Use the following questions and answers to learn more about information security at ProntoForms.
- How does ProntoForms keep my data secure?
- How is my data secured on hosted systems in the cloud?
- Is my data also secured on iOS, Android, and Windows devices?
- Can I access ProntoForms via single sign-on (SSO)?
- Has ProntoForms achieved SOC 2 compliance?
- What’s the difference between SOC 2 Type II and other compliance certifications (such as ISO)?
- Is ProntoForms HIPAA Security Rule and HITECH Act compliant?
- Can ProntoForms’ employees simply view the data in our ProntoForms account?
- Does ProntoForms screen employees prior to hiring?
- Do ProntoForms employees adhere to secure coding guidelines?
- Does ProntoForms sign data processing agreements?
- Does ProntoForms have 24/7 security incident management capabilities?
- Does ProntoForms have a disaster recovery strategy?
- What steps has ProntoForms taken to proactively mitigate Distributed Denial of Service (DDoS) attacks and other malicious attacks?
- Does ProntoForms offer any specific technology for customers who provide regulated services, such as those in the medical field?
How does ProntoForms keep my data secure?
ProntoForms takes the security of your data very seriously. Your information is encrypted in our systems—at rest and in transit—at all times. Our systems are tightly controlled through comprehensive security policies and multi-layered access control systems. ProntoForms’ critical systems are secured using an enterprise-grade corporate identity management system, including the use of multi-factor authentication and strong passwords.
We conduct ongoing compliance audits, penetration testing, and automated security scans. We offer 24/7 service operations and employ dedicated incident management teams.
How is my data secured on hosted systems in the cloud?
All customer data is encrypted with the AES-256 cipher in our cloud-hosted systems. All data in transit between customers’ apps and our cloud-hosted systems is encrypted over HTTPS using TLS.
Is my data also secured on iOS, Android, and Windows devices?
Yes. Your data is encrypted within the ProntoForms app on iOS, Windows, and Android as long as a passcode is enforced. Additionally, we recommend the use of BitLocker on all Windows devices.
Can I access ProntoForms via single sign-on (SSO)?
Yes. ProntoForms supports SSO for both mobile app and web portal access.
Has ProntoForms achieved SOC 2 compliance?
Yes. We have attained SOC 2 Type I and Type II compliance. Our SOC 3 report is available for download on our website. The detailed SOC 2 report is available under our non-disclosure agreement.
What’s the difference between SOC 2 Type II and other compliance certifications (such as ISO)?
SOC 2 Type II is a comprehensive assessment covering an ongoing period of time. ISO and similar certifications are assessments at a specific point in time. SOC 2 Type II compliance enables us to demonstrate an ongoing commitment to our internal control environment, policies, and procedures.
Is ProntoForms HIPAA Security Rule and HITECH Act compliant?
Yes. A certified third party has verified that our controls have been evaluated against the HIPAA Security Rule and HITECH Act.
It is your responsibility to ensure you have an adequate compliance program, internal processes, and that your use of ProntoForms services aligns with HIPAA and the HITECH Act. Use of ProntoForms contributes to HIPAA compliance, but does not guarantee it.
Can ProntoForms’ employees simply view the data in our ProntoForms account?
No. ProntoForms employees are prohibited—through defined organizational policies and access control systems—from viewing the data you import. Employees can access your data only after you provide explicit permission through the ProntoForms portal.
Does ProntoForms screen employees prior to hiring?
Yes. All prospective ProntoForms employees must submit to a detailed background check. The background check includes criminal, education, and past employment verification.
Do ProntoForms employees adhere to secure coding guidelines?
Yes. All ProntoForms developers are trained annually on secure coding practices (e.g., OWASP). All code is double-checked through a comprehensive code review process, which enforces secure coding standards before code goes live.
Does ProntoForms sign data processing agreements?
Yes. ProntoForms signs data processing agreements and works with customers to put a mutually agreed data processing agreement in place.
Does ProntoForms have 24/7 security incident management capabilities?
Yes. We employ a 24/7 service operations and engineering team that monitors and resolves incidents as they occur. We use industry-leading application performance monitoring and log analysis systems.
Does ProntoForms have a disaster recovery strategy?
Yes. Our disaster recovery strategy has guidelines for a competitive recovery point objective (RPO) and recovery time objective (RTO). We offer an RPO of 24 hours, which reflects the current handling of database snapshots. We offer an RTO of six hours, which reflects the time required to launch services and restore data to the recovery environment.
We test the reliability of our disaster recovery strategy every quarter.
What steps has ProntoForms taken to proactively mitigate Distributed Denial of Service (DDoS) attacks and other malicious attacks?
ProntoForms uses Amazon Web Services’ Web Application Firewall (WAF) and Shield to minimize the effects of a DDoS attack. Both WAF and Shield allow us to permit or rate-limit traffic through custom security rules. We can also define additional WAF rules to pre-emptively block a wide range of malicious requests.
Does ProntoForms offer any specific technology for customers who provide regulated services, such as those in the medical field?
Yes. ProntoForms offers many special capabilities—including, but not limited to:
- Data Pass-Through
- Enterprise Mobility Management and Mobile Device Management
- End-to-End Data Encryption
- Single Sign-On
- User Policy Management
- Authentication Management