Security at Typeform
Entrusting your data to a third-party service provider requires rigorous security measures. The security and integrity of your data is critically important for us, and we’ve built our services around this idea. A risk assessment is repeated at regular intervals and those assessments provide security measures and controls to reduce the risks to an appropriate level.
This article describes the technologies and processes that we use to secure your data, and explains our security culture. Click on a section header in the list below to read more about that topic. We need to be clear and understandable from a legal perspective – unfortunately that doesn’t always make for the simplest explanations. If you find anything hard to understand, please get in touch using the Contact Support button at the bottom of this page.
- Security at Typeform
- Compliance
- Security monitoring and auditing
- Security organization
- Physical security
- Segregation levels
- Network security
- Access control
- Access to customer data by Typeform
- Security policies and awareness
- Penetration tests
- Data protection measures
- Data retention
- Asset management
- Information security incident management
- Continuity
- Development
- Shared responsibility
- Virtualization security
- Secret authentication information management
Security at Typeform
Typeform is a flexible and customizable online form service with beautiful and easy to use design. We also have the objective to guarantee the security of the data collected. The confidentiality, integrity, and availability of your data is critically important for us, and we’ve built our services around this idea.
Our goal is to facilitate our clients’ security while using Typeform, and to help them achieve the certifications and compliance with certain regulations using our platform. For that purpose, the security and compliance framework of our company is certified on the following international standards. All of them have been audited by independent companies.
Compliance
ISO 27001
Is an international standard based on how we manage the security of our organization’s information. ISO27001 details requirements for establishing, implementing, maintaining and continually improving an information security management system to help ensure that Typeform is protecting the confidentiality, availability, and integrity of our clients’ data and the systems needed to provide the service from threats and vulnerabilities.
ISO 27701
Is a privacy extension to ISO 27001. The design goal is to enhance the existing Information Security Management System (ISMS) with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS). The standard outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage privacy controls and reduce the risk to the privacy rights of individuals.
System and Organization Controls 2 (SOC2)
Is a comprehensive reporting framework put forth by the American Institute of Certified Public Accountants (AICPA) that ensures a service provider as Typeform securely manages the data entrusted by our customers to protect their interests and privacy. Same as with ISO 27001, the auditing procedure is carried out by independent, third-party auditors assessing and subsequently testing security controls relating to the Trust Services Criteria of Security.
In addition, our platform is hosted on Amazon Web Services, which is certified in various frameworks from SOC2 to ISO27001.
General Data Protection Regulation (GDPR)
Is by far the most demanding regulation on data protection and privacy in the world. It is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union. It also addresses the transfer of personal data outside the EU and EEA areas. At Typeform, all our customers’ data is processed complying with this framework, no matter which country it belongs to.
Read more about GDPR compliance.
Health Insurance Portability and Accountability Act (HIPAA)
Is a federal law on which we are audited that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patients’ consent or knowledge.
HIPAA requires the organization to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. The Security Rule’s confidentiality HIPAA requirements support the Privacy Rule’s prohibitions against improper uses and disclosures of PHI. Under the Security Rule, integrity means that e-PHI is not altered or destroyed in an unauthorized manner. Availability means that e-PHI is accessible and usable on demand by an authorized person.
At the moment, the organization successfully passed the first compliance assessment, and as a result, the final report allows the company to sign a BUSINESS ASSOCIATE AGREEMENT with its clients.
We also ensure our security by following best practices in different standards:
PCI DSS
The Typeform platform does not store payment data. We use a PCI DSS certified 3rd party for that purpose to accept or process credit card information securely in accordance with these standards, always using the Payment question.
The use of such a PCI DSS certified 3rd party ensures compliance with the Payment Card Industry’s Data Security Standards (PCI DSS 3.2) and the Revised Directive on Payment Services (PSD2).
OWASP
We follow OWASP on our secure development and testing of our applications.
NIST
We follow the NIST Cybersecurity Framework that provides a policy framework of computer security guidance for how to assess and improve the ability to prevent, detect, and respond to cyber attacks.
FIPS
We follow FIPS standards in our systems that require any cryptographic method.
Security monitoring and auditing
Typeform collects application, infrastructure and systems logs in a centrally managed log repository for monitoring, troubleshooting, security reviews, and analysis by authorized personnel. Logs are preserved in accordance with regulatory requirements to assist in the case of a security incident.
Security organization
Typeform has an information security department specifically responsible and accountable for security administration. The Security department directly manages and oversees risk assessment, development of policies, standards, and procedures, testing, and security reporting processes.
A security committee, formed by the highest-level decision and management in the Organization in matters related to information security is in place. The Security Committee assumes responsibility for ensuring compliance with the corporate security principles, to define the initiatives that in matters of security and continuity of the business are rushed in the company and to ensure the security within the company and the platform.
Physical security
Typeform’s infrastructure is hosted by Amazon Web Services (AWS). Our main servers are located in Virginia, USA. They are compliant with security and privacy standards.
As of 2022, Typeform is a 100% worldwide remote company, so the only physical premises are AWS’ data centers.
All physical security measures applying to AWS premises are covered by the AWS Shared Responsibility Model.
Segregation levels
We segregate access to our data at different levels:
- Tenant level: Multi-tenant. Infrastructure is shared.
- Network level: We have established different VPCs, depending on the environment and a VPC for the production environment, segregated from the development environment and others.
- AWS resource level: Data is segmented among different databases and S3 buckets, based on the type of data (e.g, attached files are stored in a specific AWS resource, responses from typeforms are in a specific database, analytics shown in the builder from the responses are in a different one, etc.).
- Application level: Customers are segmented at logical level in the Application layer.
Network security
Each of our environments are hosted in separate Virtual Private Clouds (VPCs) within Amazon Web Services. Our production networks are separated between public and internal services. No inbound internet traffic is allowed on the private subnets, and all application servers only reside in private subnets without public IP addresses. Only AWS managed and maintained load balancers have ingress access to the application internal servers. Tight security groups control inbound and outbound access to the servers.
Firewalls, Intrusion Detection Systems, Web Application Firewalls, and other security state of the art perimetral controls are installed at the edge locations to provide an additional layer of internal and external network security.
Access to our servers is strictly limited, by default no ingress traffic is permitted on them.
Access control
Access to Typeform resources is only permitted through secure connectivity (e.g.,VPN, SSH bastions) and multi-factor authentication. We follow the principle of least privilege, and every single access is audited, tracked and monitored to ensure that employees only have the permissions necessary to perform their duties.
This means employees can only access Typeform systems with an extra-secure connection. As soon as anyone leaves the company, their access is blocked.
Access to customer data by Typeform
All data collected from our customers and their respondents is classified with the highest levels of criticality. We don't allow any provider to access respondents’ data, and only the minimum authorized Typeform employees have access to it. Every single access to the repositories of information is audited and controlled.
Typeform stores personally identifiable information (PII) from the following subjects:
- From our customers, in order to be able to provide the service, customer support and for billing (basic identification and contact data plus basic billing data; except credit card information or bank account, which is handled by a PCI DSS certified 3rd party).
- From our customer’s respondents, as we store their answers to the forms (we can’t provide which data the customers are collecting; this is open to them).
Security policies and awareness
We have a comprehensive set of information security policies following the ISO 27001 standard to ensure compliance, and to guide our employees and contractors in making the right security decisions. Examples include a password policy, data protection and classification of information policy, security in communications, continuity and contingency plans, acceptable use policy on workstations and mobile devices and backup policy amongst others. We review and update them at least annually or when a relevant change is done.
We have non-disclosure agreements with all employees and contractors, and run various security awareness training courses within the company. All our service providers and contractors processing the personal data you have entrusted us are required to sign data processing agreements in line with European data protection laws, and ensuring an adequate level of protection.
This all means that all of us here at Typeform follow internal security guidelines. We get training on these, and they are updated regularly.
Penetration tests
As part of our security strategy, we hire well recognized security research firms to perform penetration tests on our platform. Vulnerabilities and findings are ranked according to severity and prioritized accordingly.
This means we allow security experts to come in and test the limits of our security infrastructure, to help us find any weaknesses.
Vulnerability assessment and penetration test are performed as a part of our Cybersecurity Control policy and our S-SDLC procedure:
- Web application reviews for web vulnerability detection for all web services exposed to the Internet should be reviewed at least once a quarter.
- Tests of intrusion or expert security reviews to detect nonconformities with security requirements and robustness before these types of attacks.
Data protection measures
Once your information enters Typeform’s systems, it’s secured with multiple levels of encryption and access controls. We encrypt your data in-transit (end-to-end, including within the virtual private cloud at AWS) using secure TLS cryptographic protocols (TLS 1.2 & TLS 1.3), and Advanced Encryption Standard (AES) is used with a 256-bit key to encrypt data at rest including the backups of the information.
All workstations and Typeform devices are fully encrypted to guarantee the confidentiality of the information they contain.
Data retention
Customer data is retained for as long as necessary in respect of the purposes for which it was collected and according to the applicable laws. In addition, by law, we are obliged to keep some data for indefinite periods of time. However, in the event you would like your data to be completely removed from the Typeform platform, you can request us to delete your data at any time through our standardized process and procedure.
Typeform is designed to be both scalable and fault-tolerant. If one machine fails, another will be ready to take over immediately. This redundancy is found in all levels of the platform.
Also in alignment with AWS best-practices, a Multi-availability Zone architecture is in place. Should an entire Availability Zone fail, remaining machines in the functioning availability zone have the capacity to run the entire service.
Redundant backups of critical data are also in place and moved to a different location to ensure business continuity in case of disaster. Backup retention is 15 days.
Typeform implements different integrity security controls on its services and servers to maintain the quality, the accuracy and completeness of data over its entire lifecycle.
Asset management
Typeform maintains an asset management policy including an identification, classification, retention, and disposal of information and assets.
Typeform devices are equipped with full hard disk encryption and up-to-date antivirus software that reports to a centralized control system, using scanless technology monitoring in real time.
Access to Typeform devices is protected by MFA and MDM technologies providing an extra layer of security. Only Typeform and verified devices are allowed to access corporate networks.
Information security incident management
Typeform has security incident response policies and procedures which comply with articles 34 & 35 of GDPR. They provide the necessary steps to deal with security incidents, provide initial response, investigation, and notification according to the applicable laws. The company has also established a Personal Data Breach Notification procedure to notify both the EU & US supervisory authorities and the affected data subjects according to GDPR and other data protection regulations.
All suspected or confirmed privacy or data security incidents must be reported in accordance with the security policies. Typeform employees that identify a potential incident will initially classify the incident severity based on their perception. All incidents are to be notified as soon as possible after they are identified without undue delay.
We are committed to keeping our customers fully informed of any matters relevant to the security of their account and to providing customers all information necessary for them to meet their own regulatory reporting obligations.
You can communicate with our Security department through our Community or through the Contact Support button.
Continuity
Typeform has concrete contingency and continuity plans defined according to the risks analysis performed. In the event of an emergency, the specific contingency plan is ready to enable the continuation of critical business processes while protecting the integrity of the data while an organization operates in emergency mode.
Development
Our development team employs secure coding techniques and best practices, focused around the OWASP Top Ten under the supervisión of the Security department. Developers are periodically trained in secure practices upon hire.
Test and production environments are isolated and separated. All changes are reviewed for performance, audit, and security purposes before getting fully applied to the production environment. Different approvals are needed before implementing changes into production to mitigate risks, even from insiders. Typeform never uses real data in non-production environments.
Any affectation to the service can be checked at any time on the Typeform status page.
Shared responsibility
Protecting access to your data and responses is a shared responsibility involving Typeform and our customers. Both sides need to follow secure procedures to manage what they are accounted for. Find out more about security features and good practices here.
Virtualization security
Typeform applications are built using a microservice architecture with a container orchestration system for automatic software deployment, scaling, and management. On top of it there is a service mesh for facilitating service-to-service communications between microservices, providing secure connections and monitoring of services.
Typeform has controls to secure workloads at different stages (build, deploy, and runtime), such as image scanning, securing CI/CD pipelines, secrets management, encryption, observability, and threat detection.
Secret authentication information management
Typeform customers can authenticate with a local password, or they can sign up with Google or Microsoft. If they sign up with a local password, their credentials are stored in a third-party service authentication cloud, using salted bcrypt with a high number of rounds to protect passwords.
Customers can reset their passwords or unlock their accounts using their pre-configured email addresses at any time.
Typeform provides a two-factor authentication (2FA) mechanism that can be easily enabled by the customer.
Customers on an Enterprise plan can set up their Typeform account for SSO, so they can configure a SAML or an OIDC authentication protocol using their own identity provider.