Trust Center Sync Security & Technology

Formstack Sync Security and Technology

Formstack Sync manages a secure and scalable technology stack that is continuously monitored and patched to stay ahead of digital threats. Below is a summary of our policies and practices as it relates to compliance, privacy, and security.

Application Security

Traffic between customers and Formstack Sync is protected with highly secure in-transit encryption using only the most secure TLS protocols and ciphers, along with 2048-bit encryption keys.

Formstack Sync’s software services are automatically monitored and checked against a constantly updated database of over 20,000 vulnerabilities.

Formstack Sync uses third-party Distributed Denial of Service (DDoS) protection software to ensure DDoS attacks are easily detected and thwarted before they cause a problem.

Our application codebase is continuously and automatically tested to ensure adherence to operational targets, including data integrity and security.

Application, audit, and system logs are captured and stored permanently, allowing for detailed forensic research.

Data Security

Customer data is encrypted in transit and at rest to ensure end-to-end protection with the latest standards and protocols.

Data Center Security and Certifications

Formstack Sync’s software is powered by world leaders in data center management and security. Physical access is protected by 24x7 onsite staff, as well as state-of-the-art biometric scanning and other electronic security controls.

Our infrastructure partners maintain SOC Type II and ISO 27001 certifications.

Availability & Continuity

Formstack Sync has an “availability first” approach. All infrastructure and application components are redundant, with active failover mechanisms. Critical operational data is backed up automatically, and backups are regularly tested to ensure integrity and recoverability.

Data Encryption

Data in transit is encrypted with the most secure TLS versions and ciphers. We employ 2048-bit encryption at a minimum and rotate keys regularly. When connecting to third party services on behalf of customers (e.g., to synchronize data), we ensure all API endpoints are protected by a valid SSL certificate.

Data at rest is encrypted at multiple levels, including on the physical disk and by the logical storage subsystem using AES-128 and AES-256. Keys are randomly generated and encrypted asymmetrically, stored and protected by a proprietary key management service provided by a global leader in infrastructure security.

PCI Compliance

Formstack Sync uses an industry-leading third party to process credit card transactions for customers who wish to pay by credit card. Formstack Sync does not store or possess any cardholder data relative to these transactions; this data is transmitted directly and securely to our upstream payment processor.

Formstack Sync attests to PCI-DSS SAQ-A compliance, and has been certified by Trustwave.

Operational Security

Vulnerability Detection

Formstack Sync employs active vulnerability detection, which audits every action taken on our servers as well as all data ingress and egress. Suspicious activity is automatically flagged and sent to our security operations team for investigation. Our team regularly reviews audit logs, monitoring data access patterns by internal and external actors.

Malware Interception

Automatic virus and malware protection with top-tier, self-updating tools ensures that our network is kept free of malware, spyware, worms, and other common Internet vulnerabilities.

Proactive Scanning

Formstack Sync utilizes enterprise-grade security scanning tools which automatically check against a continuously updated database of over 20,000 known vulnerabilities. This allows us to stay ahead of the curve and keep our infrastructure strong, even against new attack vectors as they are discovered.


All Formstack Sync staff members receive security training and a secured computer to ensure consistent protection of shared infrastructure, such as our corporate network. Developers receive additional security training, and application code is regularly reviewed to ensure adherence. Technical operations staff receive the highest level of security training; these are the only team members who are permitted to access production systems and, by extension, customer data.

Incident Response

Formstack Sync maintains a detailed incident response plan to ensure that any security events and incidents are properly diagnosed, categorized, and managed. Technical staff are regularly trained and tested in incident response procedures. Bedrock adheres to industry standard incident response practices, including involvement of local law enforcement where appropriate.

Continuous Improvement

The Formstack Sync Security Committee reviews all security-related policies, procedures, and training programs to ensure adherence in the execution phase, and to ensure alignment with the latest industry standards and best practices.


Formstack Sync is committed to protecting the privacy of our customers’ personal information. Please see our Privacy Policy for more information.

Privacy Shield

Formstack Sync complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. Formstack Sync has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.

Date Of Last Update: April 18, 2018