Wufoo leverages the expertise and top notch hardware found at SurveyMonkey, our parent company, to ensure that the integrity of your data is kept intact.
At Wufoo, we recognize that remaining secure involves active monitoring, constant improvements and building on the knowledge that others have worked to discover. Whether it be through hardware and networking analysis from our friends at SurveyMonkey, or the generous open source software of Suhosin, htmLawed and Nagios -- among many others -- we try to incorporate as many tools as possible to ensure Wufoo remains a secure and trustworthy service.
Top Notch Data Center
Wufoo's servers are managed in-house and located in a SOC 2, Type II audited facility that is located in the United States. The data center includes high-end surveillance equipment, security guards, visitor logs and passcards/biometric recognition. With fully redundant IP connections, independent connections to T1 access providers, redundant external and internal power supplies, daily security scans and encrypted offsite backups, you can rest assured that we are doing everything we can protect your valuable data.
Encouraging the Best Coding Practices
In addition to implementing features that increase security, we have to maintain best practices on the backend to ensure your account remains secure. We monitor sessions to restrict access of your account appropriately, and have constructed Wufoo in a way that every account is isolated. Safeguards are in place to try and detect common attacks such as SQL injection and cross site scripting. Most importantly, we actively review our code for potential security concerns (in addition to evaluating all user feedback) so that we can address any issues as quickly as they arise. Also, remember that we are all bound to our privacy statement, which will ensure your data is not misused.
Secure Data Transfer and Storage
On Bona Fide and higher paid accounts we enforce the secure collection of data. Forms will be served across a protected, 128-bit SSL connection that encrypts the data before it is sent to our servers. SSL ensures that any wrong-doer who may be listening in to your network traffic is not able to actually read the data being submitted to the form.
Additionally, we're offering encrypted data storage to select plans. Our SSL offering transmit the data securely, and we're confident it will remain secure on our servers. However, some data is so sensitive that stricter requirements are in place. That is where encrypted data storage comes in. On up to 5 fields per form, eligible accounts will be able to encrypt the data storage. This means that sensitive data will not be compromised even if our physical server is stolen.
Automated spam plagues the integrity of many forms across the Internet and acts as a major annoyance to many administrators. At Wufoo, we've developed a Smart CAPTCHA system that makes it hard for robots to fill out your form, but keeps it easy for humans to fill out.
We've also implemented multiple coding checks along the submission process to see if the submission came from a human using a web browser. In the worst cases, if spam does get through, we have a very accommodating support team willing to help identify the root cause and credit your account.
Disasters happen, so being prepared for them is critical for happy data collection. You can rest easy when you store your data with Wufoo, because we are consistently replicating (backing up in real time) your data on site to another server. Additionally, we take 2 snapshots of your data every 24 hours and store them on site for two weeks. Once the two weeks have finished, we move that data to a physical tape backup. The tape backup is then transferred to an offsite location in locked, water and impact resistant containers by screened employees requiring verification upon delivery.
Just as we have backups of your data, we also have lots of redundancy across our core infrastructure. Paired database, web, file, load balancing and firewall servers sit next to each other in separate cabinets with separate power supplies. This level of redundancy helps us and you prepare for those worst case scenarios.
How We Secure the Network
We have an outside routing layer that provides basic filtering to handle and manage any potential denial of service attacks. All network traffic then has to pass through one of our redundant firewalls, which are heavily locked down and allow only specific services to be made publicly available.
Additionally, we perform periodical scans, including quarterly PCI scans by McAfee, to look for any potential vulnerabilities in our network or publicly accessible software. In regards to employees, we force outside access to the servers to use a 128-bit encrypted connection along with a strong password strength.
About Your Responsibilities
A large part of keeping data secure is in educating the end user what their responsibilities are. With all of the best intentions, an end user can still access an email containing a password through a public wifi network, which would result in anyone tracking that connection having access to the Wufoo account Specific to us, we have documentation on when to use email versus RSS, upgrading to the appropriate account level, when to encrypt data and how to share public files. We also try to proactively detect when someone may be collecting information insecurely, so that we can notify them of the problem.