Security at Typeform
Entrusting your data to a third-party service provider requires rigorous security measures. The security and integrity of your data is critically important for us, and we’ve built our services around this idea. A risk assessment is repeated at regular intervals and those assessments provide security measures and controls to reduce the risks to an appropriate level.
This article describes the technologies and processes that we use to secure your data, and explains our security culture. Click on a section header in the list below to read more about that topic. We need to be clear and understandable from a legal perspective – unfortunately that doesn’t always make for the simplest explanations. If you find anything hard to understand, please get in touch using the Contact Support button at the bottom of this page.
- Security at Typeform
- Security monitoring and auditing
- Security organization
- Physical security
- Network security
- Access control
- Security policies and awareness
- Penetration tests
- Data protection measures
- Data retention
- Asset management
- Information security incident management
- Shared responsibility
Security at Typeform
Typeform is a flexible and customizable online form service with beautiful and easy to use design. We also have the objective to guarantee the security of the data collected. The confidentiality, integrity, and availability of your data is critically important for us, and we’ve built our services around this idea.
Our goal is to facilitate our clients’ security while using Typeform, and to help them achieve the certifications and compliance with certain regulations using our platform. For that purpose, the security and compliance framework of our company is certified on the following international standards. All of them have been audited by independent companies.
Is an international standard based on how we manage the security of our organization’s information. ISO27001 details requirements for establishing, implementing, maintaining and continually improving an information security management system to help ensure that Typeform is protecting the confidentiality, availability, and integrity of our clients’ data and the systems needed to provide the service from threats and vulnerabilities.
Is a comprehensive reporting framework put forth by the American Institute of Certified Public Accountants (AICPA) that ensures a service provider as Typeform securely manages the data entrusted by our customers to protect their interests and privacy. Same as with ISO 27001, the auditing procedure is carried out by independent, third-party auditors assessing and subsequently testing security controls relating to the Trust Services Criteria of Security.
In addition, our platform is hosted on Amazon Web Services, which is certified in various frameworks from SOC2 to ISO27001.
Is by far the most demanding regulation on data protection and privacy in the world. It is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union. It also addresses the transfer of personal data outside the EU and EEA areas. At Typeform, all our customers’ data is processed complying with this framework, no matter which country it belongs to.
Read more about GDPR compliance.
Is a federal law on which we are audited that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patients’ consent or knowledge.
HIPAA requires the organization to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. The Security Rule’s confidentiality HIPAA requirements support the Privacy Rule’s prohibitions against improper uses and disclosures of PHI. Under the Security Rule, integrity means that e-PHI is not altered or destroyed in an unauthorized manner. Availability means that e-PHI is accessible and usable on demand by an authorized person.
At the moment, the organization successfully passed the first compliance assessment, and as a result, the final report allows the company to sign a BUSINESS ASSOCIATE AGREEMENT with its clients.
We also ensure our security by following best practices in different standards:
Although the Typeform platform does not store payment data, we use a PCI DSS certified 3rd party for that purpose called Stripe to accept or process credit card information securely in accordance with these standards, always using the Payment question.
The use of Stripe ensures compliance with the Payment Card Industry’s Data Security Standards (PCI DSS 3.2) and the Revised Directive on Payment Services (PSD2).
We follow OWASP on our secure development and testing of our applications.
We follow the NIST Cybersecurity Framework that provides a policy framework of computer security guidance for how to assess and improve the ability to prevent, detect, and respond to cyber attacks.
We follow FIPS standards in our systems that require any cryptographic method.
Security monitoring and auditing
Typeform collects application, infrastructure and systems logs in a centrally managed log repository for monitoring, troubleshooting, security reviews, and analysis by authorized personnel. Logs are preserved in accordance with regulatory requirements to assist in the case of a security incident.
Typeform has an information security department specifically responsible and accountable for security administration. The Security department directly manages and oversees risk assessment, development of policies, standards, and procedures, testing, and security reporting processes.
A security committee, formed by the highest-level decision and management in the Organization in matters related to information security is in place. The Security Committee assumes responsibility for ensuring compliance with the corporate security principles, to define the initiatives that in matters of security and continuity of the business are rushed in the company and to ensure the security within the company and the platform.
Typeform’s infrastructure is hosted by Amazon Web Services (AWS). Our main servers are located in Virginia, USA. They are compliant with security and privacy standards.
Our offices and facilities also include 24 hour access monitoring, cameras, visitor logs and physical security controls following industry best practices.
All our environments are hosted in a Virtual Private Cloud (VPC) in Amazon Web Services. Our production networks are separated between public and internal services. No inbound internet traffic is allowed on the private subnets, and all application servers only reside in private subnets without public IP addresses. Only Amazon managed and maintained load balancers have ingress access to the application internal servers. Tight security groups control inbound and outbound access to the servers.
Firewalls, Intrusion Detection Systems, Web Application Firewalls, and other security state of the art perimetral controls are installed at the edge locations to provide an additional layer of internal and external network security.
In short, all the networks we use are as secure as we can manage. Access to our servers we use is strictly limited, and no outside traffic is permitted on them.
Access to Typeform resources is only permitted through secure connectivity (e.g.,VPN, SSH bastions) and multi-factor authentication. We follow the principle of least privilege, and every single access is audited, tracked and monitored to ensure that employees only have the permissions necessary to perform their duties.
This means employees can only access Typeform systems with an extra-secure connection. As soon as anyone leaves the company, their access is blocked.
Security policies and awareness
We have a comprehensive set of information security policies following the ISO 27001 standard to ensure compliance, and to guide our employees and contractors in making the right security decisions. Examples include a password policy, data protection and classification of information policy, security in communications, continuity and contingency plans, acceptable use policy on workstations and mobile devices and backup policy amongst others. We review and update them at least annually or when a relevant change is done.
We have non-disclosure agreements with all employees and contractors, and run various security awareness training courses within the company. All our service providers and contractors processing the personal data you have entrusted us are required to sign data processing agreements in line with European data protection laws, and ensuring an adequate level of protection.
This all means that all of us here at Typeform follow internal security guidelines. We get training on these, and they are updated regularly.
As part of our security strategy, we hire well recognized security research firms to perform penetration tests on our platform. Vulnerabilities and findings are ranked according to severity and prioritized accordingly.
This means we allow security experts to come in and test the limits of our security infrastructure, to help us find any weaknesses.
Data protection measures
Once your information enters Typeform’s systems, it’s secured with multiple levels of encryption and access controls. We encrypt your data in-transit (end-to-end, including within the virtual private cloud at AWS) using secure TLS cryptographic protocols (TLS 1.2) and Advanced Encryption Standard (AES) is used with a 256-bit key to encrypt data at rest including the backups of the information.
All workstations and Typeform devices are fully encrypted to guarantee the confidentiality of the information they contain.
Access to customer data is restricted based on role: only the minimum authorized employees have access to data. Every single access to the repositories of information is audited and controlled.
Access is revoked immediately upon employee termination.
Customer data is retained for as long as necessary in respect of the purposes for which it was collected and according to the applicable laws. In addition, by law, we are obliged to keep some data for indefinite periods of time. However, in the event you would like your data to be completely removed from the Typeform platform, you can request us to delete your data at any time through our standardized process and procedure.
Typeform is designed to be both scalable and fault-tolerant. If one machine fails, another will be ready to take over immediately. This redundancy is found in all levels of the platform.
Also in alignment with AWS best-practices, a Multi-availability Zone architecture is in place. Should an entire Availability Zone fail, remaining machines in the functioning availability zone have the capacity to run the entire service.
Redundant backups of critical data are also in place and moved to a different location to ensure business continuity in case of disaster. Backup retention is 15 days.
Typeform implements different integrity security controls on its services and servers to maintain the quality, the accuracy and completeness of data over its entire lifecycle.
Typeform maintains an asset management policy including an identification, classification, retention, and disposal of information and assets. Typeform devices are equipped with full hard disk encryption and up-to-date antivirus software. Only Typeform and verified devices are allowed to access corporate networks.
Information security incident management
Typeform has a security incident response policy and procedures associated to provide a full set of actions to deal with security incidents and provide initial response, investigation, and customer and authorities notification according the applicable laws
We are committed to keeping our customers fully informed of any matters relevant to the security of their account and to providing customers all information necessary for them to meet their own regulatory reporting obligations.
Typeform has concrete contingency and continuity plans defined according to the risks analysis performed. In the event of an emergency, the specific contingency plan is ready to enable the continuation of critical business processes while protecting the integrity of the data while an organization operates in emergency mode.
Our development team employs secure coding techniques and best practices, focused around the OWASP Top Ten under the supervisión of the security department. Developers are periodically trained in secure practices upon hire.
Test and production environments are isolated and separated. All changes are reviewed for performance, audit, and security purposes before getting fully applied to the production environment. Typeform never uses real data in the development and test environments.
Protecting access to your data and responses requires that as Typeform customer, you maintain the security of your account by using secure passwords and protecting them as necessary. Find out more about good password behavior.