Check out this list of the most frequently asked questions about security and compliance across the Formstack platform.
For transmitted data that’s sent through integrations and other methods, we use TLS.
We don’t enforce a strict password policy on customer accounts, but we do encourage our users to create strong passwords. All employees and contractors are required to enable two-factor authentication as an additional precaution when setting up their passwords. In addition to account passwords, we provide the ability to set a password on individual forms.
We provide a segregated environment within a multi-tenant database so that each customer’s data is isolated from other tenants and protected against unauthorized access. To protect your data further, we provide the ability to assign access privileges and permissions to different users within your account.
We escape SQL queries, sanitize HTML input, and use CSRF tokens to mitigate common web vulnerabilities.
For more information on Formstack's security, you can visit our Data Security page.
Form data is stored securely on Formstack’s servers. All users have the option to enable encryption for their stored submissions. Users can also enable PGP email encryption to protect information shared through notification and confirmation emails.
We back up the database daily with the ability to perform point-in-time restoration. Backups are kept for 14 days.
Yes, we allow users to collect credit card information on their forms. We require credit card data to be encrypted when captured or transferred via our system. While we do not currently attest to PCI compliance, we work with card provider integrations who are fully PCI compliant.
While Formstack is PCI compliant, using our system does not relieve you from fulfilling other requirements outlined by the PCI DSS. As a merchant, you're still responsible for ensuring all your processes meet the appropriate standards. For more information, check out the PCI SSC's official website.
Formstack offers multiple embed options. Add payment forms to your website or social media platform, share a link via email, use Lightboxes and iFrames, add forms to your content management system, or tweak your form’s HTML code to suit your needs.
There are nine different payment integrations available with Formstack, including three HIPAA compliant options. Available integrations include Authorize.Net, Stripe, PayPal, PayPal Pro, PayPal Payflow, Bambora, Chargify, First Data, WePay, and ProPay. Please keep in mind that if you use these integrations, it is up to you to ensure that the payment processor you choose meets your PCI compliance needs. We are not responsible for what happens to data outside of our system.
Formstack lets you temporarily store cardholder data in your account before authorization. However, this option is not available by default and can only be enabled if you request access. For more information, check out this Help article.
Formstack Forms, Documents, and Sign are all HIPAA compliant. Our cloud-storage tool, Stash, is also HIPAA compliant.
Formstack offers multiple embed options. Embed forms on your website or social media platform, share a link via email, use Lightboxes and iFrames, add forms to your content management system, or tweak your form’s HTML code.
Yes! You can use all features included in the Conversion Kit!
Yes, Formstack has an open API that lets you connect your forms to third-party systems. Developer Central, our resource hub, is chock full of information on how to set up integrations and webhooks through Formstack.
Yes, you can view Formstack's HIPAA Audit by filling out this request form.
Yes, we have six HIPAA compliant integrations available. These include: Salesforce, Salesforce Marketing Cloud, Google Calendar, Google Drive, and Google Sheets.
If you're not collecting patient health data, but you're still interested in a high level of security, check out our advanced data security options.
See our Security feature in action during a free, 14-day trial. You can also demo our form builder to get started.