When it comes to collecting and managing data with FormAssembly, security should never be an afterthought. Whether you’re gathering sensitive information for a short-term project or managing long-standing workflows with personal data, following security best practices – also known as hardening your instance – is key to safeguarding your organization and your users.
During our annual virtual user conference, FormFest 2025, guest speaker David Batz emphasized practical steps teams can take to strengthen their instance.
You can watch the clip below from David’s FormFest presentation or read on for a walk through of the top recommendations for hardening your FormAssembly environment.
1. Start with User Privileges and Access Control
One of the most important things you can do to maximize security is review your user groups and permissions. FormAssembly offers granular control over who can access what by allowing you to:
- Assign appropriate roles like “form administrator” or “system administrator” only where needed.
- Limit access to sensitive data by carefully configuring roles.
- Regularly audit your user list to ensure privileges are still appropriate.
This kind of role-based access is your first line of defense.
2. Enable SAML or MFA
If your organization supports it, implement SAML-based Single Sign-On (SSO) for seamless and secure access. If SAML isn’t an option, Multi-Factor Authentication (MFA) should be enabled for all users.
Both options significantly reduce the risk of unauthorized access and are easy to configure within the platform.
3. Assess and Limit Sensitive Data Collection
Collecting personal or sensitive information? Then it’s time to get serious about data minimization and lifecycle management by:
- Reviewing what data you’re collecting and making sure it aligns with the purpose of your form.
- Implementing field-level security to protect sensitive fields from unauthorized access.
- Using input validation to ensure only properly formatted and expected data is submitted.
- If you’re accepting file uploads, turning on secure file scanning to guard against malware.
4. Set Up Data Purging Policies
FormAssembly’s data purging feature lets you automatically delete responses after a set period. This is perfect for short-term projects or regulatory compliance.
As part of your data collection processes, ask yourself: “Do we really need to keep this data after the project ends?” If not, set a purge schedule. This reduces risk and supports privacy-by-design principles.
5. Conduct Regular Privacy Impact Assessments
Periodically review what data is being collected by your organization and why. A Privacy Impact Assessment (PIA) helps ensure your data collection aligns with the goals of your project and may reveal unnecessary risks or redundancies.
This step can also inform your approach to purging and access control.
6. Strengthen Session and Password Settings
FormAssembly provides options to fine-tune session expiration and password complexity rules. Review and adjust these settings to find the right balance between user convenience and organizational security needs.
7. Review Connectors and Integrations
At least once a year (or more often, if possible), audit your enabled connectors and third-party integrations. Ask yourself:
- Are they still needed?
- Are they functioning as intended?
- Are they secure and up to date?
Remove anything that is going unused to reduce potential points of vulnerability.
Final Thoughts
FormAssembly provides a strong foundation for secure, compliant data collection, but it’s up to each organization to ensure their instance is properly configured. Taking the time to review permissions, secure data inputs, and evaluate integrations can go a long way toward reducing risk.
