How do I Create a Secure Form?
Formsite has the security features necessary to collect and handle data securely, but depending on the type of form you're building, it's your responsibility to utilize these features when appropriate. See our Security Statement for more details on our site security and policies.
All form links use "https", which secures data in transit. All collected form data is stored encrypted (also known as "encrypted at rest"), which secures data in storage. These security features are automatic and there's nothing extra you need to do to take advantage of them.
If your form collects sensitive information, follow these additional guidelines when appropriate:
- Collect credit card numbers only with the Credit Card item type. This item type applies extra card-specific security features, such as automatic masking when viewing results. If you're using a payment integration, don't ask for credit card numbers on your form. The payment integration will securely collect credit card and payment information.
- For Notification emails, use the "Send as password link" setting or use Results Views to exclude any items containing sensitive information (like credit card numbers or social security numbers). Email doesn't transfer data securely and shouldn't be used to send sensitive information.
- For Results Reports, use the "Password" setting to prevent public access or use Results Views to exclude any items containing sensitive information.
Additional Security Features
Secure Results Files
Files uploaded via File Upload items can be further secured by enabling the "Require login to access files" setting, on your form's "Settings -> Security" page. This setting replaces file links appearing in results with encoded links which require you to be logged in.
All forms are protected by an automatic reCAPTCHA. If an unusual pattern of submissions is detected for your form, the reCAPTCHA will selectively appear to prevent abuse. You can further customize when this will appear on your form's "Settings -> Security" page.
For compatibility with reCAPTCHA, it's best to make your forms at least 300px wide to make sure it has enough space to display.
Two-factor authentication (2FA) links a mobile device to your account. A time-sensitive passcode from the mobile device will be additionally required during login.
Data Retention policies can automatically remove results after a specified period of time. This allows you to control the lifecycle of your data for compliance, or just to help manage your storage footprint.