Reinforcing Our Commitment to Data Security: FormAssembly Renews its ISO 27001 and SOC 2 Certifications

In today’s digital world, data security isn’t optional – it’s foundational – and FormAssembly stands behind this belief.

We’re proud to share that we have successfully completed our annual ISO/IEC 27001 and SOC 2 Type II audits, earning updated certifications for both. The renewal of these certifications reaffirms our mission to help organizations become exceptional stewards of data and proves that we hold ourselves to the same standard.

What ISO 27001 and SOC 2 Really Mean

What is ISO/IEC 27001?

ISO/IEC 27001 is an international standard that helps organizations manage and protect sensitive information. It uses a modern, risk-based approach, meaning companies focus on the specific security risks they face and build protections that make sense for their unique situation.

The latest standard includes updated controls across technology, processes, and people, covering everything from secure software to employee training. It also aligns with other quality and service standards like ISO 9001 and 20000, promoting a more complete, well-rounded approach to managing both security and service delivery.

Unlike a one-time checklist, ISO/IEC 27001 promotes continuous improvement, encouraging organizations to regularly evaluate and enhance their security practices. For FormAssembly, renewing this certification is an independent confirmation of our commitment to security, giving customers added confidence that we take data protection seriously.

What is SOC 2?

SOC 2 is a widely respected standard that helps organizations prove they’re managing customer data securely and responsibly. It’s based on five Trust Services Criteria — security, availability, processing integrity, confidentiality, and privacy — with security always being required.

What makes SOC 2 especially valuable is that it doesn’t just look at policies on paper; it evaluates whether security controls actually work over time, in real-world, day-to-day operations.

Recent updates to SOC 2 have added more detail around risk management, vendor oversight, and how companies handle emerging technologies. For FormAssembly, renewing a SOC 2 certification helps confirm that our data practices aren’t just compliant but that they’re consistently reliable. It’s a signal to our customers that they can trust our platform to protect their information, not just in theory, but in practice.

The Importance of Data Stewardship

At FormAssembly, our mission is simple: to empower organizations to be responsible stewards of the data entrusted to them.

We take the responsibility to collect, connect, and protect data – both our own and that of our customers – seriously. To be good data stewards, we:

  • Prove to our customers that they can trust us by committing to everything that is necessary to earn ISO 27001 and SOC 2 certifications
  • Proactively work within our own organization to keep data secure and to educate our employees on data security best practices
  • Prioritize compliance when it comes to our customers and their data

Good data stewardship is demonstrated through the actions you take to protect the data entrusted to you. It’s not enough to claim you’re a responsible data steward — you have to prove it through ongoing commitment, regular evaluation, and consistent action.

The Product Controls That Make It Real

These certifications aren’t just checkboxes. They reflect real controls built into the FormAssembly platform.

Password Management & Multi-Factor Authentication

Strong password policies and MFA are essential, but they’re not enough on their own. Passwords can and will be compromised. If stored credentials become public in a breach, password strength alone won’t protect you — that’s why password management is what really matters.

To stay ahead of these risks, FormAssembly relies on three supplemental services that detect when a password appears in a suspected breach. MFA also plays a key role, but not all MFA methods offer the same level of security. Instead of SMS-based authentication, which can be intercepted, we use an internal MFA application combined with multiple verification indicators, ensuring a strong identity verification process at every step.

Ongoing Security Audits & Vulnerability Assessments

Security isn’t static, which is why a single audit or assessment isn’t enough. To continuously reinforce security, FormAssembly layers multiple tools, internal processes, and external expertise. Audits provide a snapshot, but maintaining security requires ongoing evaluation and proactive reinforcement.

Vendor security is just as critical as internal monitoring. When third-party service providers act as custodians of sensitive data, their weaknesses become a direct risk. That’s why we require partners to demonstrate a continuous commitment to security through regular audits, transparent assessments, and proactive compliance measures.

Encryption Best Practices

Encryption is a cornerstone of data security, but its effectiveness depends on proper configuration and management. Data must be encrypted both at rest and in transit, with strong safeguards in place to ensure continuous protection.

To maintain security standards, FormAssembly regularly reviews and strengthens encryption protocols. Our encryption practices ensure that all data collected through our platform is protected end-to-end. We also assess how external partners encrypt data and manage encryption keys to confirm their safeguards align with our best practices.

Data Minimization & Retention

What’s the best way to minimize risk? Minimize what you collect. If data isn’t providing meaningful value, don’t collect it. If you do collect sensitive data, identify it, monitor access, and take action when necessary. Ask yourself:

  • Who within your organization – especially non-administrators – has privileged access?
  • What data exists that no longer serves a purpose? 

At FormAssembly, we believe the key is to audit, restrict, and purge. Holding onto unnecessary data only increases exposure. You must ensure that you’re storing only what’s needed, for only as long as it’s needed, and that you’re controlling access at every step.

Why Data Security Matters to Our Customers

For FormAssembly customers, data security isn’t just a technical concern – it’s a critical part of choosing the right solution.

Our strong security credentials help simplify the purchasing process by reducing the time and friction of security reviews. More importantly, they offer peace of mind by ensuring you’re working with a vendor that prioritizes data protection at every level.

As your organization grows, FormAssembly also supports scalable compliance, making it easier for your team to meet its own regulatory and security requirements securely and efficiently.

Looking Ahead: Security Is Never “Done”

Security isn’t a one-and-done achievement but rather an ongoing, evolving commitment. While our recent ISO 27001 and SOC 2 certifications reflect where FormAssembly stands currently, they’re just one part of a larger picture.

Behind the scenes, we’re continuously investing in training, improved tools, and platform-wide vigilance to stay ahead of emerging threats. We believe every organization deserves tools that make secure, reliable data collection simple and accessible. We commit to making sure that FormAssembly remains one of those tools.

Want to learn more about how FormAssembly protects your data? Visit our Security & Compliance Center or get in touch with our team.
