Security

Update on Typeform's security, privacy and compliance features 🔏

  • 27 July 2021
  • 6 replies
  • 955 views
Update on Typeform's security, privacy and compliance features 🔏
Userlevel 1

Hey there community, I'm Pau, Director of Security at Typeform 👋. It's my job to help make sure that the Typeform platform is secure – and that you, the Typeform user, can count on the required privacy, security and compliance standards.

 

I wanted to drop by with an update of where Typeform is at in terms of security features. The security and integrity of your data is so important to us and we've been working hard to build our services around this idea. 

 

Typeform comes with enterprise-level security and compliance measures and I thought I'd share with you just what some of these are. Even if you're not the sort of person who digs security certification acronyms (what's wrong with you?!), at some point you may get a tap on the shoulder from your IT guy/gal – or even your CTO – asking about the compliance of your SaaS tools so I want to make sure you've got the info you need for when that happens!

 

I'll hit you with the bullet-form version of our security features below, but if you head over to our Help Center article, you can read about everything in more depth:

 

Certifications
 

 

Compliance
 

  • GDPR (EU): Typeform has been successfully audited on compliance with GDPR and contains the appropriate features to allow users to be compliant.

 


Internal security policies

 

  • Typeform has an information security department specifically responsible and accountable for security administration. 

  • Typeform has a password policy, data protection and classification of information policy, security in communications, continuity and contingency plans, incident management policies and procedures, incident communication procedures, acceptable use policy on workstations and mobile devices and backup policy amongst others. We review and update them at least annually or when a relevant change is done.

  • Typeform collects application, infrastructure and systems logs in a centrally managed log repository for monitoring, troubleshooting, security reviews, and analysis by authorized personnel.

  • Our development team employs secure coding techniques and best practices, focused around OWASP methodologies and with the support and  supervision of the security department.

  • Our Security department has implemented an ad-hoc S-SDLC (Secure Software Development Life Cycle).

 

Data protection policies

 

  • Access to Typeform resources is only permitted through secure connectivity (e.g.,VPN, SSH bastions), multi-factor authentication and following the Least Privilege principle.

  • All our environments are hosted in a Virtual Private Cloud (VPC) in Amazon Web Services (AWS).

  • Our main servers are located in Virginia, USA and backup servers are located in a different datacenter. They are compliant with security and privacy standards.

  • We encrypt customers’ data in-transit (end-to-end, including within the virtual private cloud at AWS) using secure TLS cryptographic protocols (TLS 1.2) and Advanced Encryption Standard (AES) is used with a 256-bit key to encrypt data at rest including the backups of the information – This protects customers’ data in case of breach.

  • We carry out recurrent penetration tests on our platform, ideally twice a year.

  • Typeform has concrete contingency and continuity plans defined according to the risks analysis performed.

 

So now you know! 

 

Ask anyone in the data security game and they will tell you that a bullet list of certifications and standards like this ain't easy to come by. There's a whole lot of work that goes into achieving compliance and for that I'd like to thank the team here at Typeform for helping to keep you and your data secure 👏👏👏

 

If there's anything you'd like to know about Typeform's security feel free to ask!


6 replies

Userlevel 7
Badge +6

:thumbsup_tone2::thumbsup_tone2:

Userlevel 7
Badge +5

Thank you!! This is so handy, @Pau Julià !

Where can I find downloadable or printable DPA ?

This version is not helpful: 

 

Userlevel 7
Badge +5

Hi @Layal The most up to date version we have is in the form you’re seeing above. I’m afraid we don’t have a printable version of this. :\

Hi @Pau Julià. My organisation has been using Typeform for a number of activities and love the product. I am part of the InfoSec team and as part of one of our Data Security activities, wanted to obtain your latest SOC2 report. The organisation purchased a plan online and don’t seem to have a contact who I can reach out. Could you please help us here? Thanks!

Userlevel 7
Badge +5

Hi @ShubhamA Our support team can actually help you with this. :grinning: If you send them an email here, they’ll provide the report for you. 

Reply