Our information security policies and practices are based on ISO27001, the Australian Government Information Security Manual, ACSC cyber security principles and guidelines including the Essential Eight Model, the Australian Privacy Principles and Privacy Act.
You own your data
Your organisation owns the form response data and file upload data. Snapforms will only access your data at your request. To protect your data from unauthorised access, we have logs with alerts set to notify us of suspicious activity.
You can download your information or delete your information from our system at any time.
Password and authentication
Snapforms enforces strong passwords and locks out the user after several failed attempts to log in. Passwords have an eight-character minimum and must include upper case, lower case and numeric characters. Common and simple passwords are banned.
Users are encouraged not to re-use passwords used anywhere else and to use multi-factor authentication for additional security.
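The following is an added illustration of the password policy described above, not Snapforms' own code. The lockout threshold (5) and the short deny-list are assumptions, since the page only says "several failed attempts" and "common and simple passwords".

```python
import re
from collections import defaultdict

MIN_LENGTH = 8
# Assumed lockout threshold; the page says only "several failed attempts".
MAX_FAILED_ATTEMPTS = 5
# Constructed sample deny-list standing in for a real list of common passwords.
BANNED_PASSWORDS = {"password", "password1", "12345678", "qwerty123", "letmein1"}


def validate_password(password: str) -> list[str]:
    """Return the list of policy violations (empty list means the password is acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if password.lower() in BANNED_PASSWORDS:
        problems.append("common or simple password")
    return problems


class LoginGuard:
    """Counts consecutive failed logins per user and locks the account at the threshold."""

    def __init__(self, max_attempts: int = MAX_FAILED_ATTEMPTS):
        self.max_attempts = max_attempts
        self.failures = defaultdict(int)
        self.locked = set()

    def is_locked(self, user: str) -> bool:
        return user in self.locked

    def attempt(self, user: str, credential_ok: bool) -> str:
        """Record one login attempt and return 'ok', 'denied' or 'locked'."""
        if user in self.locked:
            return "locked"          # reject outright; credential is not consulted
        if credential_ok:
            self.failures[user] = 0  # a successful login resets the failure counter
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_attempts:
            self.locked.add(user)
            return "locked"
        return "denied"
```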
Snapforms is hosted on Amazon Web Services (AWS) infrastructure located in Australia. We made a strategic choice to use the world's leading cloud infrastructure provider, which delivers high-performing, robust and secure infrastructure suited to the needs of our users.
Amazon maintains several compliance certifications including ISO 27001, SOC 1, SOC 2, SOC 3, PCI DSS, IRAP, ISO 9001, CSA, ISO 27017 and ISO 27018.
Data is encrypted at rest. All submission data is encrypted on disk with AES-256.
Our network security helps protect your data against the most sophisticated electronic attacks. Network security practices include firewalls and other boundary devices, TLS-encrypted communication, intrusion detection/prevention systems, control and audit, and virus scanning.
Data in transit is protected by TLS 1.3 to provide end-to-end communication security.
Web Application Firewalls are in place to monitor and control web traffic at the application level. We follow best-practice coding standards and have constructed Snapforms so that every account is isolated. We have safeguards in place to detect common attacks such as SQL injection, cross-site scripting, cross-site request forgery and more.
We engage third parties to perform regular audits and penetration testing against our applications. These are run on at least a bi-annual basis with frequency increased if there are significant changes.
Redundancy and business continuity
We have designed our systems and infrastructure with high availability and redundancy in mind. This includes backup, mitigation and handling in case of server failure, power failure, fire or other disaster.
Snapforms has a business continuity and disaster recovery plan that allows customers to continue to run our Forms application in the unlikely event of an outage.
Data backup and replication
We back up and replicate data as follows:
Nightly snapshots are taken of our application database cluster. These daily backups are stored for 30 days.
Data backups are also encrypted using AES-256.
Security monitoring and testing
Our application is configured for appropriate logging of activities to enable detection of security incidents. Logged events are reviewed, and identified anomalies are investigated as possible compromises. All logged activities are sent to a centralised logging infrastructure for audit purposes.
Internal vulnerability scans are run at least monthly.
Snapforms has a PCI Approved Scanning Vendor (ASV) run external vulnerability scans at least quarterly.
Penetration testing of our Forms application, network and segmentation is run on at least a bi-annual basis by a third-party security vendor.
All security testing may be run more frequently as a result of significant changes.
Snapforms does not allow external testing of our environment, including performance testing.
Snapforms employee access
Access to IT assets is granted to Snapforms employees on the 'need to know' and 'least privilege' principles.
We will only access your data at your request. To protect your data from unauthorised access, we have logs with alerts set to notify us of suspicious activity.
Background checks are conducted for all personnel engaged in delivering service to customers. These include thorough police checks as well as specialised background checks where relevant.
Incident response and data breach response
Snapforms has documented Incident Response and Data Breach Response Plans which outline the processes to respond to security events and incidents, including breaches of personal or protected data.
Snapforms' goal is to notify customers of an actual security incident within 24 hours after becoming aware of that incident.
Our organisation addresses cyber security risks in our risk management processes to identify critical assets, threats, and vulnerabilities.
Snapforms performs risk-based due diligence on new and existing vendors to determine if the vendor is using appropriate technical controls and organisation measures to protect data.
Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
As part of our high-availability setup we use multi-availability-zone data replication to provide additional resiliency and to support low RPO and RTO requirements.
Failures of this nature, where RPO and RTO would typically apply, are extremely rare (zero instances in the last eight years). However, because we maintain separate synchronous copies of the data in separate data centres, our RPO under all but the most extreme circumstances is zero, and our RTO is one to five minutes.
Our tried and tested solution
When it comes to building form solutions, there are many moving parts that come together to produce the final outcome. We use a rigorous set of testing processes and tools to mitigate potential issues that can be introduced by human error or changes in external factors that are out of our control. These include functional testing, usability testing, compatibility testing, performance testing and security testing.
For over eight years our platform has served online forms of every type, to hundreds of thousands of users each year. This helps us continually identify and handle possible bugs, issues and usability improvements. All of our customers benefit from the underlying software improvements we make as a result of this constant fine-tuning.
Service Level Agreement
Snapforms guarantees 99.99% service availability (http, https, admin, forms) to our Enterprise plan customers. Should we fail to deliver this for any given calendar month, your account will be refunded a pro-rated amount for the duration of excessive downtime.
We understand that privacy is important to you, and it is important to us too. That is why we respect your personal information and are committed to protecting it when providing products and services to you. Snapforms is hosted and operated entirely within Australia, giving you the confidence that your data and privacy are held entirely onshore and will never be sold or shared.