In preparing for GDPR, our developers used the effort as an opportunity to add some new features to the platform that will help better secure and manage your data going forward.

Security Improvements

New Password Policy Options

To date, the platform enforces a simple 6 character minimum length password, with a focus on making it easy for users to get started with the service. A Password Policy drop-down is now added to the Organization Setup page which gives you more control over user password requirements. Aside from the default Basic policy, there will be two further options based on current best practice recommendations:

  • NIST SP 800-63
    • A phrase-based policy based on the latest recommendations of NIST, which encourages human-friendly passwords that are still hard to crack.
  • OWASP 2017
    • A strict policy which favors complex passwords that are hard to crack but also harder for people to remember.

Both of these new policy options will add stronger password security requirements for your user accounts, so consider what is best for you. For now, the platform will continue to set our Basic 6 character minimum policy as the default on new company accounts, but you can change this at any time. When you change the Password Policy, this will be applied to existing users when they next change their passwords.

Maximum Password Attempts Lockout

A temporary lockout feature to user accounts is being added which will be applied when an incorrect password is attempted more than 5 times in a row. This is based on NIST recommendations and provides better security against brute force password attacks. For now, this will apply to the web platform, but will be extended to app logins within the next few months.

Validation of Passwords Against 10,000 Most Common

The10,000 most common passwords has been loaded into the system – as found by NIST linked security researchers – and will be blocking users from setting/updating their passwords to be any of these. This enforces NIST and OWASP guidance on preventing users from having easily crackable passwords.

Regenerable Integration API Keys

When working with the API there has been only one secret Key value per company account, and this Key value was fixed at the date of account creation. We’re adding a second Key which works just the same as the existing one, thus allowing you to rotate between using Key 1 and 2 in your integrations. This also unlocks the ability to regenerate an unused Key at any time, thus enabling you to enact greater security procedures (i.e. key rotation/regeneration) when using the API.

New Personal Data Options

Our developers wanted to make it easier for you to export data out of the platform while still being able to meet obligations you may have around personal data. Basic user account information like name and email is also considered to be personal data by default. For other data that you control, the developers have added a new “Is Personal Data” checkbox into key areas of the platform including Forms, Data Sources and Connectors.

This new checkbox allows you to indicate that a field or column may contain personal/sensitive data. In of itself, this option does not add any further security or protection, but it enables the platform to offer anonymization of those data values when exporting. You’ll notice this through new “Anonymize Personal Data” options that will appear on most system exports and Form Connectors when the presence of personal data has been indicated.

For API users, a new set of “Anonymize” Keys have been added. These work the same as existing Full Access keys, with the difference being that any responses to requests authenticated on Anonymize keys will result in personal data values being converted to non-human readable formats.

Roadmap Work Resuming Soon!

The work in reaching GDPR compliance, as well as for the features above, has been more than planned or expected, but thankfully we see the light at the end of the tunnel. Most of next week is dedicated to shipping the above features and addressing any issues found with our data protection efforts. Once that settles down, our developers will be moving back onto planned roadmap work. We’re super excited to ramp back up on all the new features planned and we’ll be sharing more about that soon!

Thanks for your support and attention, and please get in touch if you have any questions!