How to Create a Secure Form
This article provides advice and instructions for FormSmarts customers to safeguard access to their account, protect the confidentiality of the data submitted through their forms, and keep data stored in their account safe.
The information in this document only applies to Business accounts. Free and Pro accounts do not support two-step verification, and form owners cannot securely access form responses online, so these accounts are not suitable for collecting personal information.
Secure Your Account
The first step towards securing your account and the data you store with FormSmarts is to prevent unauthorized access: set a strong password and enable two-step verification.
Check the Strength of Your Password
Please check the strength of your current password by typing it in the password field on FormSmarts' registration page. If the score reported by the strength meter is anything other than ‘good’ or ‘great’, change your password immediately.
Here is a password security check list to help you choose a new password:
- Passwords must contain a minimum of 8 characters and a maximum of 100 characters; 10 characters or more is recommended
- Do not use a password you already use on another site
- Do not use simple passwords based on dictionary words or character patterns like 'qwerty' or '87654321'
- MiX uPpER and loWercaSEs.
- Use numbers and special characters: ~!@#$%;(^_…
- Avoid obvious substitutions like '0' for 'o' and '1' for 'l'
- Passwords may contain non-English characters (ñ, 美, …) if your browser allows them, as well as whitespace. Whitespace is ignored at the start and end of a password.
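The checklist above can be turned into a checker that applies each rule in order. The following JavaScript is an added example written for this article, not FormSmarts' own strength meter, and its word list, keyboard-pattern list and substitution table are small constructed samples:

```javascript
// Added example: a password-policy checker that applies the checklist above.
// It is illustrative only and is not FormSmarts' own strength meter.
// The word and pattern lists are small constructed samples; a real checker uses large ones.
const COMMON_WORDS = ['password', 'welcome', 'letmein', 'admin', 'formsmarts', 'summer'];
const KEYBOARD_PATTERNS = ['qwerty', 'qwertz', 'azerty', 'asdfgh', 'zxcvbn'];
// Obvious substitutions the checklist warns about: undo them before the dictionary check,
// so that 'P@ssw0rd' is still recognised as 'password'.
const SUBSTITUTIONS = { '0': 'o', '1': 'l', '3': 'e', '4': 'a', '5': 's', '@': 'a', '$': 's', '!': 'i' };

function unsubstitute(s) {
  return [...s.toLowerCase()].map(c => SUBSTITUTIONS[c] || c).join('');
}

// True for runs of consecutive digits such as '12345678' or '87654321'.
function isSequentialDigits(s) {
  if (!/^\d{4,}$/.test(s)) return false;
  const d = [...s].map(Number);
  const step = d[1] - d[0];
  if (Math.abs(step) !== 1) return false;
  return d.every((v, i) => i === 0 || v - d[i - 1] === step);
}

// Returns { ok, rating, issues }. 'ok' means every rule passed and the recommended 10+ length is met.
// Reuse of a password on another site cannot be detected here; that rule is up to the user.
function checkPassword(raw) {
  const pw = raw.trim();           // whitespace at the start and end is ignored, as on FormSmarts
  const lower = pw.toLowerCase();
  const issues = [];

  if (pw.length < 8) issues.push('shorter than 8 characters');
  if (pw.length > 100) issues.push('longer than 100 characters');
  // \p{Lu} / \p{Ll} accept non-English letters such as ñ; 美 has no case, so it counts as neither.
  if (!/\p{Lu}/u.test(pw) || !/\p{Ll}/u.test(pw)) issues.push('mix upper and lower case');
  if (!/\p{N}/u.test(pw) && !/[^\p{L}\p{N}\s]/u.test(pw)) issues.push('add numbers or special characters');
  if (KEYBOARD_PATTERNS.some(p => lower.includes(p))) issues.push('keyboard pattern');
  if (isSequentialDigits(pw)) issues.push('sequential digits');
  if (COMMON_WORDS.some(w => unsubstitute(pw).includes(w))) issues.push('based on a dictionary word');

  let rating;
  if (issues.length > 0) rating = 'weak';
  else if (pw.length >= 14) rating = 'great';
  else if (pw.length >= 10) rating = 'good';
  else rating = 'fair';            // 8-9 characters: allowed, but 10+ is recommended
  return { ok: issues.length === 0 && pw.length >= 10, rating, issues };
}
```

The substitution step matters: 'P@ssw0rd!' satisfies the length, case and special-character rules, yet it is still rated weak because it is a dictionary word once the obvious substitutions are undone.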
To change your FormSmarts password now, visit this page.
- Do not use a password you already use on another site
- Do not share your password with anyone, if needed create sub-users to allow others to access your account
- Ensure your password is not written anywhere where it could be accessed by a third party
- Never click on ‘reset password’ requests in emails — instead go directly to the FormSmarts homepage and follow the password reset link on the login screen
- FormSmarts staff will never ask you for your password
- Turn on two-step verification
If your forms are sent to multiple email recipients that need to sign in to FormSmarts to retrieve uploaded documents, create a guest user account for each of them and only give individual users access to specific forms. Do not share your FormSmarts account admin credentials with others within your organization.
Use Two-Step Verification
We recommend you turn on two-step verification to enhance the security of your account. Two-step verification adds another layer of security to the login process, helps prevent unauthorized access to your account, and protects the data you store with FormSmarts.
Two-step authentication is required for members with forms using Advanced Protection.
Monitor & Audit the Security of Your Account
The Account Activity dashboard allows you to:
- Monitor and audit recent account activity, for both the account administrator and invited users
- Log a user out immediately
Make sure that who can access your FormSmarts account and how you secure it (e.g. password strength requirements and protection, use of multi-factor authentication) stay consistent with how you use the service.
For example, if you created a FormSmarts account to support a basic contact form or internal reporting and your usage evolved over the years to include applications collecting more personal data, make sure you upgrade how you protect your account accordingly.
Ensure Forms are Submitted via a Secure Connection
Over the last decade, the Internet has moved from a situation where only specific services like payment and login pages were offered over a secure encrypted connection (SSL/TLS), to the current situation where Internet traffic is encrypted by default.
Accordingly, older FormSmarts forms were not necessarily loaded or submitted over a secure SSL/TLS connection at the time they were created.
HTTPS uses the SSL/TLS security protocol to ensure that:
- Information is encrypted while in transit to prevent snooping by third parties
- Information is indeed submitted to and retrieved from FormSmarts servers
Most customers regularly change their online forms as their business needs evolve and naturally update the FormSmarts embed code when they refresh their website. But if the following statements apply to you, make sure you review your forms as explained in the rest of this section to ensure they only use HTTPS URLs:
- You created a FormSmarts account many years ago
- You are still using old forms
- You have embedded forms onto your website instead of linking to their FormSmarts.com URLs
Update Form URLs
To protect from the risk of a third-party accessing form data when a form is submitted, make sure the FormSmarts.com URLs or f8s.co shortened URLs you share with form users start with https://.
Note that FormSmarts' HTTP Strict Transport Security (HSTS) policy, which is pre-loaded in all modern browsers, ensures that data is only transferred to and from FormSmarts servers over a secure TLS connection, even if the URL requested starts with http://. But you should still make sure you only use HTTPS form URLs for the benefit of users with older browsers.
Update the Form Embedding Code
If you created a form and added it to your site many years ago, the URL or embed code may not be using an HTTPS URL. You'll need to update your site to change this.
If the form you would like to secure is embedded onto your site, edit the FormSmarts code snippet as follows:
- Replace http: with https: on line 2 (if https: is already there, go to the next step)
- If needed, replace http with https on line 3
<style> …
<iframe class="fs_embed" src="https://formsmarts.com/form/1o7f?mode=h5embed&lay=1" allowfullscreen="true">
<a href="https://formsmarts.com/form/1o7f?mode=h5">Can't see the form? Click here</a>.
</iframe>
If the FormSmarts embed code you're using doesn't look like the one above, please switch to the current version of FormSmarts forms.
Use the Secure URL for Standalone Forms
If you want to share a form's FormSmarts.com URL or f8s.co shortened URL with your users so they use the standalone version of a form, simply change the protocol part of the URL from http:// to https://, e.g.:
https://formsmarts.com/form/1o7f
The same applies to the shortened URL.
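If you have many forms or pages to review, the edits described in the last two sections (rewrite the src and href URLs in the embed code, and the protocol of standalone form URLs) can be checked mechanically. The following JavaScript is an added example for this article, not FormSmarts' own tooling; the list of FormSmarts hosts and the sample snippet (which mirrors the embed code above with http:// URLs and without the <style> block) are constructed here:

```javascript
// Added example: audit and rewrite FormSmarts form URLs and embed snippets so that they use HTTPS.
// This is not FormSmarts' own tooling. The host list and the sample snippet are constructed here.
const FORMSMARTS_HOSTS = new Set(['formsmarts.com', 'www.formsmarts.com', 'f8s.co']);

// Return the https:// form of a FormSmarts.com or f8s.co URL. Other URLs, and URLs that are
// already secure, come back unchanged (the same string, not a normalised copy).
function secureFormUrl(url) {
  const u = new URL(url);
  if (u.protocol !== 'http:' || !FORMSMARTS_HOSTS.has(u.hostname)) return url;
  u.protocol = 'https:';
  return u.toString();
}

// Scan an embed snippet for src="..." and href="..." attributes (lines 2 and 3 of the FormSmarts
// snippet) and rewrite insecure FormSmarts URLs. Returns the fixed snippet and a change log.
function secureEmbedSnippet(html) {
  const changes = [];
  const fixed = html.replace(/\b(src|href)="([^"]*)"/g, (match, attr, value) => {
    let secured;
    try {
      secured = secureFormUrl(value);
    } catch (e) {
      return match;                 // relative or malformed URL: not ours to rewrite
    }
    if (secured !== value) changes.push({ attr, from: value, to: secured });
    return `${attr}="${secured}"`;
  });
  return { fixed, changes };
}

// Constructed sample: an old-style snippet that still loads the form over plain HTTP.
const SAMPLE_EMBED = [
  '<iframe class="fs_embed" src="http://formsmarts.com/form/1o7f?mode=h5embed&lay=1" allowfullscreen="true">',
  '<a href="http://formsmarts.com/form/1o7f?mode=h5">Can\'t see the form? Click here</a>.',
  '</iframe>',
].join('\n');
```

Running secureEmbedSnippet(SAMPLE_EMBED) rewrites both the iframe src and the fallback link href and reports the two changes; running it again on the result reports none, so the same check can be used to confirm that a page is clean. Note that this only covers the embed code and links you control: the HSTS policy mentioned above protects users of modern browsers when an old http:// link still reaches them, which is why the HTTPS URLs matter most for older browsers.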
The Advanced Protection mode activates a number of security features on FormSmarts to protect access to your account and the data it contains.
Securing Form Responses
Data is always encrypted when you access form responses on FormSmarts or export entries to an Excel spreadsheet.
After implementing (if applicable) the changes discussed in the last section, all information transiting between form respondents and FormSmarts when someone submits a form will be exchanged using the standard secure protocol (TLS).
However, if you rely on receiving form responses by email, the connection may not always be encrypted when FormSmarts delivers the email to your mail host, depending on the host.
Risks of Receiving Form Responses by Email
There are three risks associated with receiving form responses by email:
- The risk of someone accessing the content of the email while the message is in transit from FormSmarts to your email host
- The risk of someone getting access to the data submitted on a form if the email account of one of its recipients is compromised, even years after the form was submitted (probably a far greater risk, given that most people keep messages archived in their email account forever)
- The risk of an email server being compromised (due to misconfiguration, a leak by a rogue employee or hacking), allowing an unauthorized party to access all messages hosted on the system. For example, tens of thousands of on-premise Microsoft Exchange servers were hacked in early 2021 due to a previously unknown vulnerability, allowing hackers to access all emails hosted on the affected systems.
Currently, FormSmarts uses opportunistic TLS to encrypt the connection with a form recipient's email provider:
- FormSmarts delivers email using an encrypted connection if supported by the mail host. Most mail providers nowadays support encryption (TLS), but that doesn't necessarily apply to basic email hosting offered as part of web hosting packages.
- If the destination email server does not support TLS, we deliver form responses via an insecure connection.
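The two bullet points above describe a decision the sending mail server makes from the receiving server's EHLO reply, and the same fact is recorded on the receiving side in the Received: header of the delivered message. The following JavaScript is an added example for this article, not FormSmarts' mail code; the EHLO replies and Received: headers are constructed samples using example hostnames, and the 'required' mode goes beyond what the text describes to show the alternative to falling back to cleartext:

```javascript
// Added example: how opportunistic TLS decides whether a form notification leaves encrypted,
// plus a recipient-side check on the Received: header of a delivered message.
// The EHLO replies and the Received: headers are constructed samples; not FormSmarts' mail code.

// Parse the extension keywords from an EHLO reply ("250-KEYWORD" lines, last line "250 KEYWORD").
// The first line carries the server's greeting, not an extension, so it is skipped.
function parseEhloExtensions(replyLines) {
  const extensions = new Set();
  for (const line of replyLines.slice(1)) {
    const m = /^250[- ](\S+)/.exec(line);
    if (m) extensions.add(m[1].toUpperCase());
  }
  return extensions;
}

// Decide the delivery outcome. 'opportunistic' (what the text describes) falls back to cleartext
// when STARTTLS is not offered; 'required' goes beyond the page and defers the message instead.
function planDelivery(replyLines, mode = 'opportunistic') {
  const starttls = parseEhloExtensions(replyLines).has('STARTTLS');
  if (starttls) return { starttls, outcome: 'encrypted', reason: 'server advertised STARTTLS' };
  if (mode === 'required') return { starttls, outcome: 'deferred', reason: 'TLS required but not offered' };
  return { starttls, outcome: 'plaintext', reason: 'opportunistic TLS falls back to cleartext' };
}

// Recipient-side check: the Received: header written by the receiving server records
// "with ESMTPS" (RFC 3848) when the hop used TLS, usually with the version and cipher in parentheses.
function hopUsedTls(receivedHeader) {
  const unfolded = receivedHeader.replace(/\r?\n[ \t]+/g, ' ');
  return /\bwith\s+(ESMTPSA?|UTF8SMTPS)\b/i.test(unfolded);
}

// Constructed EHLO replies from two mail hosts: one offers STARTTLS, one does not.
const EHLO_WITH_STARTTLS = [
  '250-mx.bigmail.example Hello mail.formsmarts.example',
  '250-SIZE 35882577',
  '250-STARTTLS',
  '250 8BITMIME',
];
const EHLO_WITHOUT_STARTTLS = [
  '250-smtp.cheaphost.example Hello mail.formsmarts.example',
  '250-SIZE 10240000',
  '250 8BITMIME',
];

// Constructed Received: headers as each receiving server might write them.
const RECEIVED_TLS =
  'Received: from mail.formsmarts.example (mail.formsmarts.example [192.0.2.10])\r\n' +
  '\tby mx.bigmail.example with ESMTPS id 4Abc123\r\n' +
  '\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384); Mon, 1 Mar 2021 10:00:00 +0000';
const RECEIVED_PLAIN =
  'Received: from mail.formsmarts.example (mail.formsmarts.example [192.0.2.10])\r\n' +
  '\tby smtp.cheaphost.example with ESMTP id 9Xyz789; Mon, 1 Mar 2021 10:00:00 +0000';
```

To see which case applies to your own mail host, open the raw headers of a form notification you have already received and look at the Received: line for the hop from FormSmarts to your server: "with ESMTPS" means that hop was encrypted, "with ESMTP" means it was delivered in cleartext, which is the situation Advanced Protection or encrypted email is meant to address.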
For this reason, and to address the two other risks, you can set up your forms to use Advanced Protection (1) or encrypted email.
With FormSmarts Advanced Protection, email notifications do not contain form data, but only a link allowing authorized users to access the form response on FormSmarts after signing in (if they aren't already signed in).
Advanced Protection activates a number of other security features on FormSmarts. If you would like to set up a form with Advanced Protection, please contact us.
Data storage must be enabled with Advanced Protection: since the submitted data is not shown in email notifications, it will be lost unless data storage is enabled for that form.
Secure Encrypted Email
In addition to Advanced Protection, FormSmarts can deliver form responses by encrypted email.
FormSmarts encrypted email uses asymmetric encryption (also known as public-key cryptography) to encrypt the message before it is sent in such a way that only the form recipient can decrypt it. The email message is encrypted, not just the connection used to deliver it to its destination.
With encrypted email, a form response is encrypted in FormSmarts' backend and only decrypted by the email app on your computer or phone, once it has reached your inbox.
FormSmarts secure email is based on the S/MIME standard that is supported by most desktop and mobile email apps.
(1) Advanced Protection is only available with the FormSmarts Business Max package and higher.