Interested in our security documents, compliances, policies, and more?
At FormAssembly, we’re dedicated to following security best practices both for our customers and our organization. Read on to learn about how we keep your account and data safe with different security policies and features, like our incident response policy, web application firewall, and intrusion detection system.
NIST CYBERSECURITY FRAMEWORK
We follow the NIST Cybersecurity Framework, which is a voluntary Framework consisting of standards, guidelines, and best practices to manage cybersecurity-related risks. The Framework helps to promote the protection and resilience of critical infrastructure and other sectors important to FormAssembly.
FormAssembly compliance standards:
FormAssembly is PCI DSS Level 1 Certified and is compliant with GDPR, HIPAA, FERPA, EU-U.S. Privacy Shield, the Australian Federal Privacy Act and Australian Privacy Principles. Our E-Signature feature is also compliant with the Australian Electronic Transactions Act. Our Government Cloud plan is FedRAMP Ready.
Our policies, procedures, and standards reference best practices of:
ISO, FFIEC, GLBA, HIPAA, PCI DSS, NIST, NYDFS, Privacy Act 1988
DATA CENTER LOCATIONS
Our commitment to upholding high security standards extends to our data centers, which are located around the globe and hosted by Amazon Web Services (AWS). AWS holds many certifications around Security and Privacy. We offer global regions to accommodate our customers’ data security needs, such as GDPR compliance.
All FormAssembly employees undergo background checks and privacy and security training. FormAssembly also maintains a comprehensive and regularly updated set of Information Security policies that cover a wide range of best practices for secure workplace procedures. All policies, procedures, and standards are reviewed and approved annually.
INCIDENT RESPONSE POLICY
FormAssembly has an established Incident Response policy and procedure based on NIST guidelines that activates upon a security breach. In the event of an incident, we will notify you in a timely manner of any unauthorized access to your data. The FormAssembly Incident Response plan is tested annually or as needed.
FormAssembly has Disaster Recovery and Business Continuity plans in place, and all relevant personnel are apprised of their roles. In the event of a disaster, the FormAssembly Customer Support team will provide a disaster declaration notice to all affected customers. Disaster Recovery and Business Continuity plans are tested on an annual basis.
FormAssembly maintains a robust centralized logging environment where logs are reviewed on a daily basis. Logging is enabled in order to establish a sufficient audit trail for all access. Logging is performed at the application level as well. Automated audit trails are implemented to reconstruct system events and they’re secured, so they cannot be altered in any way. File Integrity Monitoring is monitoring these actions along with several other security controls to ensure we maintain confidentiality, integrity, and availability of all data.
WEB APPLICATION FIREWALL
WAF, Security Groups, and IPtables are configured with deny-by-default policies. FormAssembly’s Web Application Firewall protects your data against common web attacks. We follow OWASP top 10 and SANS top 25 to ensure confidentiality, integrity, and availability of your data. Access control lists are reviewed throughout the year and any change must go through Change Management.
INTRUSION DETECTION SYSTEM
IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) are deployed at FormAssembly to increase network and server security. IDS/IPS monitor traffic and inspect packets for suspicious data. Detection in both systems is mainly based on signatures already detected and recognized. Signatures are updated and alerts are reviewed on a daily basis. Logs are sent to our centralized logger where they are reviewed on an ongoing basis.