The foundation of our approach to security is that we don't keep form submission data. Form submissions are held temporarily during validation, workflow and delivery, and then permanently deleted subject to the Data Retention Period configured for your account; the default is 10 days.

Encryption

All connections to our website, API and forms use HTTPS encryption with TLS 1.2.

Form data is encrypted with the industry standard AES-256 algorithm while it's temporarily held by us.

Form data is delivered via secure channels wherever possible; we discourage delivery of form data by email.

User passwords and access tokens for third-party services are encrypted with AES-256.

Access

Form data can be accessed via our portal and API while it's temporarily held by us.

Portal access requires a FormsByAir account login. We support 2FA using a mobile app, and IP address whitelisting to restrict access to specific networks.

API access requires a bearer token generated by an Administrator in the portal. Tokens can be manually revoked at any time, and automatically expire after 3 years.

Our website, API and all forms sit behind a Web Application Firewall with a comprehensive set of OWASP-based rules.

Hosting

FormsByAir is hosted by Microsoft Azure.

DNS and SSL certificate services are provided by GoDaddy.

SMTP email services are provided by SendGrid.

Availability

The design of our infrastructure within Azure follows best practice to ensure high availability, including global CDN endpoints. Our production environment is monitored 24/7, every minute, from multiple geographic locations using pingdom.com. A public status page is available here

PCI Compliance

FormsByAir is not PCI-Compliant and does not store or transfer credit card information.

Spam

FormsByAir offers spam protection by monitoring for unusual patterns of activity against your forms and blocking access if thresholds are exceeded.