Signup

Security & privacy standards at Typeform

Typeform is a flexible and customizable online form service with beautiful and easy-to-use design. For us, the security of the data you collect with our service is of the utmost importance. We have built our services with confidentiality, integrity, and availability as the pillars around our data processing practices.

Our certifications

Typeform’s security and compliance framework is certified by the following international standards. All of them are audited by independent companies annually.

ISO_27001__blue_logo_.png

ISO 27001

ISO_27701__2__blue_logo_.png

ISO 27701

SOC_2.png

SOC 2 Type II

HIPAA.png

HIPAA Type I

 

We are compliant with

image1.png

GDPR

image4.png

CS STAR Level 1

Some standards or regulations aren’t certifiable, but that doesn’t mean they are less serious or an organization shouldn’t comply with them.

The most well-known case is GDPR, the strictest international privacy regulation. As an EU-based organization, it is mandatory for us to comply with it when managing personal data.

CS STAR merges the most well-known security standards with the focus of cloud-based actors (customers and providers).

ISO 27001

ISO 27001 is an international standard based on how we manage the security of our organization’s information.

ISO27001 details requirements for establishing, implementing, maintaining and continually improving an information security management system to help ensure that Typeform is protecting the confidentiality, availability, and integrity of our clients’ data and the systems needed to provide the service from threats and vulnerabilities.

The following ISO-related documents are available upon request:

- Typeform 27001 certificate

- Typeform 27001 SOA

- 2022 January Typeform attestation report pentest (NDA only)

- 2022 February VideoAsk attestation report pentest (NDA only)

- 2022 Typeform & VideoAsk results statement

You can request these documents using this contact form, or by reaching out to your Customer Success Manager (Enterprise customers).

Note: Pentest reports can only be requested by customers on an Enterprise plan with an NDA.

ISO 27701

ISO 27701 is a privacy extension to ISO/IEC 27001. The design goal is to enhance the existing Information Security Management System (ISMS) with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS). The standard outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage privacy controls to reduce the risk to the privacy rights of individuals.

The Typeform ISO 27701 certificate is available upon request. You can request it using this contact form, or by reaching out to your Customer Success Manager (Enterprise customers).

SOC 2 Type II

Is a comprehensive reporting framework put forth by the American Institute of Certified Public Accountants (AICPA) that ensures a service provider as Typeform securely manages the data entrusted by our customers to protect their interests and privacy. As with ISO 27001, the auditing procedure is carried out by independent, third-party auditors assessing and subsequently testing security controls relating to the Trust Services Criteria of Security.

The following SOC 2-related documents are available upon request:

- 2022 SOC 2 type II full report (NDA required)

- 2022 SOC 2 type II Confirmation of Opinion letter

- 2021 SOC 2 type I extract from report

You can request these documents using this contact form, or by reaching out to your Customer Success Manager (Enterprise customers).

Note: SOC 2 Type I or II reports can only be requested by customers on a paid Typeform plan. However, full SOC 2 Type I or II reports can be requested by customers on an Enterprise plan with an NDA. 

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA requires the organization to maintain reasonable and appropriate administrative, technical and physical safeguards for protecting e-PHI. The Security Rule’s confidentiality HIPAA requirements support the Privacy Rule’s prohibitions against improper uses and disclosures of PHI. Under the Security Rule, integrity means that e-PHI is not altered or destroyed in an unauthorized manner. Availability means that e-PHI is accessible and usable on demand by an authorized person.

Typeform has successfully passed the compliance assessment and as a result the final report allows the company to sign BUSINESS ASSOCIATE AGREEMENT with its clients.

The following HIPAA-related documents are available upon request:

- 2022 HIPAA type I full report (NDA required)

- 2021 HIPAA type I extract from report

You can request these documents using this contact form, or by reaching out to your Customer Success Manager (Enterprise customers).

Note: HIPAA type l extract from report can only be requested by customers on a paid Typeform plan. HIPAA type l full report can be requested by customers on an Enterprise plan with an NDA.

General Data Protection Regulation (GDPR)

Is by far the most demanding regulation on data protection and privacy in the world. It is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union. It also addresses the transfer of personal data outside the EU and EEA areas. At Typeform, all our customers’ data is processed complying with this framework, no matter in which country they are based in.

Access to our Processors’ page

Typeform has carried out a Data Transfer Impact Assessment available to everyone upon NDA signature. Please refer them to your Typeform Customer Success Manager, if applicable, or this contact form.

CSA STAR Level 1

The Cloud Security Alliance (CSA) is a nonprofit organization led by a broad coalition of industry practitioners, corporations, and other important stakeholders. It is dedicated to defining best practices to help ensure a more secure cloud computing environment, and to helping potential cloud customers make informed decisions when transitioning their IT operations to the cloud. In 2013, the CSA and the British Standards Institution launched the Security, Trust & Assurance Registry (STAR), a free, publicly accessible registry in which cloud service providers (CSPs) can publish their CSA-related assessments.

STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards. Publishing to the registry allows organizations to show current and potential customers their security and compliance posture, including the regulations, standards, and frameworks they adhere to. It ultimately reduces complexity and helps alleviate the need to fill out multiple customer questionnaires.

At the moment, Typeform has submitted the Consensus Assessments Initiative Questionnaire (CAIQ), where the assessment delivered is publicly available for anyone in the following link:

Link to STAR Registry.

Tap into our community knowledge