SECURITY PRACTICES SUMMARY
Forma is on a mission to help companies build great workplace culture, without needing a team of hundreds. To do that, we need to make sure your data is secure, and protecting it is one of our most important responsibilities. Capitalized terms not defined herein shall have the meaning set forth in the Terms and Conditions.
1. ORGANIZATIONAL SECURITY
Forma is establishing an state-of-the-art security program, dedicated to ensuring customers have the highest confidence in our custodianship of their data.
2. PERSONNEL SECURITY
Forma’s personnel practices apply to all members of the Forma workforce (“workers”)—regular employees and independent contractors—who have direct access to Forma’s internal information systems (“systems”) and / or unescorted access to Forma’s office space. All workers are required to understand and follow internal policies and standards.
Before gaining initial access to systems, all workers must agree to confidentiality terms, pass a background screening, and attend security training. This training covers privacy, security and data protection topics, including device security, acceptable use, preventing malware, physical security, data privacy, account management, and incident reporting.
Upon a worker’s termination of work at Forma, all of the worker’s access to Forma systems is removed immediately. Forma enforces Single Sign On to various Forma systems where applicable, and access to Single Sign On is revoked upon employee termination. Forma also maintains a record of personnel with the level of access to Forma’s systems and the roles assigned to such personnel; this record is audited for accuracy upon a worker’s termination.
3. POLICIES AND STANDARDS
Forma maintains a set of policies, standards, procedures and guidelines (“security documents”) that provide the Forma workforce with the “rules of the road” for operating Forma’s information security management system (ISMS). Our security documents help ensure that Forma customers can rely on our workers to behave ethically and for our service to operate securely. Security documents include, but are not limited to:
● Fair, ethical, and legal standards of business conduct
● Acceptable uses of information systems
● Classification, labeling, and handling rules for all types of information assets
● Practices for worker identification, authentication, and authorization for access to system data
● Secure development, acquisition, configuration, and maintenance of systems
● Workforce requirements for transitions, training, and compliance with ISMS policies
● Use of encryption
● Description, schedule, and requirements for retention of security records
● Planning for business continuity and disaster recovery
● Classification and management of security incidents
● Control of changes
4. SECURED BY DESIGN
Forma assesses the security risk of each software development project according to our Secure Development Lifecycle. Before completion of the design phase, the engineering team undertakes an assessment to qualify the security risk of the software changes introduced.
This risk analysis leverages the Open Web Application Security Project (OWASP) Top 10 to categorize every project as High, Medium, or Low risk. Based on this analysis, our engineering team creates a set of requirements that must be met before the resulting change may be released to production.
All code is checked into a version-controlled repository. Code changes are subject to peer review and continuous integration testing. Significant defects identified by this process are reviewed and followed to resolution by the engineering Team.
5. CONTROLLING SYSTEM OPERATIONS
Forma controls changes, especially changes to production systems, very carefully. This covers any and all changes to hardware, software or applications. It also includes modifications, additions or changes to the LAN/WAN, network or server hardware and software.
Changes potentially impacting customer data are documented, tested, and approved before deployment. Forma appoints on-call personnels to run health checks, network scans and vulnerability assessments after the change has taken place to ensure system integrity.
If the change affects SLA, such as scheduled maintenance or service upgrades, customer would be notified prior to the scheduled change.
6. FILE CHANGE MANAGEMENT
Forma maintains the configuration of its production servers by using a configuration management system (CMS) that runs frequently to check that only the authorized version of key are deployed.
7. AUDITS, COMPLIANCE AND 3RD PARTY ASSESSMENTS
Forma has contracts with third parties to conduct external penetration test and vulnerability scans. Reports and findings are available upon request (subject to any applicable confidentiality terms and other conditions included in agreements with our customers).
8. AUDIT & LOG
All access to Forma’s internal system are logged on the application and the infrastructure level.
Information logged includes, without limitation, the following:
● unique identifier (email, id) of user, if available
● device used
● all commands directly initiated by the user
● all identification and authentication attempts
● files and resources accessed.
In Forma’s hosted environments, control of network devices is achieved by the hosting provider. For that reason, Intrusion Detection / Intrusion Prevention are performed using host-based controls. For example, Forma logs, monitors, and audits system calls and has created alerts for system calls that indicate a potential intrusion. Forma may, immediately upon notice to its customers, suspend access to any service, at its discretion for a threat to the technical security or technical integrity of any services provided to its customers or the Forma platform.
9. PENETRATION TESTING
Forma conducts regular application-level internal penetration testing. Results of these tests are shared with Forma’s management. Forma’s engineering team reviews and prioritizes the reported findings and tracks them to resolution.
10. LEGAL COMPLIANCE
Forma engages dedicated legal and compliance professionals with extensive expertise in data privacy and security. Forma also has a business code of conduct that documents Forma’s legal, ethical and socially responsible choices and actions which are fundamental to our values and defines standards for meeting those goals.
11. DATA REQUEST
Individuals seeking access to or removal/deletion of Customer Data should contact Customer regarding such requests. Customer generally controls the Customer Data and is responsible for deciding how to respond to such requests. While Forma does defer to Customer for most decisions regarding requests for access to or removal of Customer Data, as described in the Customer Terms of Service, Forma reserves the right to remove Customer Data that violates its policies or applicable law.
12. PROTECTING CUSTOMER DATA
The focus of Forma’s security program is to prevent unauthorized access to customer data. To this end, we pride ourselves in taking exhaustive steps to identify and mitigate risks, implement best practices, and constantly evaluate ways to improve.
13. DATA ENCRYPTION IN TRANSIT AND AT REST
Forma transmits data over public networks using strong encryption. This includes data transmitted between Forma clients and the Forma service. Forma supports the latest recommended secure cipher suites to encrypt all traffic in transit, including use of TLS 1.2 protocols, AES256 encryption, and SHA2 signatures, as supported by the clients.
Forma utilizes Amazon Web Services (AWS) as its infrastructure and data storage. Data stored in Forma’s production network is automatically encrypted using AES256 compliant encryption standards. This applies to all types of data at rest within Forma’s systems—relational databases, file stores, database backups, etc.
The Forma service is hosted in data centers maintained by industry-leading service providers. Data center providers offer state-of-the-art physical protection for the servers and related infrastructure that comprise the operating environment for the Forma service. These service providers are responsible for restricting physical access to Forma’s systems to authorized personnel.
14. AUTHORIZING ACCESS
To minimize the risks posed to the privacy and security of data, Forma adheres to the “principle of least privilege”, under which our workers are only authorized to access data that they reasonably must handle in order to fulfill their current job responsibilities. To ensure that users are so restricted, Forma employs the following measures:
● All systems used at Forma require users to authenticate, and users are granted unique identifiers for that purpose.
● Forma employs 2 factor authentication (2FA) for personnel who have access to data and related services to minimize the risk of unauthorized access or other breach.
15. DATA AND MEDIA DISPOSAL
Forma employs measures to ensure Customer data is securely deleted and disposed of. Forma hard deletes all information from currently running production systems. Backups are destroyed within 14 days. Forma follows industry standards and advanced techniques for data destruction. Forma adheres to policies and standards requiring media be properly sanitized once it is no longer in use. Forma’s hosting provider is responsible for ensuring removal of data from disks allocated to Forma’s use before they are repurposed.