Customer Trust

Start your security review
View & download sensitive information
Ask for information

Overview

For Access, Must Be On: Team, Enterprise, or Government Cloud

NOTE: TX-RAMP is only in scope for Government Cloud

FormAssembly is a web-based application that is offered as a SaaS solution. Data and the type of data to be collected depends on the company using the service to collect it.

Compliance

GDPR Logo
GDPR
ISO 27001 Logo
ISO 27001
ISO 27001 SoA Logo
ISO 27001 SoA
PCI DSS Logo
PCI DSS
SOC 2 Logo
SOC 2
TX-RAMP Logo
TX-RAMP
Visa Service Provider Logo
Visa Service Provider
VPAT Logo
VPAT
StateRAMP Logo
StateRAMP
Start your security review
View & download sensitive information
Ask for information

FormAssembly is reviewed and trusted by

AetnaAetna
Boston Medical CenterBoston Medical Center
CVS HealthCVS Health
Epic GamesEpic Games
Harvard Business SchoolHarvard Business School
UnitedHealth GroupUnitedHealth Group

Documents

All
Public
Private
Pentest Reports
ISO 27001
PCI DSS
SOC 2
Cyber Insurance
ISO 27001 Report
Network Diagram
PCI DSS
ISO 27001 SoA
VPAT
CAIQ STAR Security Questionnaire
HECVAT Full
HECVAT Lite
OWASP Questionnaire
SIG Lite
VSA Full
Access Control Policy
Asset Management Policy
Breach Investigation and Notification (BIN) Policy
Business Continuity and Disaster Recovery
Change Management
Compliance Audits and Communications
Data/Media Management Policy
Encryption Policy
HR & Personnel Security Policy
Incident Response Policy
Information Security Policy
Mobile Device Security and Media Management
Other ISO/IEC 27001 Documents
Risk Management and Risk Assessment
Secure Software Development and Product Security
System Audits, Monitoring and Assessments
Third Party Security Policy
Third Party Security, Vendor Risk Management
Threat Detection and Prevention Policy
Vulnerability Management
Code of Conduct
Disaster Recovery Test
HIPAA Self Assessment
Information Security Organization Chart

Risk Profile

Data Access LevelRestricted
Impact LevelModerate
Recovery Time Objective24 hours
View more

Product Security

Audit Logging
Data Security
Integrations
View more

Reports

ISO 27001 Report
Network Diagram
PCI DSS
View more

Self-Assessments

CAIQ STAR Security Questionnaire
HECVAT Full
HECVAT Lite
View more

Data Security

Access Monitoring
Backups Enabled
Data Centers & Physical Security
View more

App Security

Responsible Disclosure
HackerOne Mark
Bot Detection
Code Analysis
View more

Legal

SubprocessorsClearbitGoogleSalesforceNew RelicSaaSOptics
Customer Audit Rights
Cyber Insurance
View more

Data Privacy

Cookies
Data Breach Notifications
Data Privacy Officer
View more

Access Control

Data Access
Logging
Password Security

Infrastructure

Status Monitoring
Amazon Web Services
Anti-DDoS
View more

Endpoint Security

Disk Encryption
DNS Filtering
Endpoint Detection & Response
View more

Network Security

Data Loss Prevention
DNSSEC
Firewall
View more

Corporate Security

Asset Management Practices
Email Protection
Employee Training
View more

Policies

Access Control Policy
Asset Management Policy
Breach Investigation and Notification (BIN) Policy
View more

Security Grades

SecurityScorecard
FormAssembly App
Security Scorecard A grade
FormAssembly Enterprise
Security Scorecard A grade
HSTS Preload List
FormAssembly App
ImmuniWeb
FormAssembly CC
A
FormAssembly EC
A
FormAssembly App
A
View more

Knowledge Base

  • Are the policies and procedures reviewed and updated at least annually?
  • Are business continuity management and operational resilience policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained?
  • Are application security policies and procedures reviewed and updated at least annually?
  • Are application security policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained to guide appropriate planning, delivery, and support of the organization's application security capabilities?
  • Is compliance verified regarding all relevant standards, regulations, legal/contractual, and statutory requirements applicable to the audit?
View more

Trust Center Updates

FormAssembly 2023 ISO 27001:2013

ComplianceCopy link

FormAssembly has successfully completed an audit for ISO 27001 covering FormAssembly. The organization worked with A-LIGN to perform a detailed audit of its controls as they relate to ISO 27001.

  • Original Certification Date: June 14, 2021
  • Recertification Date: July 18, 2023
  • Expiry Date: June 14, 2024

A-LIGN Compliance and Security, Inc. certifies that the organization operates an Information Security Management System that conforms to the requirements of ISO/IEC 27001:2013.

The certificate and report can now be downloaded in the portal.

Published at N/A

FormAssembly 2023 SOC 2 Type 2

ComplianceCopy link

FormAssembly's controls are assessed by A-LIGN, who specialize in compliance across multiple industries, on an annual basis.

FormAssembly annually performs a SOC-2 Type-2 assessment. Our most recently available report covers from December 1, 2022 - May 31, 2023. An updated review period is scheduled with our auditors, and we expect an updated report to be available in mid-2023.

The SOC 2 report includes management’s description of FormAssembly’s trust services and controls as well as A-LIGN’s opinion of FormAssembly’s system design. You can find it under the Reports section of this Security Portal.

We maintain a SOC 2 Type 2 certification as a result of this regular audit activity and can share the most recent SOC 2 report with our customers upon request and under a non-disclosure agreement. The SOC 2 is a report based on the Auditing Standards Board of the American Institute of Certified Public Accountants' (AICPA) existing Trust Services Criteria (TSC). The purpose of this report is to evaluate an organization’s information systems relevant to security.

The scope of this report covers controls supporting the FormAssembly App and Enterprise/Compliance plans.

Published at N/A

Updated Policies Added

ComplianceCopy link

The following policies had be updated and added back to the security portal:

  • Access Control
  • Breach Investigation and Notification (BIN)
  • Compliance Audits and Communications
  • Data/Media Management
  • Encryption
  • Information Security
  • Mobile Device Security and Media Management
  • Risk Management and Risk Assessment
  • Secure Software Development and Product Security
  • System Audits, Monitoring and Assessments
  • Third Party Security
  • Threat Detection and Prevention
  • Vulnerability Management
Published at N/A

The following policies had be updated and added back to the security portal:

  • Business Continuity and Disaster Recovery
  • Business Continuity and Disaster Recovery Plan
  • Incident Response Policy
Published at N/A

Version 4.04 of CAIQ Security Questionnaire

ComplianceCopy link

Version 4.04 of CAIQ Security Questionnaire has been uploaded and is ready for download.

Published at N/A

Version 3.03 of Higher Education Community Vendor Assessment Toolkit

ComplianceCopy link

HECVAT Lite Version 3.03 is now in the FormAssembly Customer Trust Portal

Published at N/A

Version 3.03 of Higher Education Community Vendor Assessment Toolkit has been uploaded and is ready for download.

Published at N/A

ISO 27001 Surveillance Assessment Year 2 Final Report

ComplianceCopy link

FormAssembly's ISO 27001 Surveillance Assessment Year 2 Final Report is now available to request and download.

Published at N/A

FormAssembly SOC 2 Type 2 Report

ComplianceCopy link

FormAssembly's SOC 2 Type 2 Report is now available to request and download.

Published at N/A

If you need help using this Trust Center, please contact our Cybersecurity Risk team.

Contact Support

If you think you may have discovered a vulnerability, please send us a note.

Report Issue
Powered bySafeBase Logo