Security & Compliance

Enterprise-grade security to protect your data. GDPR compliant, HIPAA ready, and built with security best practices from the ground up.

Security Overview

Encryption

All data encrypted in transit (TLS 1.3) and at rest (AES-256). Your data is always protected.

Secure Storage

Enterprise-grade infrastructure with automatic backups, redundancy, and 24/7 monitoring.

Compliance

GDPR compliant and HIPAA ready for healthcare applications. Built with security best practices.

Privacy Controls

Granular privacy settings, data retention controls, and easy data export/deletion.

Data Encryption

Encryption in Transit
TLS 1.3: Latest encryption protocol for all data in transit
HTTPS Everywhere: All forms and API endpoints enforce HTTPS
HSTS Enabled: Forces browsers to always use HTTPS
Perfect Forward Secrecy: Each session has unique encryption keys
Encryption at Rest
AES-256 Encryption: All stored data is encrypted with AES-256
Encrypted Backups: All backups are encrypted with separate keys
File Encryption: All uploaded files encrypted individually
Key Management: Secure key rotation and management practices

Access Controls

Authentication & Authorization
Password Requirements: Enforced minimum 8 characters with complexity rules
Two-Factor Authentication (2FA): Optional 2FA via authenticator apps
SSO Support: SAML-based Single Sign-On (Business plan)
Session Management: Automatic timeout after 30 days of inactivity
API Key Security: Scoped API keys with granular permissions
Team & Role Management

Role-Based Access Control (RBAC)

Assign different permission levels to team members:

Owner: Full access including billing and deletion
Admin: Manage forms, users, and settings
Editor: Create and edit forms
Viewer: View forms and submissions only

GDPR Compliance

WorkForm is fully compliant with the General Data Protection Regulation (GDPR). We provide all the tools you need to respect your visitors' privacy rights.

GDPR Features
Data Processing Agreement (DPA): Available for all paid plans
Right to Access: Export any user's data in machine-readable format
Right to Deletion: Permanently delete user data on request
Data Portability: Export submissions as CSV or JSON
Consent Management: Built-in consent checkboxes and privacy notices
Data Retention Controls: Set automatic deletion policies
EU Data Residency: Option to store data in EU (Business plan)
Adding GDPR Consent to Forms

Add a required consent checkbox to your forms:
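An added example, not WorkForm's own code, of what the receiving side of such a checkbox should do: the `required` attribute only stops the browser from submitting, so the server must verify consent itself and keep evidence of the wording the visitor agreed to (GDPR Art. 7(1) requires consent to be demonstrable). The submission fields (`consent`, `noticeVersion`, `formId`) and the notice registry are assumptions for this example.

```javascript
// Added example (not WorkForm's code): server-side enforcement of a GDPR
// consent checkbox. The submission shape and notice registry are assumed.

// Privacy notice versions the server knows about (constructed sample text).
const PRIVACY_NOTICES = {
  "2024-01": "I agree that my data is processed as described in the privacy notice.",
};
const CURRENT_NOTICE_VERSION = "2024-01";

// An HTML checkbox posts "on" when ticked and is absent otherwise; JSON
// clients may send true. Anything else, including the string "false", is
// not consent.
function checkboxChecked(value) {
  return value === true || value === "on" || value === "true";
}

// Validate a submission and build the consent record to store with it.
// Returns { ok: true, consentRecord } or { ok: false, error }.
function validateConsent(submission, now = new Date()) {
  if (!checkboxChecked(submission.consent)) {
    return { ok: false, error: "consent_required" };
  }
  // Consent given to a notice version the server no longer shows (e.g. a
  // stale cached form) is rejected; the visitor must see the current text.
  if (submission.noticeVersion !== CURRENT_NOTICE_VERSION) {
    return { ok: false, error: "stale_privacy_notice" };
  }
  return {
    ok: true,
    consentRecord: {
      formId: submission.formId,
      noticeVersion: submission.noticeVersion,
      // Store the server's copy of the wording, never text sent by the client.
      noticeText: PRIVACY_NOTICES[submission.noticeVersion],
      consentedAt: now.toISOString(),
    },
  };
}

// Constructed sample submissions: one with the box ticked, one without.
const ticked = { formId: "contact", consent: "on", noticeVersion: "2024-01" };
const unticked = { formId: "contact", noticeVersion: "2024-01" };

console.log(validateConsent(ticked, new Date("2024-03-01T12:00:00Z")));
console.log(validateConsent(unticked).error); // consent_required
```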

HIPAA Compliance

The Business plan includes HIPAA-compliant features for healthcare organizations handling Protected Health Information (PHI).

HIPAA Features (Business Plan)
Business Associate Agreement (BAA): Signed BAA provided
Enhanced Encryption: Additional encryption layers for PHI
Audit Logs: Complete audit trail of all data access
Access Controls: Strict authentication and authorization
Data Backup: Encrypted backups with secure retention
Breach Notification: Incident response procedures in place
Enabling HIPAA Compliance

HIPAA compliance must be explicitly enabled. Contact our sales team to upgrade to the Business plan, sign a BAA, and enable HIPAA features for your account.

Infrastructure Security

Hosting & Infrastructure
• Hosted on secure cloud infrastructure
• Enterprise-grade data centers
• Multi-region redundancy
• DDoS protection
• 24/7 infrastructure monitoring
Application Security
• Regular security audits
• Penetration testing quarterly
• Dependency vulnerability scanning
• Web Application Firewall (WAF)
• Automated security updates
Data Backups
• Automatic daily backups
• 30-day backup retention
• Encrypted backup storage
• Point-in-time recovery
• Geographically distributed backups
Monitoring & Alerts
• Real-time threat detection
• Anomaly detection
• Failed login attempt monitoring
• Automated incident response
• 24/7 security team

Data Protection Practices

How We Protect Your Data

File Upload Security

• Malware scanning on all uploads
• File type validation and restrictions
• Size limits enforced per plan
• Isolated storage with no public access
• Automatic virus quarantine

Data Sanitization

• All input sanitized to prevent XSS attacks
• SQL injection prevention
• CSRF token protection
• Content Security Policy (CSP) headers
• Input validation on all fields

Data Retention

• Configure custom retention policies
• Automatic deletion after specified period
• Soft delete with 30-day recovery window
• Permanent deletion on request
• Audit logs for all deletions

Privacy Controls

Form-Level Privacy Settings
IP Address Collection: Choose whether to collect visitor IP addresses
Geolocation: Optional geolocation tracking with opt-out
Analytics Tracking: Disable analytics for sensitive forms
Cookie Control: Minimal cookies, no third-party tracking
Anonymous Submissions: Allow submissions without identifying data

Compliance Standards

GDPR Compliant

Built to comply with EU General Data Protection Regulation requirements and best practices.

HIPAA Ready

HIPAA-compliant infrastructure with BAA available for healthcare organizations (Business plan).

Security Best Practices

Built following industry-standard security practices including encryption, access controls, and monitoring.

Data Protection

Comprehensive data protection with encryption at rest and in transit, regular backups, and secure deletion.

Security Best Practices
Enable 2FA: Require two-factor authentication for all team members.
Use strong passwords: Enforce complex passwords and regular updates.
Limit API key scope: Create API keys with minimal required permissions.
Review team access: Regularly audit who has access to sensitive forms.
Set data retention: Configure automatic deletion for old submissions.
Use custom domains: Host forms on your domain with SSL for trust.
Monitor audit logs: Review access logs for suspicious activity (Business plan).
Reporting Security Vulnerabilities

If you discover a security vulnerability, please report it responsibly:

• Email: security@getworkform.com
• Include a detailed description and steps to reproduce
• We respond within 24 hours
• Bug bounty program for verified vulnerabilities
• Please allow us time to fix before public disclosure