ProntoForms Security

Security is a top priority for Prontoforms. That's why we closely follow the information security best practices prescribed by organizations like the National Institute of Standards and Technology (NIST), Cloud Service Alliance (CSA), and the SANS Institute.

Internal Security

Every new member of the ProntoForms team is subject to a pre-hire criminal background check. We also provide our staff with ongoing security training to help guard against threats to our operational security.

We routinely assess and monitor employees, contractors and third parties who have access to systems containing customer information. Access to our controlled areas is restricted. We're careful to track, monitor and manage all of our servers/instances and infrastructure. Any employee access to customer data is controlled using single-use credentials, and distinct permission sets.

 

Third Party Reviews and Information

We routinely self-audit the security of our operating environments. On a bi-annual basis, we also contract to receive external penetration tests which we use to identify and promptly resolve vulnerabilities.

ProntoForms subscribes to the United States Computer Emergency Readiness Team (US-CERT), Amazon Web Services (AWS), SANS, and OWASP Top 10. These security organizations actively monitor and publish vulnerability advisories and trends related to information security. Receiving that information equips us to keep ahead of potential security concerns.

 

Data Security and Encryption

Data transmitted between our native application and cloud systems is encrypted in transit using SSL. Information stored on our servers is encrypted with AES-256, while information stored on the native application leverages the functionality of the mobile operating systems to encrypt stored data. Our system is designed to protect against distributed denial of service attacks (DDoS). The ProntoForms native app is also compatible with a number of leading mobile device management (MDM) systems, which may apply additional data protection, and we are compliant with AppConfig’s best practice policies for EMM systems.

All data records are kept in the ProntoForms cloud for 45 days from their date of creation, after which time they will be archived and retained for as long as Your account is active. Optionally, customers can enable “data pass-through”, which greatly restricts the footprint and duration of time that data is stored by ProntoForms.

Customers can enable single sign-on (SSO) for mobile app and web portal access. Leading enterprise and cloud-based identity providers that support SAML 2.0 can be integrated. Google Login can also be used for SSO.

For customers not using SSO, ProntoForms enables configurable password-complexity policies. At a minimum, all passwords are hashed and salted. Passwords can only be reset, not retrieved. We send notifications when the password for a user account has been changed.

For security and distribution of our mobile applications, we work with frameworks provided by mobile platform vendors like Apple (Managed App Configuration) and Google (Android for Work). We also partner with a number of leading enterprise mobility management (EMM) vendors like MobileIron and VMWare AirWatch, who both provide secure mobile solutions.

The ProntoForms app is designed to work with pre-approved payment apps that process all credit transactions according to payment card industry (PCI DSS) regulations. These payment apps do not store any sensitive information and industry standard encryption methods are used to protect customer data.

 

Security Monitoring

ProntoForms continually logs event and usage data at the network, server, and application levels. All logs are aggregated and scanned using leading log management services. Log archives are maintained in a read-only state indefinately, as we never delete them. All developed code is peer-reviewed by multiple members of the engineering team using both manual and automatic testing processes.

 

Cloud Security

All of our cloud services are hosted on AWS, which maintains compliance with a wide range of international and industry-related standards. ProntoForms utilizes Virtual Private Clouds (VPC) within AWS to further secure network, application and database resources. Access to our VPC is restricted to core personnel in accordance with leading best practices. Any access to the VPC is protected by multi-factor authentication and robust password policies.

 

Solution Availability

ProntoForms has consistently maintained the availability of its cloud services above 99.9%. The ProntoForms cloud is implemented with regional redundancies, and has been designed to eliminate single points of failure. All client data is saved in redundant storage. Our operations team receives timely alerts in the event of any system performance or availability issues. All availability issues are communicated in a timely manner via our support portal.

 

Reporting Security Issues

If you believe you have discovered a vulnerability with ProntoForms or have a security incident to report email trust@prontoforms.com