
ProntoForms Security

Security is a top priority for ProntoForms. That's why we closely follow the information security best practices prescribed by organizations like the National Institute of Standards and Technology (NIST), Cloud Security Alliance (CSA), and the SANS Institute.
Health Insurance Portability and Accountability Act (HIPAA) Compliant
Service Organization Control (SOC 2 Type 2) Audit Completed
ProntoForms has successfully completed a Service Organization Control (SOC 2 Type 2) audit, which reviewed internal controls and processes and evaluated the organization's controls against the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and the Health Information Technology for Economic and Clinical Health (HITECH) Act. The SOC 2 audit report and the HIPAA Security Rule auditor attestation are available upon request.

Internal Security

Every new member of the ProntoForms team is subject to a pre-hire criminal background check. We also provide our staff with ongoing security training to help guard against threats to our operational security.

We routinely assess and monitor employees, contractors and third parties who have access to systems containing customer information. Access to our controlled areas is restricted. We track, monitor and manage all of our servers, instances and infrastructure. Any employee access to customer data is controlled using single-use credentials and distinct permission sets.


Third Party Reviews and Information

We routinely self-audit the security of our operating environments. On a bi-annual basis, we also contract external penetration tests, which we use to identify and promptly resolve vulnerabilities.

ProntoForms subscribes to security advisories and bulletins from the United States Computer Emergency Readiness Team (US-CERT), Amazon Web Services (AWS) and SANS, and tracks the OWASP Top 10. These organizations actively monitor and publish vulnerability advisories and trends related to information security, and receiving that information equips us to stay ahead of potential security concerns.


Data Security and Encryption

Data transmitted between the ProntoForms mobile applications and our cloud systems is encrypted using TLS. Information stored on our servers is encrypted with AES-256, while information stored by the native application is encrypted using the data-protection features of the mobile operating system. Our system is designed to protect against distributed denial of service (DDoS) attacks. The ProntoForms native app is also compatible with a number of leading mobile device management (MDM) systems, which may apply additional data protection, and we comply with the AppConfig Community's best-practice policies for EMM systems.

Customers can enable single sign-on (SSO) for mobile app and web portal access. Leading enterprise and cloud-based identity providers that support SAML 2.0 can be integrated. Google Login can also be used for SSO.

For customers not using SSO, ProntoForms provides configurable password-complexity policies. All passwords are stored only as salted hashes, so a forgotten password can be reset but never retrieved. We send a notification whenever the password for a user account has been changed.
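The following Python is an added illustration, not ProntoForms' own code (the page does not describe their implementation). It shows the two properties claimed above working together: a configurable complexity check, and storage of each password as a salted one-way hash that can be verified with a constant-time comparison but not reversed, which is why a password can only be reset, never retrieved. The policy values, iteration count and record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re

# Assumed policy parameters; a real deployment would make these configurable per tenant.
MIN_LENGTH = 12
CLASSES_REQUIRED = 3          # of: lowercase, uppercase, digit, symbol
PBKDF2_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; tune to ~100 ms on the auth server
ALGORITHM = "pbkdf2_sha256"


def check_policy(password: str, min_length: int = MIN_LENGTH,
                 classes_required: int = CLASSES_REQUIRED) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    class_patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    classes = sum(bool(re.search(p, password)) for p in class_patterns)
    if classes < classes_required:
        problems.append(f"uses {classes} character classes, {classes_required} required")
    return problems


def hash_password(password: str) -> str:
    """Derive a salted, slow hash and return a self-describing record: algo$iterations$salt$digest."""
    salt = os.urandom(16)  # fresh random salt per password: identical passwords yield different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{ALGORITHM}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters; compare in constant time.

    The stored record contains no information from which the password could be recovered,
    so a 'retrieve my password' feature is impossible by construction; only a reset is.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed rather than raise
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def enrol(password: str) -> str:
    """Apply the policy, then store only the hash. Raises on a policy violation."""
    problems = check_policy(password)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    record = enrol("Correct-Horse-Battery-7")      # constructed sample password
    print(record)                                  # only the salted hash is ever persisted
    print(verify_password("Correct-Horse-Battery-7", record))   # True
    print(verify_password("correct-horse-battery-7", record))   # False
```

Two points worth noting: the same password enrolled twice produces two different records because the salt is random, so an attacker who steals the database cannot spot shared passwords or use a precomputed table; and `verify_password` fails closed on a malformed record instead of raising, so a corrupted row cannot turn into an authentication bypass or an unhandled exception path.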

For secure distribution and configuration of our mobile applications, we work with the frameworks provided by the mobile platform vendors: Apple (Managed App Configuration) and Google (Android for Work). We also partner with leading enterprise mobility management (EMM) vendors, including MobileIron and VMware AirWatch, which provide secure mobile solutions.


Security Monitoring

ProntoForms continually logs event and usage data at the network, server and application levels. All logs are aggregated and scanned using leading log management services. Log archives are retained indefinitely in a read-only state and are never deleted. All code is peer-reviewed by multiple members of the engineering team, using both manual review and automated testing, before it is deployed.


Cloud Security

All of our cloud services are hosted on AWS, which maintains compliance with a wide range of international and industry standards. ProntoForms uses Virtual Private Clouds (VPCs) within AWS to segregate and secure network, application and database resources. Access to our VPCs is restricted to core personnel in accordance with leading best practices, and any such access is protected by multi-factor authentication and robust password policies.


Solution Availability

ProntoForms has consistently maintained the availability of its cloud services above 99.9%. The ProntoForms cloud is implemented with regional redundancy and has been designed to eliminate single points of failure. All client data is saved to redundant storage. Our operations team receives timely alerts for any system performance or availability issue, and all availability issues are communicated promptly via our support portal.


GDPR Data Subject Rights

Click here to manage your Data Subject Rights.


Privacy Policy

Click here to view our website privacy policy.

Frequently asked questions

How does ProntoForms keep my data secure?
ProntoForms takes the security of your data very seriously. Your information is encrypted in our systems at all times, both at rest and in transit. Our systems are tightly controlled through comprehensive security policies and multi-layered access controls. ProntoForms' critical systems are secured by an enterprise-grade corporate identity management system, including multi-factor authentication and robust password policies.

We conduct ongoing compliance audits, penetration testing, and automated security scans. We offer 24/7 service operations and employ dedicated incident management teams.
How is my data secured on hosted systems in the cloud?
All customer data stored in our cloud-hosted systems is encrypted with AES-256. All data in transit between customers' apps and our cloud-hosted systems is encrypted with TLS (HTTPS).
Is my data also secured on iOS and Android mobile devices?
Yes. Your data is encrypted within the ProntoForms app on iOS and Android, provided a device passcode is enforced; the app relies on the operating system's passcode-backed data protection.
Can I access ProntoForms via single sign-on (SSO)?
Yes. ProntoForms supports SSO for both mobile app and web portal access.
Has ProntoForms achieved SOC 2 compliance?
Yes. We have attained SOC 2 Type I and Type II compliance. Our SOC 3 report is available for download here. The detailed SOC 2 report is available under our non-disclosure agreement.
What's the difference between SOC 2 Type II and other compliance certifications (such as ISO)?
A SOC 2 Type II report attests that controls operated effectively over an observation period of several months, whereas a SOC 2 Type I report, and certifications such as ISO 27001, assess controls as they exist at the time of the audit. SOC 2 Type II compliance therefore lets us demonstrate an ongoing commitment to our internal control environment, policies and procedures.
Is ProntoForms HIPAA Security Rule and HITECH Act compliant?
Yes. A certified third party has verified that our controls have been evaluated against the HIPAA Security Rule and HITECH Act.

It is your responsibility to ensure you have an adequate compliance program, internal processes, and that your use of ProntoForms services aligns with HIPAA and the HITECH Act. Use of ProntoForms contributes to HIPAA compliance, but does not guarantee it.
Can ProntoForms' employees simply view the data in our ProntoForms account?
No. ProntoForms employees are prohibited, through defined organizational policies and access control systems, from viewing the data you import. Employees can access your data only after you grant explicit permission through the ProntoForms portal.
Does ProntoForms screen employees prior to hiring?
Yes. All prospective ProntoForms employees must submit to a detailed background check. The background check includes criminal, education, and past employment verification.
Do ProntoForms employees adhere to secure coding guidelines?
Yes. All ProntoForms developers receive annual training on secure coding practices (e.g., OWASP guidance). All code goes through a comprehensive code review process that enforces secure coding standards before it goes live.
Does ProntoForms sign data processing agreements?
Yes. ProntoForms works with customers to put a mutually agreed data processing agreement (DPA) in place.
Does ProntoForms have 24/7 security incident management capabilities?
Yes. We employ a 24/7 service operations and engineering team that monitors and resolves incidents as they occur, using industry-leading application performance monitoring and log analysis systems.
Does ProntoForms have a disaster recovery strategy?
Yes. Our disaster recovery strategy defines a competitive recovery point objective (RPO) and recovery time objective (RTO). We offer an RPO of 24 hours, which reflects the current cadence of database snapshots, and an RTO of six hours, which reflects the time required to launch services and restore data in the recovery environment.

We test the reliability of our disaster recovery strategy every quarter.
What steps has ProntoForms taken to proactively mitigate Distributed Denial of Service (DDoS) attacks and other malicious attacks?
ProntoForms uses Amazon Web Services' Web Application Firewall (WAF) and AWS Shield to minimize the effects of a DDoS attack. AWS WAF lets us permit, rate-limit or block traffic through custom security rules, and Shield provides DDoS protection for the underlying infrastructure. We can also define additional WAF rules to pre-emptively block a wide range of malicious requests.
Does ProntoForms offer any specific technology for customers who provide regulated services, such as those in the medical field?
Yes. ProntoForms offers a number of capabilities relevant to regulated environments, including but not limited to:
  • Data Pass-Through
  • Enterprise Mobility Management and Mobile Device Management
  • End-to-End Data Encryption
  • Single Sign On
  • User Policy Management
  • Authentication Management

Have questions about data security? Ask our experts.

We're always happy to answer any questions or concerns you might have around security.
Please use the form below to get in touch with our security team.

Reports and agreements are available to existing customers upon request to infosec@prontoforms.com.