The ProntoForms SaaS security journey

Mobile app solutions are a key player in the shifting tech-enabled field service ecosystem. Despite the agility and optimization that come with switching to digital processes, many field service organizations perceive the move from paper to digital solutions as relinquishing control over data security. What prevents someone, anyone, from accessing, using, and disclosing sensitive ePHI or PII online?

In order to provide enterprise-grade data collection in the field, ProntoForms takes the protection of data seriously. That’s why we actively and continuously seek validation of our security protocols on several fronts. Since our humble beginnings, ProntoForms has made security part of our DNA with a security and compliance journey to match.

HIPAA Certification

Our first milestone, achieved in 2017 and upheld since, certifies that the applications we release on the Salesforce AppExchange meet industry best security standards. This was followed in 2018 by a successful audit for compliance with the HIPAA Security Rule, conducted by the third-party security auditing specialist KirkpatrickPrice. The Health Insurance Portability and Accountability Act (HIPAA), passed in 1996, set a national standard for protecting medical records and other protected health information (PHI). As an app solution for enterprises including medical device and life science institutions, we recognize our responsibility in reducing the organizational risks associated with data security. ProntoForms assures the confidentiality, integrity, and availability of electronic protected health information by upholding the HIPAA Security Rule requirements, which measure the effectiveness of our administrative, technical, and physical safeguards.

SOC 2 Type 1 & SOC 2 Type 2 Certification

In 2018, ProntoForms took another step down the System and Organization Controls (SOC) certification path. Our journey led to a successful SOC 2 Type 1 audit, which verified that the design of our internal controls meets the Trust Services Criteria. In March 2019, ProntoForms earned SOC 2 Type 2 compliance, verifying the operating effectiveness and reliability of those controls over an extended (18-month) period.

This significant milestone in ProntoForms' compliance journey reiterated our dedication to the protection of data.

“Achieving compliance with the HIPAA Security Rule and receiving a SOC 2 Type II attestation is a great accomplishment for ProntoForms – especially when you consider the Trust Services Criteria that were included in the SOC 2 Type II audit. This commitment to compliance should provide clients with assurance that ProntoForms is handling data in a secure, reliable way,” said Joseph Kirkpatrick, President of KirkpatrickPrice.

Our journey, though, doesn't end with SOC 2 Type 2 certification. A key and ongoing component of maintaining SOC 2 Type 2 compliance involves the employees at ProntoForms, from physical security in the office to acting as a human firewall against phishing attacks.

Phishing is big cybercrime business. It comes in targeted variants: phone calls, email, SMS text messages, fraudulent web pages, and misleading links. Part of our security compliance journey has involved ongoing phishing testing. Simulated phishing attacks are overseen, monitored, and addressed by KirkpatrickPrice. When ProntoForms first started its phishing program in November 2016, the baseline test had a 45.7% failure rate. At the time of writing, our phishing email failure rate has dropped sharply to a sustained 2.5%, with 71% of the remaining failures attributed to simulated emails purporting to come from HR.

FDA Title 21 CFR Part 11 Certification

We recently extended the scope of our security compliance audits to include FDA Title 21 CFR Part 11. This regulation, issued by the US FDA, sets out the criteria under which electronic records and electronic signatures (ERES) are considered trustworthy, reliable, and equivalent to paper records and handwritten signatures.

Obtaining Part 11 compliance augments our already strong HIPAA and SOC 2 Type 2 compliance story. It demonstrates that we're committed to growing our compliance footprint and that we take the security of sensitive data collected in the field very seriously. When working with compliance-sensitive companies, such as biotech, pharma, healthcare, and medical device organizations, this is imperative.

When we set out on our SaaS security journey a few years back we faced a blank slate of unknowns. We began working in manageable chunks and now, after a lot of hard work and internal training, it’s become an integral part of ProntoForms’ DNA. In 2020 and beyond, we’ll pursue ongoing compliance certifications driven by the compliance needs of the industries we serve.
