's official website.

Where can I embed my payment forms?

Formstack offers multiple embed options. Add payment forms to your website or social media platform, share a link via email, use Lightboxes and iFrames, add forms to your content management system, or tweak your form’s HTML coding to suit your needs.

What payment integrations can I use with my forms?

There are nine different payment integrations available with Formstack, including three HIPAA compliant options. Available integrations include Authorize.Net, Stripe, PayPal, PayPal Pro, PayPal Payflow, Bambora, Chargify, First Data, WePay, and ProPay. Please keep in mind that if you use these integrations, it is up to you to ensure that the payment processor you choose meets your PCI compliance needs. We are not responsible for what happens to data outside of our system.

Can I store credit card data in Formstack?

Formstack lets you temporarily store cardholder data in your account before authorization. However, this option is not available by default and can only be enabled if you request access. For more information, check out this Help article.


Which Formstack products are HIPAA compliant?

Formstack Forms, Documents, and Sign are all HIPAA compliant. Our cloud-storage tool, Stash, is also HIPAA compliant.

Where can I embed my HIPAA forms?

Formstack offers multiple embed options. Embed forms on your website or social media platform, share a link via email, use Lightboxes and iFrames, add forms to your content management system, or tweak your form’s HTML coding.

Can I use Conversion Kit features with the Formstack HIPAA plan?

Yes! You can use all features included in the Conversion Kit!

Can I get API access to connect to my EHR/EMR or other third party system?

Yes, Formstack has an open API that lets you connect your forms to third party systems. Developer Central, our resource hub, is chock full of information on how to set up integrations and webhooks through Formstack.

Can I see a copy of your HIPAA Audit?

Yes, you can view Formstack's HIPAA Audit by filling out this request form.

Do you have any integrations that meet HIPAA compliance standards?

Yes, we have six HIPAA compliant integrations available. These include: Salesforce, Salesforce Marketing Cloud, Google Calendar, Google Drive, and Google Sheets.

Can I get these security features without a HIPAA plan?

If you're not collecting patient health data, but you're still interested in a high level of security, check out our advanced data security options.

Step up your security standards.

See our Security feature in action during a free, 14-day trial. You can also demo our form builder to get started.
