Account Security

Modified on Wed, 18 Sep at 11:05 AM

TABLE OF CONTENTS

Verify Account
PCI Compliance
Account Security Settings
Formstack and GDPR
Two Factor Authentication
Why am I being asked for a code to log in to my Formstack account?
Formstack IP Addresses for Whitelisting
Resetting Two-factor Authentication(2FA)
Troubleshooting Two-factor Authentication Issues
Grant Temporary Access to My Account

Verify Account

Formstack requires all accounts to be verified to securely reduce spam or fraudulent activity.

Verify your account

If you are the admin who signed up for the account, find the Formstack email sent to the email address you signed up with and click the Verify Account button.

Or if you did not receive the initial verification email or are not the original admin who signed up for the account, click the Resend link in the verification banner in-app to send another verification email.

NOTE: Resending the verification email will void any verification emails previously sent.

My verification email expired

Verification emails are active for 24 hours after the account has been created. If the email was not verified during this time, log in to Formstack and select the Resend link from the verification banner to receive a new verification email.

NOTE: The verification email is sent to your email address used to sign up for the account.

I did not receive a verification email

Contact Support to have your Formstack team manually verify the account. Before opening a case, ensure the email address matches the one used for signing up and review spam or filtered folders within your inbox.

Additionally, accounts created prior to July 2023 are automatically marked as verified. There is no action needed from this subset of accounts.

Limitations for unverified accounts

Without a verified account, your account usage is limited:

Unverified Forms users

Cannot send notification or confirmation emails (must be a paid and verified account)
Cannot send test notification or confirmation emails (must be a paid and verified account)
Cannot collect submissions from non-logged-in users
Cannot collect Partial Submissions

Unverified Documents users

Cannot complete merged documents without being verified

Additional Formstack features and functionality may only be accessed once an account has been purchased.

PCI Compliance

What is PCI Compliance?

Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards any company that intends to accept or process card payments must follow.

What changes will I experience using a PCI Compliant Formstack?

Password Length Minimum - We now require a password that’s at least 6 characters in length. Users with a shorter password will be required to reset their passwords upon next login. See below for additional security requirements if you need to be PCI Compliant.
Logging In - Users will now be locked out of their accounts for 30 minutes after 6 failed login attempts.
iFraming Admin Pages - Formstack now blocks any /admin/ pages from being displayed in iFrames. If you or your users have been displaying shared reports with others via iFrames this will no longer work.
More Account Security Settings - We’re providing more granular control over password and session time settings. See more information here.

What steps must I take to ensure my Formstack Account is PCI Compliant?

Be sure you’re processing payments using our secure Credit Card Field and a Payment Processor integration.
- If you need to securely collect full credit card data, please contact our Support team to discuss your options.
- Do not collect customer credit card information using short answer or number fields
- Be sure to follow your PCI obligations, if any.
Enable the following password settings:
- Minimum length for a password - 7 characters (will trigger a password reset for users)
- Require both numeric and alpha characters - On (will trigger a password reset for users)
- Require users to change password every 90 days - On
- Do not allow users to set a password the same as their previous 4 passwords - On
- (If the above 90-day change requirement is ON)
Set your account session time (the time period an account can stay logged in while idle) to 15 minutes

These settings are available on the Account Security Settings page located in your Account Admin user’s profile menu.

Account Security Settings

Platform Admins can set account-wide security settings such as password requirements, session duration, and 2FA. Security settings set on the screen in the image below (the main “Security Settings” section of your Admin Panel) will be applied to all products and users on the account. Force_2FA1.1.png

Password Settings

Admins can determine four different settings regarding user passwords:

Minimum Length (6 as the default/minimum accepted) setting
Alpha + Numeric characters both required (off by default)
Require password change every 90-days (off by default)
Password must be different than previous four passwords (off by default)

Session Time Settings

This setting determines how long a session can remain inactive before timing out and forcing the user to log back in. The options available for the timeout settings include, 15 or 30 minutes, 1, 2, 4 (default setting), 6, 8, 12, and 24 hours.

Forcing Two-Factor Authentication

Under the “Account Security” header, you as a Platform Admin can enable two-factor authentication (2FA) for all users.

To enable this functionality, click on the toggle.

At that point, a modal will popup to confirm this action. If you want to confirm, select “Yes, Force Login Via 2FA”

After you select “Yes…” you will return to the “Security Settings” screen, where you need to select “Save Changes” in the top right corner.

At that point, any changes made will be reflected on all accounts.

If you want to set 2FA up for you individual account, click here .

The General Data Protection Regulation, or GDPR, is an impactful data privacy law update. The EU regulation significantly enhances the protection of personal data for EU citizens. Read more on GDPR Compliance in the Formstack Trust Center.

To meet the security compliance standards of the GDPR, Formstack has taken measures to ensure you have complete control of the information you collect, store, and manage with Formstack.

Data Processing Addendum: A standard, pre-signed copy of our DPA is available to download directly from your profile.
Privacy Policy Updates: We've updated our Privacy Policy to ensure you know exactly what we're doing with your data.
International Data Transfers: We comply with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework.
Incident Management: Formstack's engineers are on-call 24/7 and receive monitoring alerts regarding any incident.
Data Accessibility: You have full control of the information you collect with Formstack. Contact us to learn more.

Learn how online forms can help you fast-track compliance by downloading our easy-to-use guide.

Additionally, Formstack provides a Standard BAA for all Formstack for Healthcare accounts/plans. Custom BAA requests are evaluated on a case-by-case basis. Request a BAA here.

Two Factor Authentication

Your Formstack account password
An authentication code sent to a mobile device via an app like Duo or Authy, or SMS

Note - Turning on 2FA makes it harder for anyone to access your account without your permission.

Once 2FA is set up, upon login, Formstack will send an authentication code to the user’s mobile device. Depending on the selected delivery method, the code will either be generated by an application on your mobile device or sent as a text message (SMS).

You must have both the user’s Formstack password and the authentication code. We strongly encourage users to turn 2FA on for the safety of their accounts. If you’re an admin, see how to force this functionality for all users on in your org.

Enabling Two-Factor Authentication

Org Admins can enable 2FA on their Profile pages by navigating to their Admin page by selecting “Administration” in the product switcher. Alternatively, you can navigate directly to the Admin page using https://admin.formstack.com.

CleanShot%202024-04-24%20at%2012.13.26.jpeg

Org Standard Users can navigate to the Admin page by clicking on their name in the app header and selecting ‘Update Your Profile’

CleanShot%202024-04-24%20at%2012.19.56.jpeg

Next, From the“Your Profile” page and scroll down to the “Profile security” section. From there, select toggle Two-factor authentication on.

CleanShot%202024-04-24%20at%2011.03.21.jpeg Next, follow the directions on the screen to set up 2FA with an authenticator app

Choosing an Authenticator App

You can set up 2FA using a variety of authenticator apps. Here are a few that are widely used:

Google Authenticator (Android/iPhone/BlackBerry)
Duo Mobile (Android/iPhone)
Authy (iOS, Android, Blackberry, Mac, Windows, Linux)
Amazon AWS MFA (Android)
Authenticator (Windows Phone)

Once you’ve downloaded the app to your device,, open the app and scan the provided QR code when directed.

Note: If the QR code is not accepted by your app you can produce a shared key by clicking on the link next to the QR code and type the code manually into the app instead.

Finally, enter the authentication code generated by the app and click ‘Verify code

Once the code is successfully verified, The setup process is complete.

Setting up 2FA using SMS

You also have the option to set up 2FA using SMS, which is more convenient but less secure than using an authenticator app.

CleanShot%202024-04-24%20at%2011.09.37.jpeg

Click the ‘Authenticate via SMS link at the bottom of the setup modal. Then, enter your phone number.

CleanShot%202024-04-24%20at%2011.10.15.jpeg

When you click “Next”, a text message will be sent to the phone number you entered with a 6-digit code. Enter that code into the modal and click ‘Verify code’.

If you do not receive a text message within a minute, click the ‘Resent code’ link as shown below.

CleanShot%202024-04-24%20at%2011.14.10.jpeg

The setup process is complete once you’ve verified the code.

Setting up Backup Options

Now that you've enabled two-factor authentication it's important to have a backup plan just in case you forget to take your phone out of your pocket before jumping in the pool or decide to do your own "Will it Blend?" test at home.

CleanShot%202024-04-24%20at%2011.19.18.jpeg

If you set up two-factor authentication using an app click the "View Backup Verification Codes" button and copy them down in a safe place somewhere other than your phone.

For a universal back up option, click the "Setup a Backup SMS Number" and enter a different mobile phone number than the one you are currently using to receive authentication code texts.

Changing Two-Factor Authentication Methods

Changing Two-Factor Authentication is easy! Just return to your profile settings and click the pencil icon next to the Two-factor authentication setting.

CleanShot%202024-04-24%20at%2011.22.23.jpeg

Then, follow the directions above to either set up 2fa with an authenticator app or SMS text messaging.

Removing Two-Factor Authentication Methods

While not advised, you can remove two-factor authentication by simply clicking the toggle OFF next to the setting on your profile page off.

Note: If your Organization Admin requires all users on your account to have 2FA turned on, you will not be able to toggle this setting off.

Why am I being asked for a code to log in to my Formstack account?

To prevent unauthorized access to your account, a verification code will be sent to the email address associated with your user if the following are true:

You haven’t logged in to your Formstack account in 90 days
You don’t have two-factor authentication (2FA) turned on

CleanShot%202024-04-25%20at%2011.57.11.jpeg

You will need to enter the code within an hour of receiving it to login to your account or you’ll need to request a new code.

To avoid the need to go through this process in the future turn on two-factor authentication (2FA) in your profile settings.

What if I received an email with a verification code, but I didn’t log in?

If you received an email from Formstack with a verification code but you did not attempt to log in, your Formstack credentials may be compromised and we strongly suggest that you reset your password.

What if I logged in and was asked to enter a code but I never received the verification email?

First, check your spam folder to make sure emails from Formstack are not going directly there. If your search comes up empty, please reach out to our Support team so they can help restore your access. Be prepared to answer questions that will help us verify your identity such as information about the contents of your account, the billing of your account, or other users on your account.

Formstack IP Addresses for Whitelisting

If your organization utilizes a firewall or other security mechanisms to only grant access to certain IP addresses, you’ll need to whitelist the IP addresses to ensure optimal usage of Fromstack products (i.e. Forms, Documents, Sign). This list is subject to change in the future. To stay up to date with future IP address changes, sign up for Formstack updates on the Formstack Status Page.

Formstack Forms IPs

Add the following IP addresses to your allow list to ensure proper Formstack Forms functionality:

52.71.30.102
3.227.148.190
44.196.66.47
54.69.216.81
52.37.95.20
52.24.103.36

Formstack Documents Server IPs

Adding the following IP addresses to your allow list will ensure proper Formstack Documents functionality:

35.161.145.189
44.232.178.116
44.208.250.1
54.156.32.206
54.80.153.135
54.187.70.0 - 54.187.70.255
34.213.28.0 - 34.213.28.255
52.34.185.0 - 52.34.185.255
44.238.71.140
44.233.97.41

Formstack Documents Email IPs

Incoming emails from Formstack Documents will come from one of these IP Addresses which should be whitelisted to ensure delivery of emails from the Documents platform:

167.89.85.149
149.72.164.215

Note: If you’re using your own SMTP servers, data will come from a Server IP.

Resetting Two-factor Authentication(2FA)

Note: Organization Admins can reset 2FA for all types of users while Org Standard users can only do so for other Standard users. When 2FA is reset, it will no longer be active on the user’s account, so setting it back up should be the priority of the user.

Resetting 2-factor Authentication

There are two ways to reset 2FA for a user:

From the user’s profile page
From the Users page

Resetting 2FA from the user’s profile page

From the Admin Panel, navigate to the user’s profile page who requested the reset.

Scroll down to the Profile Security section and find 2-factor authentication setting.

Click Reset next to the 2-factor authentication setting.

Confirm that you want to reset 2FA

Resetting 2FA from the Users page

From the Admin Panel, navigate to the Users page
Find the user who requested the 2FA reset
Click the Actions menu icon on the right of the user
Select ‘Reset 2FA’

5. Confirm that you want to reset 2FA

Note: It is not possible to reset 2FA for yourself in this manner.

Once 2FA has been reset for the user, they will receive an email notification letting them know that 2FA has been reset for their user and that they should turn 2FA back on as soon as possible. If 2FA is required for the organization, the user will be required to set 2FA back up on their next login.

Resetting 2FA for the only Admin on the account

If 2FA needs to be reset for the sole Admin on the account and the Admin does not have access to their backup codes, they must reach out to Formstack Support for assistance with resetting their 2FA.

Troubleshooting Two-factor Authentication Issues

If you or a user on your account is having trouble with two-factor authentication, we recommend using the following troubleshooting methods before contacting support for further assistance:

1. Use a backup code

Formstack provides users with backup codes when setting up 2FA using either an authentication app or SMS. These are important to keep handy in the event that your two-factor authentication device is lost or no longer functions as they can take the place of the code that is auto-generated by your auth app or sent to your device via SMS.

To view, download, or regenerate your backup codes, login to your account, visit your profile page in the admin panel, and click the ‘backup codes’ link under your 2FA security settings.

2. Contact an org administrator on your account to reset 2FA for your user

There may be situations where your two-factor authentication (2FA) device gets lost or no longer functions and you can’t log in to your 2FA-protected Formstack account. If this occurs, Organization Admins and Org Standard users with User Management permissions can reset 2-factor authentication (2FA) for you and other users in their organization who don’t belong to another organization. Learn more here.

Note: Organization Admins can reset 2FA for all types of users while Org Standard users can only do so for other Standard users. When 2FA is reset, it will no longer be active on the user’s account, so setting it back up should be the priority of the user.

3. Are you the only admin on your account? Contact Support.

If you are the only Org Admin of your account and have not previously saved your backup codes, you will need to contact our Support team in order to access your Formstack account again if your 2FA set up is not working properly.

Please be ready to provide your Support representative with key identifying information such as billing information in order to verify your identity and gain access to your account quickly.

Grant Temporary Access to My Account

Here is how to grant your Formstack Support Team temporary access to your organization’s account to troubleshoot and review features.

The feature is located within your profile settings in the Admin Panel. You can access this page directly by clicking your name in the header of any application and clicking ‘Update your profile’. You can also go directly there by logging into the admin panel at https://admin.formstack.com/profile.

Profile Image for Access to Formstack Profiles

Once in your profile, scroll to the section labeled “Profile security” and within that section, an option labeled, "Troubleshooting Access". Click “No Access” and select a time duration from the list. Your options are:

1 week
1 month
2 months

Note: If you select the 1 month or 2 months options you will receive a notification email every two weeks reminding you that troubleshooting access is turned on.

Granting Access for Support Profile Image

Review the agreement and select, "I understand" to allow temporary access. Moving forward, authorized Formstack Support Users can impersonate your account and view your Formstack Organization at your permission level for one month before automatically expiring.

Screenshot 2024-02-08 at 6.28.25 PM.png

Can I revoke access earlier than the expiration date?

Yes. If your troubleshooting case has been resolved earlier than the duration you set, return to your Profile tab and click “Revoke access”

Revoke Access Image

Can I extend access for longer than one month?

Access expiration cannot be set for longer than a month. If you wish to grant access longer than one month, revoke access and then re-select the 1 month option to extend access by another month.

What type of users can grant access?

Admin and Standard users may grant temporary access to Formstack and multiple persons from one account may grant access at the same time. However, Formstack Support may only access your account at your permission level. For some troubleshooting cases, it may be necessary to have an Admin’s permission to view more features.

What happens when I grant access?

Support will be granted access to your account at your permission level apart from viewing encrypted form submissions. Access to your account will be logged internally and will automatically expire after one month.

Can Formstack members view my account without my permission?

In order to troubleshoot in-app features, the access setting must be turned on to view. However, in emergency situations, authorized Formstack persons may forgo a customer’s permission to view their account. These one-off entries are logged and reviewed by Formstack’s Security and Legal teams.