Hey there community, I'm Pau, Director of Security at Typeform. It's my job to help make sure that the Typeform platform is secure – and that you, the Typeform user, can count on the required privacy, security and compliance standards.

I wanted to drop by with an update of where Typeform is at in terms of security features. The security and integrity of your data is so important to us and we've been working hard to build our services around this idea.

Typeform comes with enterprise-level security and compliance measures and I thought I'd share with you just what some of these are. Even if you're not the sort of person who digs security certification acronyms (what's wrong with you?!), at some point you may get a tap on the shoulder from your IT guy/gal – or even your CTO – asking about the compliance of your SaaS tools, so I want to make sure you've got the info you need for when that happens!

I'll hit you with the bullet-form version of our security features below, but if you head over to our Help Center article, you can read about everything in more depth:

Certifications

- HIPAA-compliance certification
- Our payments partner Stripe is PCI DSS 3.2 and PSD2 certified

Compliance

- GDPR (EU): Typeform has been successfully audited for compliance with GDPR and includes the features users need in order to be compliant themselves.

Internal security policies

- Typeform has an information security department specifically responsible and accountable for security administration.
- Typeform maintains, among others, a password policy, a data protection and information classification policy, a communications security policy, continuity and contingency plans, incident management policies and procedures, incident communication procedures, an acceptable use policy for workstations and mobile devices, and a backup policy. We review and update them at least annually, or whenever a relevant change is made.
- Typeform collects application, infrastructure and system logs in a centrally managed log repository for monitoring, troubleshooting, security reviews, and analysis by authorized personnel.
- Our development team employs secure coding techniques and best practices, built around OWASP methodologies and with the support and supervision of the security department.
- Our security department has implemented a custom S-SDLC (Secure Software Development Life Cycle).

Data protection policies

- Access to Typeform resources is only permitted through secure connectivity (e.g., VPN, SSH bastions), with multi-factor authentication and following the least privilege principle.
- All our environments are hosted in a Virtual Private Cloud (VPC) in Amazon Web Services (AWS).
- Our main servers are located in Virginia, USA, and backup servers are located in a different datacenter. Both are compliant with security and privacy standards.
- We encrypt customers' data in transit (end to end, including within the virtual private cloud at AWS) using the TLS 1.2 cryptographic protocol, and we encrypt data at rest, including backups, with the Advanced Encryption Standard (AES) using a 256-bit key. This protects customers' data in case of a breach.
- We carry out recurrent penetration tests on our platform, ideally twice a year.
- Typeform has concrete contingency and continuity plans defined according to the risk analysis performed.

So now you know!

Ask anyone in the data security game and they will tell you that a bullet list of certifications and standards like this ain't easy to come by. There's a whole lot of work that goes into achieving compliance, and for that I'd like to thank the team here at Typeform for helping to keep you and your data secure.

If there's anything you'd like to know about Typeform's security, feel free to ask!