Our security protocols
Our enterprise-class Software-as-a-Service (SaaS) receives, processes and stores tens of thousands of form submissions and data records each day for more than 6,000 active clients who rely on our platform. Our platform is set up with extremely high availability and redundancy to meet the resiliency and availability needs of our clients. Founded in 2012, we have built a reputation for providing highly reliable and secure services.
Our information security policies and practices are based on ISO 27001, the Australian Government Information Security Manual, ACSC cyber security principles and guidelines including the Essential Eight Model, the Australian Privacy Principles and Privacy Act.
All data is stored in Australia. Your organisation owns the form response data and file upload data. Snapforms will only access your data at your request. You can download your information or delete your information from our system at any time.
Snapforms is hosted on Amazon Web Services (AWS) infrastructure located in Australia. We made a strategic choice to use the world’s leading cloud IT infrastructure provider, which provides a high-performing, robust and secure infrastructure set to meet the needs of our users. Amazon maintains several compliance certifications, including ISO 27001, SOC1, SOC2, SOC3, PCI DSS, IRAP, ISO 9001, CSA, ISO 27017 and ISO 27018.
We employ several network security and monitoring techniques to achieve multiple layers of protection and defence. We have firewalls in place to protect our network from unauthorised access and malicious traffic. Our systems are split into separate networks to protect sensitive data. Testing and development systems are hosted in a separate network from production infrastructure. All unnecessary users, protocols, and ports are disabled and monitored. In addition to using automated security software and services, our security team continuously monitors and triggers notifications for suspicious behaviour.
Our platform is designed to be both scalable and redundant in all areas. In the event of a server failure, another machine will be ready to take over immediately, allowing users to carry on as usual.
Intrusion detection and prevention
We employ the latest in network and host-based monitoring tools which detect and prevent malicious attacks against our services. We tightly control the attack surface, using intelligent detection controls at data entry points, and deploying technologies that automatically handle dangerous situations, as well as blocking known threats in the first place. On the network level we rely on both signature-based security and algorithm-based security to detect malicious traffic. At the application layer, we utilise a WAF which operates using both whitelist and blacklist rules.
Every change we develop is governed by a change management policy to ensure it is authorised before implementation into production. Our development team adheres to secure coding guidelines, and we screen all code changes for potential security or performance issues with our code analysis tools, vulnerability scanners, and manual review processes. Our security framework is based on OWASP standards, and is implemented in the application layer to mitigate threats including SQL injection, cross-site scripting and DoS attacks.
We operate a multi-tenant SaaS application. Multi-tenancy is a key feature of Snapforms that enables multiple customers to share one instance of the Snapforms application layer while isolating each customer tenant’s application data. We have secure protocols in place to ensure tenants are logically separated so that the actions of one customer cannot compromise the data or service of other customers. Every user ID is associated with one tenant, which is then used to access the Snapforms applications. Your data is owned by you, and not by Snapforms. We do not share this data with any third party without your consent. Customers on the Enterprise plan have the option to host their tenant on a dedicated, single-tenant data server and domain to further physically and logically segregate data.
Data at Rest: All data in Snapforms is encrypted at rest using 256-bit Advanced Encryption Standard (AES). Encryption keys are managed through our KMS and are rotated in accordance with our security policy.
Data in Transit: Data transmitted to our servers is encrypted in transit using Transport Layer Security (TLS 1.2/1.3). We have enabled the HTTP Strict Transport Security (HSTS) header on all web connections, and we flag all our authentication cookies as secure.
Data retention and disposal
We retain your data within your account as long as you choose to use our services.
Customers have the ability to remove individual form responses or bulk delete via the admin interface or the data API.
On termination of your account, the data belonging to you will be removed from the live production database and all file attachments uploaded will be removed within 14 days. Your data will remain in encrypted backups until those backups fall out of the 30-day backup retention window and are destroyed in accordance with our data retention policy.
Several methods exist for you to export data from Snapforms:
- Direct Export – Data can be exported directly into CSV (comma-separated values) files, or Excel files with one click.
- Power Automate – Snapforms provides a Power Automate Connector to push from Snapforms to Microsoft Power Automate, which allows data to be pushed to hundreds of other services or platforms.
- Snapforms API – Data can be exported to and from the system through our API at any time, or via a number of built-in features.
- Partner Tools – There are also many pre-integrated partner tools, some of which you may already own.
Media storage devices used to store customer data are classified by AWS as critical, and treated accordingly as high impact throughout their life cycles. AWS has exacting standards on how to install, service, and eventually destroy the devices when they are no longer useful. When a storage device has reached the end of its useful life, AWS decommissions media using techniques detailed in NIST 800-88. Media that stored customer data are not removed from AWS control until they have been securely decommissioned.
Production data is not used in testing and development environments. Test data is carefully selected to ensure no personally identifiable information is used.
Web content security
Our application and system have input validation and output encoding to ensure data accuracy and prevent malicious access via, for example, code injection, SQL injection, Cross Site Scripting (XSS), etc. We employ a restrictive Content Security Policy (CSP) as an added layer of security to help detect and mitigate these types of attacks.
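The transport and content controls described here and under Data in Transit (an HSTS header on every web response, a restrictive CSP, and authentication cookies flagged Secure) can be verified from the outside by auditing a response's headers. The following is an added example, not Snapforms' own code; the sample headers and the one-year HSTS baseline are constructed assumptions.

```python
"""Audit an HTTP response's headers for the HSTS, CSP and cookie controls.
Illustrative code only; the sample response below is constructed."""
from typing import Dict, List

# Constructed sample: headers from a hypothetical login response.
SAMPLE_HEADERS: Dict[str, List[str]] = {
    "Strict-Transport-Security": ["max-age=31536000; includeSubDomains"],
    "Content-Security-Policy": ["default-src 'self'; script-src 'self'; object-src 'none'"],
    "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"],
}

MIN_HSTS_AGE = 31536000  # one year; an assumed hardening baseline, not a page value


def hsts_findings(headers: Dict[str, List[str]]) -> List[str]:
    """HSTS must be present and its max-age must meet the baseline."""
    values = headers.get("Strict-Transport-Security", [])
    if not values:
        return ["HSTS header missing"]
    directives = {}
    for directive in values[0].split(";"):
        name, _, value = directive.strip().partition("=")
        directives[name.lower()] = value
    age = int(directives.get("max-age", "0") or "0")
    return [] if age >= MIN_HSTS_AGE else [f"HSTS max-age {age} below {MIN_HSTS_AGE}"]


def csp_findings(headers: Dict[str, List[str]]) -> List[str]:
    """CSP must exist, have a default-src fallback, and not loosen script-src."""
    values = headers.get("Content-Security-Policy", [])
    if not values:
        return ["CSP header missing"]
    policy = {}
    for directive in values[0].split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    findings = []
    if "default-src" not in policy:
        findings.append("CSP has no default-src fallback")
    script_sources = policy.get("script-src", policy.get("default-src", []))
    for risky in ("'unsafe-inline'", "'unsafe-eval'", "*"):
        if risky in script_sources:
            findings.append(f"script-src allows {risky}")
    return findings


def cookie_findings(headers: Dict[str, List[str]]) -> List[str]:
    """Every cookie set by the response must carry Secure and HttpOnly."""
    findings = []
    for cookie in headers.get("Set-Cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {attr.strip().lower() for attr in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
    return findings


def audit(headers: Dict[str, List[str]]) -> List[str]:
    """Combine all findings; an empty list means the response passes."""
    return hsts_findings(headers) + csp_findings(headers) + cookie_findings(headers)
```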
Identity and Access control
Single Sign-On (SSO)
Snapforms supports single sign-on (SSO) on our Enterprise plan, which allows customers to integrate their company’s identity provider (IDP) when they log in to Snapforms.
Multi-Factor Authentication (MFA)
Snapforms supports MFA in addition to the password. This reduces the risk of unauthorised access if a user’s password is compromised.
Snapforms enforces strong passwords and locks out the user after several failed login attempts. Notifications for incorrect login attempts are sent to the account owner by email. Passwords have a nine-character minimum and must include upper case, lower case, special and numeric characters. Common and simple passwords are banned. Users are encouraged not to re-use passwords used anywhere else and to use multi-factor authentication for additional security.
Customers on our Enterprise plans have the option to set their own password policies.
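As an added illustration of the password controls stated above (not Snapforms' own code), the following enforces a nine-character minimum with all four character classes, rejects a deny list of common passwords, notifies the account owner of failed attempts and locks the account after repeated failures; the policy object can be re-parameterised, which is how an Enterprise customer's own policy would be modelled. The lockout threshold, the deny-list contents and the notification mechanism are assumptions for the example.

```python
"""Illustrative password-policy and lockout logic; not Snapforms' implementation."""
import string
from dataclasses import dataclass, field
from typing import List

# Constructed sample of a common-password deny list (assumption; a real list is far larger).
COMMON_PASSWORDS = {"password1!", "welcome1!", "qwerty123!"}


@dataclass
class PasswordPolicy:
    min_length: int = 9            # the page's stated minimum
    max_failed_attempts: int = 5   # assumed lockout threshold; the page says "several"

    def violations(self, password: str) -> List[str]:
        """Return the reasons a password fails the policy (empty list = accepted)."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if not any(c.isupper() for c in password):
            problems.append("no upper-case letter")
        if not any(c.islower() for c in password):
            problems.append("no lower-case letter")
        if not any(c.isdigit() for c in password):
            problems.append("no digit")
        if not any(c in string.punctuation for c in password):
            problems.append("no special character")
        if password.lower() in COMMON_PASSWORDS:
            problems.append("common password")
        return problems


@dataclass
class Account:
    owner_email: str
    failed_attempts: int = 0
    locked: bool = False
    notifications: List[str] = field(default_factory=list)  # stands in for e-mail delivery


def record_login(account: Account, policy: PasswordPolicy, success: bool) -> bool:
    """Apply the lockout rule; return True only if the login is allowed to proceed."""
    if account.locked:
        return False
    if success:
        account.failed_attempts = 0
        return True
    account.failed_attempts += 1
    # The page states the account owner is notified of incorrect attempts.
    account.notifications.append(
        f"to {account.owner_email}: failed login attempt #{account.failed_attempts}")
    if account.failed_attempts >= policy.max_failed_attempts:
        account.locked = True
    return False
```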
Snapforms utilises an appropriately short session timeout to protect users whose devices may be compromised, lost or stolen.
Snapforms supports the provision of a unique Snapforms login to every staff member, with the ability to set different levels and areas of access for different staff members.
Snapforms access to customer data
All data collected from our customers and their forms is classified with the highest level of sensitivity. Snapforms will not access your form data without your authorisation. We have technical measures and internal policies in place to prevent employees from accessing user data. We adhere to the principles of least privilege to minimise the risk of data exposure.
Staff access to services is managed using a combination of restricted VPN, strong passwords, two-factor authentication, and SSH keys. All operations are logged and audited.
Logging and monitoring
We collect application, infrastructure and systems logs in a centrally managed log repository for monitoring, troubleshooting, security reviews, and analysis. Logs are preserved in accordance with regulatory requirements to assist in the case of a security incident. Detailed audit logging covering all operations performed by the user, including the organisation’s staff users, is available to the customers in the Snapforms platform.
We engage third parties to perform regular audits and penetration testing against our applications. These are run on at least a bi-annual basis with frequency increased if there are significant changes. We have a policy in place in which additional periodic internal vulnerability scans and penetration tests are performed on all information systems and hosted applications. The frequency and comprehensiveness of scans are defined by security categorisation of the system, data sensitivity and specific regulatory requirements.
We utilise third-party software to conduct continuous application vulnerability scanning against our production environments in addition to automated and manual penetration testing efforts.
All vulnerabilities discovered during penetration tests are entered into the central ticketing system and are assigned an internal vulnerability ranking according to the OWASP risk rating framework, based on likelihood and impact. These issues are tracked through to resolution in accordance with company policy and industry best practice recommendations.
Malware and spam protection
We support DMARC as a way to prevent spam and verify messages are authentic. We also use our own detection services and algorithms for identifying abuse of Snapforms services, including phishing and spam activities. We monitor the signals from the software and handle abuse complaints.
We operate a comprehensive backup program where our backup measures are designed in line with system recovery requirements. With respect to customer and application data we use the snapshot feature of Amazon RDS (Relational Database Service) to create automated daily backups of each RDS instance. Amazon RDS snapshots are retained for 30 days with support for point-in-time recovery and are encrypted using AES-256 encryption. Backup data are not stored offsite but are replicated to multiple data centres within a particular AWS region in Australia. We also perform quarterly testing of our backups.
Business continuity and Disaster Recovery
We have designed our systems and infrastructure with high availability and redundancy in mind. This includes backup, mitigation and handling in case of server failure, power failure, fire or other disaster.
A Business Continuity and Disaster Recovery Plan is in place and is both reviewed and tested on at least an annual basis. This includes strategies, procedures and contact information to be used in the event of an incident.
As part of our High Availability setup, we use multi-availability zone data replication and point-in-time backup to provide additional resiliency and support a low Recovery Point Objective (RPO) of 5 mins and Recovery Time Objective (RTO) of 30 mins.
Employee background checks
Background checks are conducted by reputed external agencies for all employees engaged in delivering service to customers. These include thorough police checks as well as specialised background checks where relevant.
We have a comprehensive set of information security policies to guide our employees in making the right security decisions. During onboarding, all employees sign a non-disclosure agreement and agree to our acceptable use policy. We provide information security, privacy, compliance and incident response training during onboarding and on a regular basis. We provide additional specialised training on specific aspects of security based on the role.
Dedicated security and privacy teams
Our dedicated security and privacy teams manage our security and privacy programs. These teams are responsible for developing and maintaining our systems, reviewing processes, monitoring our networks and providing consulting to other teams.
Internal audit and compliance
Our security, privacy and legal teams regularly review our compliance obligations, monitor these requirements and ensure we comply with applicable regulatory and industry requirements. We conduct periodic internal audits against these obligations and our wider goals.
We use an endpoint management system for all hosts, which includes anti-virus software, content filtering and threat detection. The endpoints themselves are heuristically monitored and anomalous activity alerts the SIEM for quarantine or investigation. All files are scanned upon access. We maintain a register of corporate-owned/issued devices (including laptops) and BYOD devices. Our policies do not allow the storage or processing of customer data outside the production environment or the administration of customer data from BYOD devices.
We have documented Incident Response and Data Breach Response Plans which outline the processes to respond to security events and incidents, including breaches of personal or protected data, the key principles of which include:
- Anticipate and prepare for security incidents and response
- Contain, resolve and recover from incidents
- Invest in people, processes and technologies to ensure we can manage security incidents when they occur
- Treat protecting customer data as the top priority
- Regularly test the incident response plan
- Continuously improve the incident management process
- Communicate security incidents to all relevant stakeholders
Scenarios covered include Data Breach, Outage of Forms Service, Public Relations Event, and Security Breach.
Snapforms’ goal is to notify customers of a notifiable incident within 24 hours of becoming aware of that incident. Our Incident Response Plan (IRP) is periodically tested and kept up to date. Notification may include phone contact by Snapforms Customer Support or email to the customer’s administrator.
Snapforms has formal policies and procedures defined, implemented and governed by management that integrate the risk management process with the change management process.
Our change management process covers all system and software configuration changes. These are reviewed and updated at least annually and controls include at a minimum:
- Documenting the impacts of the change
- Peer review of technical scope
- Management review for timing and impact scope
- Testing of operational functionality
- Back-out procedures
- Changes covered
- Documentation of the change
Our change management process requires testing and approvals from relevant stakeholders before being released into production. We maintain policies and procedures to ensure consideration of security, quality and availability throughout the software development lifecycle.
Any changes or fixes to the application (e.g., fixing vulnerabilities) are seamless and mandatory. Customers are notified of changes to the application via the ‘Updates’ page within their account. Any major changes that we determine may impact customer activities in the application are communicated in advance to allow the customer to raise any concerns or include the change in their change management process.
We have a vendor management policy which guides how we evaluate and qualify vendors. Our finance, legal and procurement teams review invoices, contracts, SLAs, and vendor internal policies to manage risks associated with security, availability, and confidentiality. We also perform functional risk assessments as needed based on the risk profile. Risk assessments are revisited as part of policy renewal and anytime the relationship with the supplier changes significantly.
Protecting access to your data and responses is a shared responsibility involving Snapforms and our customers. Security procedures that customers should consider include:
- Using a unique, strong password
- Using multi-factor authentication
- Using the latest browser and operating system versions with any security patches applied
- Exercising precaution when sharing data out of Snapforms
- Monitoring for phishing and malware threats by closely reviewing unfamiliar emails or links that may be impersonating Snapforms
We understand that privacy is important to you – it is important to us, too. That’s why we respect your personal information and are committed to protecting it when providing products and services to you. Snapforms is hosted and operated entirely within Australia, giving you the confidence that your data and privacy are both entirely held onshore and will never be sold or shared.
Last updated: Dec 2023