Our commitment to security

Cloud security

Our services are hosted with Amazon Web Services in the United States. They employ a robust security program with multiple certifications. For more information on our provider's security processes, please visit AWS Security.

Formspree uses an industry-leading Web Application Firewall with automatic updates to thwart the latest attack vectors.

Encryption

All databases are encrypted at rest using AES-256 block-level storage encryption. We use a minimum of TLS 1.2 to encrypt network traffic between users' browsers and Formspree. Formspree salts and hashes passwords.

Vulnerability management

We perform vulnerability scanning and actively monitor for threats. We actively monitor and log various cloud services. We use a leading intelligent threat and anomaly detection service to proactively to identify and respond to any potential threats.

Least privileged access

We follow the principle of least privilege. Access to cloud infrastructure and tools with access to customer data are limited to authorized personnel who require it for their role. We enforce 2 factor authentication and strong password policies to access critical systems.

Access reviews

We maintain a dedicated offboarding process to immediately revoke access when no longer required. We also conduct quarterly access reviews of all team members to audit access to sensitive systems.

Business continuity and disaster recovery

We have developed an action plan distributed to all personnel to prepare for any unexpected disasters. We regularly backup all critical data systems and run walkthroughs to allow us to quickly recover in the event of a catastrophe.

Incident response

We have a process for handling information security events including escalation procedures, rapid mitigation, and communication. Formspree maintains a bug bounty program to encourage responsible disclosure.

Security awareness

Personnel are required to undergo security awareness training covering phishing and password management. We perform background checks on all new team members in accordance with local laws. All team members are required to sign and adhere to an industry standard confidentiality agreement prior to their first day of work.

Vendor management

Vendor risk is determined and vendor reviews are performed prior to authorizing a new vendor. We conduct at least annual risk assessments to identify any potential threats.

GDPR

Formspree is fully GDPR compliant and believes in the mission of advancing privacy worldwide. GDPR compliance is shown through actions, not through certifications. GDPR compliance is included in our Privacy Policy. We rely on Standard Contractual Clauses (SCCs) as a data processor.

SOC 2 Type II

Formspree has achieved SOC 2 Type 2 compliance and been audited by an independent third-party auditor. Our auditor is certified by the American Institute of Certified Public Accountants (AICPA) to evaluate a service organizations controls related to the Trust Services Criteria. If you'd like a copy of our audit report, please reach out to security@formspree.io.

CCPA

We ensure California consumers can exercise their rights under CCPA. This includes the right to know, right to delete, right to opt-out, and right to non-discrimination.