How Do I Create A Secure Form?
FormSite has the features necessary to create forms that can collect and handle data securely. However, it is your responsibility to take advantage of these features when appropriate. To create a form suitable for collecting sensitive information, use the following guidelines:
- Use a Professional level account. Only Professional accounts can create secure form links and encrypt item results.
- Publish the form with a secure (https) link or embed code. This will ensure data is transmitted to and from FormSite securely.
- For forms that send email Notifications, use the Secure Email email format, or use Results Views to exclude all items that contain sensitive information (eg. credit card numbers or social security numbers). Email does not transfer data securely and should not be used to send sensitive information.
- Enable the "Encrypt Result" setting for each text field that collects sensitive information (eg. credit card numbers or social security numbers).
- Enable the "Secure Form" setting on the form's Configure page to enforce security features.
Several terms are frequently mentioned when discussing online security:
- SSL - Secure Socket Layer. This is the technology used to securely transmit data over a network.
- HTTPS - HTTP over SSL. This is how SSL is used to securely transmit data to and from a website.
- encryption - This is a way to convert data into a format that cannot be read without a special key.
Short Answer, Paragraph, and Password Field items can store results in an encrypted format. Encryption is provided for data that needs "extra" security, such as credit card numbers and social security numbers. This type of data can be collected securely, but many organization have policies that it, further, must be encrypted when stored.
There is no limit to the number of items you can encrypt. However, for best performance, only enable encryption where appropriate.
The "Secure Form" Setting
To assist in enforcing security requirements, you can designate a form that collects sensitive information as a "Secure Form". This setting can be found on each form's Configure page.
The "Secure Form" setting affects the following:
- Insecure (http) links - Insecure links will not be available on the Publish page. Any existing insecure links will refuse submissions.
- Public Results - The Public Results feature will not be available.
- Potentially insecure actions - Warnings will appear next to settings and features that, when used incorrectly, may result in data being handled insecurely.
NOTE: The "Secure Form" setting will only disable functionality that is guaranteed to be insecure. To remain flexible for as many users as possible, other features remain enabled but are noted as "potentially insecure". That is, insecure only when used incorrectly. When in doubt, refer to the guidelines in the "How Do I Create A Secure Form?" section above.
In order to securely collect data, you must distribute a secure (https) link to your form. Secure links will result in data being transmitted to and from FormSite securely. You can always determine whether a link is secure by checking that it begins with "https".
To get a secure link to your form, use the Publish page. If your form has the "Secure Form" setting enabled, the Publish page will only display secure links. Otherwise, near the top of the page, select "Secure SSL" as the "Link Type" before copying a link.
By default, all Professional level accounts use a secure (https) connection when logged in. Viewing results within your account will be secure. However, several features, such as Printable Report and Results Download, have an "email me when it's ready" option. Do not use this option for forms that contain sensitive data as email does not transfer data securely.
FormSite uses high-grade 256 bit SSL encryption for secure (https) connections, the same level of security used by banks and other financial institutions. Results that are encrypted are done so using the Advanced Encryption Standard (AES) algorithm, the encryption standard adopted by the United States government.
All FormSite servers are colocated exclusively at Equinix Datacenters in Chicago. Physical security includes: 5 layers of biometric palm scanners to enter and leave the facility, 24 hour security personnel, over 600 video cameras with 30 day digital recording, and kevlar floors and walls.