Security

The security of your data is of paramount importance to us at Formcrafts. We never sell your data, and take all the necessary precautions to safeguard it from unwanted access. You can learn more about our security practices on this page.

Compliance

GDPR

As a data processor, Formcrafts diligently adheres to GDPR, implementing strict policies to manage personal data responsibly and transparently. Our roles and responsibilities are clearly defined to ensure compliance with European data protection laws.

Data Processor vs Data Controller

A data controller is "a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing of personal data." The form creator decides what data their forms collect and why, so the form creator is the data controller. Since Formcrafts collects and processes that data on behalf of form creators, it acts as a data processor.

Data Processing Addendum (DPA)

We offer a data processing addendum (DPA) for customers that operate in the EU. Our DPA sets out the terms and conditions needed to fulfill GDPR requirements, and reflects our commitment to EU data privacy. Please contact support to get a copy of our DPA.

Right to be Forgotten

Formcrafts' users can delete their account from their dashboard. This deletion results in erasure of all their data, including the data of their form respondents. Some data may persist in backups, which are deleted after their retention period.

Right to Data Portability

Users can easily export form responses, facilitating data control and mobility. If you would like to bulk export your responses, please contact support.

Right to Rectification

We provide the means for users to update their personal information, ensuring data accuracy. You can edit your information with us on the Account page.

PCI DSS

Formcrafts does not store payment data. We use a third-party service called Stripe to accept and process payment information. Stripe is PCI Service Provider Level 1 certified. Learn more about security at Stripe.

CCPA

The California Consumer Privacy Act (CCPA) protects privacy rights of California consumers. Formcrafts is compliant with CCPA regulations.

Hosting and Network Security

Formcrafts uses a variety of cloud providers to host its infrastructure. Our servers are hosted with:

  1. Fly.io
  2. Amazon Web Services

Our database is hosted with Amazon Web Services, and located in the European Union. Please note that even though our database is located in the EU, your data may be processed in other locations.

We use other data providers for services like email delivery, analytics, and CDN. Please contact support for more information.

Organization Policies

Formcrafts has a business continuity plan, and a broad set of organizational policies governing security and data privacy, including a password policy, communication protocols, access control, and non-disclosure agreements. We also conduct regular internal tests and workshops to update our policies.

Encryption

Your data in Formcrafts' databases is encrypted at rest with AES-256, and in transit via TLS. We use HTTPS for all our web traffic, ensuring secure data transfer.

Backups

We conduct regular database and application backups to prevent data loss and ensure quick recovery in the event of an incident. Backups are stored in a secure location, and are encrypted.

Backups are stored for 30 days and are automatically deleted after that time.

Development

We follow industry-standard best practices for most of our application development. Testing and production environments are isolated. New employees go through rigorous training and education when they are hired, and also on a periodic basis.

Least Privilege

We operate on a principle of least privilege, ensuring that every employee, contractor, and system has only the minimal access necessary to perform their role. This minimizes the risk of unauthorized access or accidental changes to critical systems.

Other key elements of our policy include:

  1. Periodic access review
  2. Granular access levels
  3. Strong password policy

OWASP

The OWASP Top 10 is a standard awareness document for developers and web application security practitioners, listing the most critical security risks for web applications. We follow this document during application development. Developers are trained on these principles when hired, and also on a periodic basis.

Penetration Testing

To identify and mitigate vulnerabilities, we conduct regular internal penetration tests, enhancing our defense mechanisms.

Incident Response Plan

Formcrafts has a robust incident response plan to promptly address any security breaches or data leaks. Our dedicated team is trained to manage incidents effectively, minimizing impact and restoring security.

Our incident response plan is reviewed and updated bi-annually to ensure it is up to date.