The foundation of our approach to security is that we don't keep form submission data. Form submissions are held temporarily during validation, workflow & delivery, and then permanently deleted subject to the Data Retention Period configured for your account; the default is 10 days.

Encryption

All connections to our website, API and forms use HTTPS encryption with TLS 1.2.

Form data is encrypted with the industry standard AES-256 algorithm while it's temporarily held by us.

Form data is delivered via secure channels wherever possible; we discourage delivery of form data by email.

User passwords and access tokens for third-party services are encrypted with AES-256.

Storage

You can nominate your preferred region to store encrypted form data while it's temporarily held by us; see Regions.

Access

Form data can be accessed via our portal and API while it's temporarily held by us.

Portal access requires a FormsByAir account login. We support 2FA using a mobile app, and IP address whitelisting to restrict access to specific networks.

API access requires a bearer token generated by an Administrator in the portal. Tokens can be manually revoked at any time, and automatically expire after 3 years.

FormsByAir staff can only access metadata by default, and must request access to form data as required to troubleshoot an issue, which is logged with a comment.

Our website, API and all forms sit behind a Web Application Firewall with a comprehensive set of OWASP-based rules.

An independent security report from SecurityScorecard is available on request.

Hosting

FormsByAir is hosted by Microsoft Azure.

Domain registration and SSL certificate services are provided by GoDaddy.

SMTP email services are provided by SendGrid.

Monitoring services are provided by Pingdom.

Availability

The design of our infrastructure within Azure follows best practice to ensure high availability, including global CDN endpoints. Our production environment is monitored 24/7 every minute from multiple geographic locations. A public status page is available here.

PCI Compliance

FormsByAir is not PCI-Compliant and does not store or transfer credit card information.

Spam

FormsByAir offers spam protection by monitoring for unusual patterns of activity against your forms and blocking access if thresholds are exceeded.