Formstack Forms is PCI compliant as both a merchant and a service provider. To become PCI compliant, a third party auditor tested us on the following controls:
For our Formstack Forms HIPAA plan customers, we are committed to continued compliance with HIPAA.
To comply with privacy practices globally, Formstack is committed to continued Forms compliance with GDPR, PIPEDA, and other privacy regulations and laws.
AWS Hosting. Formstack uses AWS in the United States as our external security hosting provider. AWS meets System and Organization (SOC) standards verified by independent third-party examination reports demonstrating how the provider achieves key compliance controls and objectives. Please see the following website for further details on AWS compliance: https://aws.amazon.com/compliance/programs/.
Data ownership. Your organization owns the submission data and file upload data. In EU Data Protection Law speak, your organization is the Controller. Formstack will only access your data at your request. To protect your data from unauthorized access, we have logs with alerts set to notify us of suspicious activity.
Your organization may download your information or delete your information for our application at any time.
Passwords. Formstack Forms provides customers with the ability to create strong passwords that:
Timeout Settings. Customers may set a timeout for users after a fixed period of inactivity (15 minutes, 30 minutes, 1 hour, 4 hours.) For Forms HIPAA plan customers, the timeout is set at 15 minutes.
Password Strength. Formstack Forms provides its customers with a password meter to guide users in the creation of strong passwords.
Multi-Factor Authentication. Formstack Forms provides the customer with the option to enable multi-factor authentication.
Data at rest. All submission data is disk encrypted under AES-256.
Data in Transit. Data in transit is protected by TLS >=1.2 to provide end-to-end communication security.
HIPAA File Uploads. Personal health information uploaded to our S3 file servers is AES-256 encrypted with an AWS managed encryption key for server-side encryption.
Client Form Encryption. Clients may encrypt their forms using a passphrase. This passphrase is only known to the customer and encrypts the data under a 1024 bit AES public key.
Data Backup. Formstack Forms is not to be used for data backup. For our purposes, we back up and replicate data as follows:
Data backups are also encrypted using AES-256. If the customer uses form encryption, the backup data will be encrypted with 1024 bit AES public key. If the data is replicated between regions, the data will be encrypted by AWS in addition to the file encryption and/or the client form encryption.
Logging. Our application will be configured for appropriate logging of activities to enable detection of security incidents. These incidents will be reviewed, and identified anomalies will be investigated for a possible compromise.
All logs activities are sent to a centralized logging infrastructure for audit purpose.
Internal Vulnerability Scans. Formstack runs internal vulnerability scans quarterly.
External Vulnerability Scans. Formstack has a PCI Approved Scanning Vendor (ASV) run external vulnerability scans quarterly.
Penetration Testing. Penetration testing for our Forms application, network, and segmentation are run on a bi-annual basis by a third-party security vendor.
No External Testing. Since we have continuous scans and tests run by third-party vendors, Formstack does not allow external testing of our environment, including performance testing.
Response Plan. Formstack has a business continuity and disaster recovery plan that allows customers to continue to run our Forms application in the unlikely event of an outage at AWS-US East.
Annual Training. Our employees and contractors are provided with privacy and awareness training yearly and must pass a quiz each year.
Developer Training. Developers train annually on secure coding guidelines, avoiding common coding vulnerabilities, and understanding how sensitive data is handled.
Response Plan. Formstack has documented Incident Response and Data Breach Response Plans, which outline the processes to respond to security events and incidents, and breaches of personal or protected data.
Formstack's goal is to notify customers of an actual security incident within 24 hours after becoming aware of it.
Internal Risk. Our organization addresses cybersecurity risks in our risk management processes to identify critical assets, threats, and vulnerabilities.
Third-Party Risk. Formstack performs risk-based due diligence on new and existing vendors to determine if the vendor is using appropriate technical controls and organization measures to protect data.