Formstack is PCI compliant as both a merchant and a service provider. To become PCI compliant, a third party auditor tested us on the following controls:
For our HIPAA plan customers, Formstack is committed to its continued compliance with HIPAA.
Global Privacy Compliance
To comply with privacy practices globally, Formstack is committed to its continued compliance with GDPR, PIPEDA, and other privacy regulations and laws.
Security and Privacy
Your Data is Your Data.
Data ownership. Your organization owns the submission data and file upload data. In EU Data Protection Law speak, your organization is the Controller. Formstack will only access your data at your request. To protect your data from unauthorized access, we have logs with alerts set to notify us of suspicious activity.
Authenticate Your Way
Passwords. Formstack provides customers with the ability to create strong passwords that:
Timeout Settings. Customers may set a timeout for users after a fixed period of inactivity (15 minutes, 30 minutes, 1 hour, 4 hours.) For HIPAA plan customers, the timeout is set at 15 minutes.
Password Strength. Formstack provides its customers with a password meter to guide users in the creation of strong passwords.
Industry Standard Encryption
Data at rest. All submission data is disk encrypted under AES-256.
Data in Transit. Data in transit is protected by TLS >=1.2 to provide end-to-end communication security.
Encryption Your Way
Data Backup and Replication
Data Backup. Formstack is not to be used for data backup. For our purposes, we back up and replicate data as follows:
Logging. Our application will be configured for appropriate logging of activities to enable detection of security incidents. These incidents will be reviewed, and identified anomalies will be investigated for a possible compromise.
Internal Vulnerability Scans. Formstack runs internal vulnerability scans quarterly.
External Vulnerability Scans. Formstack has a PCI Approved Scanning Vendor (ASV) run external vulnerability scans quarterly.
Penetration Testing. Penetration testing for our application, network, and segmentation are run on a bi-annual basis by a third-party security vendor.
Business Continuity/Disaster Recovery
Annual Training. Our employees and contractors are provided with privacy and awareness training yearly and must pass a quiz each year.
Incident Response and Data Breach Response
Response Plan. Formstack has documented Incident Response and Data Breach Response Plans, which outline the processes to respond to security events and incidents, and breaches of personal or protected data.
Internal Risk. Our organization addresses cybersecurity risks in our risk management processes to identify critical assets, threats, and vulnerabilities.
EU/Swiss Data Transfer. Formstack participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework, and has been added to the official list of certified companies by the U.S. Department of Commerce ( https://www.privacyshield.gov/participant?id=a2zt0000000TVUtAAO&status=Active ).