[Skip to Content]
login     1-888-282-4184 

ProntoForms Security

Security is a top priority for Prontoforms. That's why we closely follow the information security best practices prescribed by organizations like the National Institute of Standards and Technology (NIST), Cloud Security Alliance (CSA), and the SANS Institute.
Health Insurance Portability and Accountability Act Compliant
SOC2 Logo
Service Organization Control (SOC 2 Type 2) Audit Completed
ProntoForms has successfully completed the Service Organization Control (SOC2 Type 2) audit, reviewing internal controls and processes, as well as an evaluation of the organization’s controls against the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, and the Health Information Technology for Economic and Clinical Health (HITECH) Act. SOC2 Audit and HIPAA Security Rule auditor attestation available upon request

Internal Security

Every new member of the ProntoForms team is subject to a pre-hire criminal background check. We also provide our staff with ongoing security training to help guard against threats to our operational security.

We routinely assess and monitor employees, contractors and third parties who have access to systems containing customer information. Access to our controlled areas is restricted. We're careful to track, monitor and manage all of our servers/instances and infrastructure. Any employee access to customer data is controlled using single-use credentials, and distinct permission sets.


Third Party Reviews and Information

We routinely self-audit the security of our operating environments. On a bi-annual basis, we also contract to receive external penetration tests which we use to identify and promptly resolve vulnerabilities.

ProntoForms subscribes to the United States Computer Emergency Readiness Team (US-CERT), Amazon Web Services (AWS), SANS, and OWASP Top 10. These security organizations actively monitor and publish vulnerability advisories and trends related to information security. Receiving that information equips us to keep ahead of potential security concerns.


Data Security and Encryption

Data transmitted between the ProntoForms mobile applications and cloud systems is encrypted in using TLS. Information stored on our servers is encrypted with AES-256, while information stored on the native application leverages the functionality of the mobile operating systems to encrypt stored data. Our system is designed to protect against distributed denial of service attacks (DDoS). The ProntoForms native app is also compatible with a number of leading mobile device management (MDM) systems, which may apply additional data protection, and we are compliant with AppConfig’s best practice policies for EMM systems.

Customers can enable single sign-on (SSO) for mobile app and web portal access. Leading enterprise and cloud-based identity providers that support SAML 2.0 can be integrated. Google Login can also be used for SSO.

For customers not using SSO, ProntoForms enables configurable password-complexity policies. At a minimum, all passwords are hashed and salted. Passwords can only be reset, not retrieved. We send notifications when the password for a user account has been changed.

For security and distribution of our mobile applications, we work with frameworks provided by mobile platform vendors like Apple (Managed App Configuration) and Google (Android for Work). We also partner with a number of leading enterprise mobility management (EMM) vendors like MobileIron and VMWare AirWatch, who both provide secure mobile solutions.

The ProntoForms app is designed to work with pre-approved payment apps that process all credit transactions according to payment card industry (PCI DSS) regulations. These payment apps do not store any sensitive information and industry standard encryption methods are used to protect customer data.


Security Monitoring

ProntoForms continually logs event and usage data at the network, server, and application levels. All logs are aggregated and scanned using leading log management services. Log archives are maintained in a read-only state indefinately, as we never delete them. All developed code is peer-reviewed by multiple members of the engineering team using both manual and automatic testing processes.


Cloud Security

All of our cloud services are hosted on AWS, which maintains compliance with a wide range of international and industry-related standards. ProntoForms utilizes Virtual Private Clouds (VPC) within AWS to further secure network, application and database resources. Access to our VPC is restricted to core personnel in accordance with leading best practices. Any access to the VPC is protected by multi-factor authentication and robust password policies.


Solution Availability

ProntoForms has consistently maintained the availability of its cloud services above 99.9%. The ProntoForms cloud is implemented with regional redundancies, and has been designed to eliminate single points of failure. All client data is saved in redundant storage. Our operations team receives timely alerts in the event of any system performance or availability issues. All availability issues are communicated in a timely manner via our support portal.


GDPR Data Subject Rights

Click here to manage your Data Subject Rights.


Privacy Policy

Click here to view our website privacy policy.

Have questions about data security? Ask our experts.

We're always happy to answer any questions or concerns you might have around security.
Please use the form below to get in touch with our security team.


Reports and agreements are available to existing customers upon request to infosec@prontoforms.com.