Entrusting your data to a third-party service provider requires rigorous security measures. The security and integrity of your data is critically important for us, and we’ve built our services around this idea. A risk assessment is repeated at regular intervals and those assessments provide security measures and controls to reduce the risks to an appropriate level.

This article describes the technologies and processes that we use to secure your data, and explains our security culture. We need to be clear and understandable from a legal perspective – unfortunately that doesn’t always make for the simplest explanations. If you find anything hard to understand, please get in touch using the Contact Support button at the bottom of this page.

Security organization

Typeform has an information security department specifically responsible and accountable for security administration. The Security department directly manages and oversees risk assessment, development of policies, standards, and procedures, testing, and security reporting processes.

A security committee, formed by the highest-level decision and management in the Organization in matters related to information security is in place. The Security Committee assumes responsibility for ensuring compliance with the corporate security principles, to define the initiatives that in matters of security and continuity of the business are rushed in the company and to ensure the security within the company and the platform.

Physical security

Typeform’s infrastructure is hosted by Amazon Web Services (AWS). Our main servers are located in Virginia, USA and backup servers are located in Frankfurt, Germany. They are compliant with security and privacy standards.

Our offices and facilities also include 24 hour access monitoring, cameras, visitor logs and physical security controls following industry best practices.

Network security

All our environments are hosted in a Virtual Private Cloud (VPC) in Amazon Web Services. Our production networks are separated between public and internal services. No inbound internet traffic is allowed on the private subnets, and all application servers only reside in private subnets without public IP addresses. Only Amazon managed and maintained load balancers have ingress access to the application internal servers. Tight security groups control inbound and outbound access to the servers.

Firewalls, Intrusion Detection Systems, Web Application Firewalls, and other security state of the art perimetral controls are installed at the edge locations to provide an additional layer of internal and external network security.

In short, all the networks we use are as secure as we can manage. Access to our servers we use is strictly limited, and no outside traffic is permitted on them.

Access control

Access to Typeform resources is only permitted through secure connectivity (e.g.,VPN, SSH bastions) and multi-factor authentication. We follow the principle of least privilege, and every single access is audited, tracked and monitored to ensure that employees only have the permissions necessary to perform their duties.

This means employees can only access Typeform systems with an extra-secure connection. As soon as anyone leaves the company, their access is blocked.

Security policies and awareness

We have a comprehensive set of information security policies following the ISO 27001 standard to ensure compliance, and to guide our employees and contractors in making the right security decisions. Examples include a password policy, data protection and classification of information policy, security in communications, continuity and contingency plans, acceptable use policy on workstations and mobile devices and backup policy amongst others. We review and update them at least annually or when a relevant change is done.

We have non-disclosure agreements with all employees and contractors, and run various security awareness training courses within the company. All our service providers and contractors processing the personal data you have entrusted us are required to sign data processing agreements in line with European data protection laws, and ensuring an adequate level of protection.

This all means that all of us here at Typeform follow internal security guidelines. We get training on these, and they are updated regularly.

Penetration tests

As part of our security strategy, we hire well recognized security research firms to perform penetration tests on our platform. Vulnerabilities and findings are ranked according to severity and prioritized accordingly.

This means we allow security experts to come in and test the limits of our security infrastructure, to help us find any weaknesses.

Data protection measures

Once your information enters Typeform’s systems, it’s secured with multiple levels of encryption and access controls. We encrypt your data in-transit (end-to-end, including within the virtual private cloud at AWS) using secure TLS cryptographic protocols (TLS 1.2) and Advanced Encryption Standard (AES) is used with a 256-bit key to encrypt data at rest including the backups of the information.

All workstations and Typeform devices are fully encrypted to guarantee the confidentiality of the information they contain.

Access to customer data is restricted based on role: only the minimum authorized employees have access to data. Every single access to the repositories of information is audited and controlled.

Access is revoked immediately upon employee termination.

Data is retained for as long as necessary in respect of the purposes for which it was collected and according to the applicable laws. You can request to delete your data at any time.

Typeform is designed to be both scalable and fault-tolerant. If one machine fails, another will be ready to take over immediately. This redundancy is found in all levels of the platform.

Also in alignment with AWS best-practices, a Multi-availability Zone architecture is in place. Should an entire Availability Zone fail, remaining machines in the functioning availability zone have the capacity to run the entire service.

Redundant backups of critical data are also in place and moved to a different account to ensure business continuity in case of disaster.

Typeform implements different integrity security controls on its services and servers to maintain the quality, the accuracy and completeness of data over its entire lifecycle.

Compliance

The Typeform platform uses a company called Stripe to accept or process credit card information securely in accordance with these standards, always using the Payment question.

The use of Stripe ensures compliance with the Payment Card Industry’s Data Security Standards (PCI DSS 3.2) and the Revised Directive on Payment Services (PSD2) In addition, our platform is hosted on Amazon Web Services, which is certified in various frameworks from SOC2 to ISO27001. Typeform is currently working towards achieving official certification in these frameworks, and continues to apply them in practice.

Read more about GDPR compliance.

Security monitoring and auditing

Typeform collects application, infrastructure and systems logs in a centrally managed log repository for monitoring, troubleshooting, security reviews, and analysis by authorized personnel. Logs are preserved in accordance with regulatory requirements to assist in the case of a security incident.

Data retention

Customer data is retained for as long as necessary in respect of the purposes for which it was collected and according to the applicable laws. In addition, by law, we are obliged to keep some data for indefinite periods of time. However, in the event you would like your data to be completely removed from the Typeform platform, you can request us to delete your data at any time through our standardized process and procedure.

Asset management

Typeform maintains an asset management policy including an identification, classification, retention, and disposal of information and assets. Typeform devices are equipped with full hard disk encryption and up-to-date antivirus software. Only Typeform and verified devices are allowed to access corporate networks.

Information security incident management

Typeform has a security incident response policy and procedures associated to provide a full set of actions to deal with security incidents and provide initial response, investigation, and customer and authorities notification according the applicable laws

We are committed to keeping our customers fully informed of any matters relevant to the security of their account and to providing customers all information necessary for them to meet their own regulatory reporting obligations.

Continuity

Typeform has concrete contingency and continuity plans defined according to the risks analysis performed. In the event of an emergency, the specific contingency plan is ready to enable the continuation of critical business processes while protecting the integrity of the data while an organization operates in emergency mode.

Development

Our development team employs secure coding techniques and best practices, focused around the OWASP Top Ten under the supervisión of the security department. Developers are periodically trained in secure practices upon hire.

Test and production environments are isolated and separated. All changes are reviewed for performance, audit, and security purposes before getting fully applied to the production environment. Typeform never uses real data in the development and test environments.

Shared responsibility

Protecting access to your data and responses requires that as Typeform customer, you maintain the security of your account by using secure passwords and protecting them as necessary. Find out more about good password behavior.