Security Statement

Data Security

  • Authentication: The safety of your account identification information is taken very seriously and is always encrypted in transit and at rest. Account passwords are subject to minimum complexity requirements. Login is required to access collected data and files by default.
  • Authorization: Once authenticated, only your account, or sub-user accounts with correct permissions, will be able to perform actions on your data by default. We also offer secure options to share your results. We strive to maintain as tight controls on actions as possible. You may further customize your user and form permissions. Secure single-access authorization helps ensure that only you are able to login to your account.
  • Accounting: Access and activity to accounts and data are routinely logged and analyzed. This information is then regularly used for security reviews and monitoring, as well as performance maintenance. Major activity in your account is also logged and viewable online.
  • Encryption: All data stored in your account, including data you collect with your forms, is encrypted at rest using the AES-256 encryption algorithm.
  • Privacy: Our Terms of Service covers our handling policies for your data including adherence to GDPR, data ownership, and data retention standards.

System and Network Security

  • All Formsite servers are colocated exclusively in a cloud-based architecture with Amazon Web Services (AWS) using their datacenters with hosting in the United States. Find complete information on AWS Security on their security and compliance pages. In addition to our own staff, AWS provides expert support and system maintenance. AWS meets multiple ISO, SOC, and other standards including compliance certifications and attestations from third-party, independent auditors.
  • Formsite uses high-grade SHA-256 RSA encryption for secure (https) connections over TLS, the same level of security used by banks and other financial institutions. The AES-256 encryption algorithm is used to encrypt data at rest.
  • High performance, stability, and DDOS mitigation are achieved through the use of load-balancing on public-facing servers, as well as redundant processing instances and databases across different physical locations. This allows us to support high traffic loads across our user base with high uptime.
  • Formsite servers are routinely monitored and tested by internal and external PCI and system scans as well as world class Penetration Testing (Pentest) firms. Servers are kept up to date with important security patches and software. Automated monitoring is also in place with the ability to alert Formsite personnel.
  • Disruptive and malicious activity such as email spam and bot-generated submissions are not tolerated and are prevented by various methods including but not limited to reCAPTCHA. You may also restrict submissions by allowing only one per user, requiring a login first, screening out users, or setting a results limit.
  • Secure network access is enforced by multi-tiered firewalls, custom system configurations, and multi-zoned networks. Partnership with AWS allows us to leverage their industry leading security features such load balancing, network and application firewalls, Virtual Private Cloud (VPC), Identity & Access Management, and more.

Application Security Features

We provide many features to help protect your data, including secure password-protected results sharing options for emails and reports. Files can also be shared securely with encoded links that require a login to open. Special items offer the ability to handle sensitive data like credit card numbers. As noted above, reCAPTCHA can be used to automatically protect against abusive submissions. To help protect your account access, enable Two-factor authentication (2FA) to require a special code upon login. You can also enable Data Retention to manage your results lifecycle and automatically remove older results.

Administrative Security

  • All Formsite personnel are trained and regularly updated with the latest best practices regarding security and threat management.
  • Access to Formsite resources is reserved solely for employees of Formsite, with minimal access permissions as needed.
  • Activity on Formsite servers and networks is constantly logged and audited. Access to systems and data is highly restricted to only essential skilled personnel, and activity is both tightly controlled and monitored. Our staff also use best security standards, including two-factor authentication, private key-protected secure shell, secure VPN, etc., where possible.

Business Continuity and Disaster Recovery

  • 24/7 monitoring and intrusion prevention systems are enacted for all public-facing services.
  • Robust alert systems, secure processes and systems allow vital Formsite personnel to respond to issues within minutes at any time.
  • Disaster recovery plans are in place, reviewed regularly, and distributed to all necessary Formsite personnel.
  • Our system and network architecture provide a high degree of fault tolerance and recovery, both in security and performance. Important systems have redundancies in place to support fail-over processes and are also backed up routinely.
  • Backups of all vital systems and data are taken regularly, and copied as appropriate to secure locations in order to provide contingencies across multiple systems and locations.
  • Results data can be exported from your account, allowing you to create personal backups.

Software Development

  • We use technologies including Java, Linux, and MySQL to develop Formsite.
  • All software produced by Formsite personnel is subject to regular screening, review, and testing.
  • Our systems and software are developed and maintained with consideration of the OWASP Top 10 and are held to best practices and industry standard guidelines in order to reduce vulnerabilities.
  • Testing on all software is performed in multiple test, or “sandbox”, environments before reaching the production environment. Actual customer data is not used in testing unless expressly required to diagnose specific issues, in which case it is handled securely and disposed of properly.
  • We utilize advanced code deployment systems including distributed version control and source code management. This allows us to develop and distribute patches or updates to our code quickly and safely should the need arise due to a bug or vulnerability.

PCI Compliance

  • Formsite is PCI 3.2.1 compliant. Our servers pass routine PCI compliance scans and we will provide our scan certificate upon request. PCI compliance includes the following requirements:
    • Firewall configured to protect cardholder data
    • Default password and security parameters not in use
    • Protection of stored data
    • Encrypted transmission of cardholder data
    • Antivirus and anti-malware precautions
    • Secure and well-maintained systems and applications
    • Restricted access to sensitive data
    • Authentication to system components
    • Restricted physical access to data and systems
    • Resource and data access restricted and monitored
    • Routine system and process testing
    • Information security processes maintained
  • We are PCI compliant with respect to the handling of billing information for Formsite accounts.
  • All payment integrations are PCI compliant (PayPal Business, PayPal Personal, PayPal Pro, Braintree,, Stripe).
  • If you elect to collect credit card information on your form, it is your responsibility to maintain the PCI compliance of your entire account.

Security Breach Response

While Formsite follows best practices and makes security a priority, transmitting and storing data will still carry some inherent risk. Due to this, we have procedures to enact should a breach occur. In addition to the monitoring and alerting systems mentioned above, our procedures also include contacting account holders by email or placing notices on our main website or within each account, as needed. We also maintain support round-the-clock to communicate with our users and address further questions and concerns.

Responsible Usage

Formsite offers many advanced features and functionality. Therefore, security of your data also relies upon your responsible usage. This includes, but is not limited to, keeping your passwords and sensitive account information safe and handling your results data safely. Any data you distribute should be as limited in scope as possible and use relevant security features, such as password protection, where possible. In addition, your data security also relies upon the security of any devices or networks you use to access your Formsite account and data. This includes keeping your computer or device up to date with security patches, enforcing user security standards, and storing and deleting downloaded files safely. For more information on the responsibilities of using Formsite, also see our Terms & Conditions.

Further Requests

Due to our large and varied user base, requests for further specific details or custom security assessments may require a certain level of service. You may also see more details about the features included with each level of service on our pricing page or detailed pricing page. For large existing or potential accounts, we also offer several additional Enterprise services, including White Label and HIPAA Compliant services.

Billions of forms submitted