Data security is critical to any organization. Formstack knows about form security and the best ways to protect your online form data. Follow this guide to learn more about data encryption, PGP email encryption, and password-protected forms.
How to Secure Your Formstack Forms
If you are collecting sensitive, identifying information such as (but not limited to) passport, bank account, credit card or driver’s license numbers, you MUST enable SSL. SSL (Secure Sockets Layer) is a protocol for providing secure communications on the Internet. SSL provides for the authentication and encryption of traffic between your browser and Internet servers.
To enable SSL on your form, go to Settings > Security and click yes next to SSL. After enabling this feature, you will notice that the original “http” in the URL has now changed to “https,” which stands for HyperText Transfer Protocol Secure.
When you enable SSL on your form and you embed it on a website that does not have a security certificate, your form will still be secured by Formstack, even though the URL on the embedded website will not display the “https.” Below is an example of an embedded form with SSL enabled, displayed on a nonsecure website.
Although your form will always be secure, it might be a good idea to secure your website as well so that individuals filling out your forms will not be confused by the seemingly unsecure URL. If you would like to add a security certificate to your website, simply contact your website provider for their pricing plans and features. If your website is a custom, personal domain, you can obtain a security certificate from a provider (GoDaddy.com, for example).
If you decide it’s not necessary to obtain a security certificate for your personal website, after you turn on SSL, you can always choose to display the “Form Secured by Formstack” logo at the bottom of your form so users know their data entry is definitely secure. To display this logo, click on Form Extras when in Build mode. Then, click on Secure Logo and check the box to Show Secure Logo.
Other Ways to Protect Your Data
- Password-only access to form (for entry/submission): You can password protect your forms if you would like to prevent just anyone from accessing them. To do this, go to Settings > Security > Use Password. Pick a password and click on Save Settings.
- PGP email encryption (for notification emails): You MUST use PGP if you are emailing sensitive data to yourself, such as credit card or social security numbers. Regular email is not a secure method for sending sensitive data and violates our terms of service.
- Database Encryption (for your form database): You MUST enable data encryption if you are collecting sensitive data such as credit card or social security numbers and storing them in your Formstack database. If you do not do this, you are violating our terms of service and your data is NOT secure.
When you set up your form to save data for later downloading and viewing, you can set a password to encrypt the data when stored in the Formstack database. When you set a password, public and private keys are generated and stored with your form. The public key is used to encrypt the data when saved in the database. Your password encrypts the private key, which will be used to decrypt the data. Your encryption password is not saved on the server in plain text, so it's not possible for anyone to decrypt the information without knowing your encryption password.
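The scheme described above can be reproduced with the openssl command line. This is an added example, not Formstack's code: the page does not say which algorithms Formstack uses, so RSA-2048 with OAEP, AES-256 protection of the private key, and all function, file and variable names here are assumptions.

```shell
#!/bin/sh
# Added illustration; not Formstack's implementation. Requires the openssl CLI.
# Hypothetical names: make_form_keys, encrypt_field, decrypt_field, FORM_PW.
# The password is passed with "env:" so it never appears in the process list.

# Create a form's key pair. The private key is only ever written in
# password-encrypted form (PKCS#8, AES-256); the public key is stored in clear.
make_form_keys() {  # $1 = directory; password read from exported $FORM_PW
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass env:FORM_PW -out "$1/private.enc.pem" 2>/dev/null &&
    openssl pkey -in "$1/private.enc.pem" -passin env:FORM_PW \
        -pubout -out "$1/public.pem" 2>/dev/null
}

# At submission time: only the public key is needed, no password.
# RSA-OAEP fits short values only (under ~200 bytes with this key size).
encrypt_field() {  # $1 = directory, $2 = plaintext, $3 = ciphertext file
    printf '%s' "$2" | openssl pkeyutl -encrypt -pubin \
        -inkey "$1/public.pem" -pkeyopt rsa_padding_mode:oaep -out "$3"
}

# When viewing data: the password unlocks the private key, which decrypts.
decrypt_field() {  # $1 = directory, $2 = ciphertext file; password from $FORM_PW
    openssl pkeyutl -decrypt -inkey "$1/private.enc.pem" -passin env:FORM_PW \
        -pkeyopt rsa_padding_mode:oaep -in "$2" 2>/dev/null
}

# Demo with constructed values.
demo() {
    dir=$(mktemp -d) || return 1
    export FORM_PW='constructed-demo-password'
    make_form_keys "$dir" || return 1
    encrypt_field "$dir" 'SSN 000-00-0000' "$dir/field.bin" || return 1
    echo "right password: $(decrypt_field "$dir" "$dir/field.bin")"
    # Everything in $dir is what a server would hold; without the right
    # password the stored private key cannot be unlocked.
    FORM_PW='wrong-guess'
    decrypt_field "$dir" "$dir/field.bin" >/dev/null ||
        echo "wrong password: decryption refused"
    rm -rf "$dir"
}
demo
```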
How to Enable Data Encryption on Your Form
- Click on the Settings tab for your form.
- Scroll down to Security.
- Enter a new password in the Encrypt Saved Data field. You will have to verify the password to continue.
If you do not see the Data Encryption option, your account plan does not give you access to those features.
Notes: You do not need to enable data encryption if you are not saving collected data in the database. File attachments are not encrypted.
These options should provide you with ample means of securing the data you gather on your forms.