Security & Infrastructure
Here’s how we keep your data secure and available
The Forms On Fire platform provides robust and secure functionality for the rapid creation and deployment of connected, data-driven business applications, with the primary use case of replacing paper forms with mobile applications. The application architecture and failover designs leverage world-class technology to deliver a massively scalable, highly available and cost-effective software as a service offering.
Built on Microsoft Azure
Forms On Fire is hosted on Microsoft’s Azure public cloud infrastructure, which allows us to deliver highly scalable, available and fault-tolerant services. The application architecture is designed to leverage Azure’s strong geo-redundancy, replication and recovery options, and follows Microsoft-recommended best practices and processes.
Azure meets a broad set of international and industry-specific security, privacy and compliance standards including ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2, as well as country-specific standards like Australia IRAP, UK G-Cloud, and Singapore MTCS.
More information, including white papers and other resources, can be found at:
Utilizing industry standard tools and practices to perform software development, quality assurance, deployment and configuration is all part of the daily operations of our SaaS platform. Software and environment changes are versioned and committed to source control systems, with continuous integration tools providing automated testing and build procedures.
Application updates are deployed to a staging environment and then promoted to production using Azure’s Virtual IP address mechanism to avoid downtime. In the event of issues with the new production deployment, the environment is immediately rolled back to the prior stable version. All environmental aspects are defined via controlled configuration files, ensuring that application deployments execute on a consistent infrastructure and operating system environment.
Robust monitoring tools are employed to log, analyze and constantly measure platform performance, availability and responsiveness. Automated alerts and notifications are raised when key measures approach acceptability limits, allowing the team to respond to issues promptly and proactively.
Data Replication and Backup
Data generated and stored on the platform is replicated between two physical data centers via Azure’s paired region approach. Azure geo-replication and geo-redundancy features are utilized for storage and database operations, guided by Microsoft-recommended practices. Point-in-time backups are also executed automatically: hourly for databases and daily for general file storage.
System Failover and Disaster Recovery
The application architecture follows best practices to ensure failover and recovery can occur across multiple levels and scenarios. At a hosting level, the platform is deployed across a primary and secondary data center pair. These data centers are sufficiently physically distant from each other to reduce the likelihood of natural disasters, civil unrest, power outages, or physical network outages affecting both regions at once. In the event of tier failure or outright disaster, failover procedures will transition services from the primary to the secondary center.
Network and Platform Security
Server instances run behind Azure’s comprehensive firewall and load balancing solution. Inbound connections from both the Internet and remote management ports are blocked by default, with access tightly restricted to legitimate protocols and traffic only. All firewall configurations are version controlled and peer reviewed as part of the standard change management processes. For more information on Azure-specific security, refer to Microsoft’s self-assessment paper here:
Backend access to platform databases, storage accounts and server instances is restricted to qualified team members only, with all actions performed using Microsoft-provided management tools across SSL-secured connections.
All app, web browser and REST API interactions with the platform occur using 256-bit SSL/TLS encryption (HTTPS protocol). Users are required to log in with an email and password, and their login and access activity is recorded. API access is authenticated against a platform-generated 32-character secret key token.
Passwords stored on mobile devices and platform servers are always encrypted using AES 256-bit encryption algorithms according to industry-standard practices.
When a user account is terminated or deactivated, an automatic wipe of local app data is executed when/if the user next attempts to access the app.
Frequently Asked Questions
Below is a set of system and security questions commonly asked of Forms On Fire. Please note that the infrastructure and system design are subject to change, so the answers below may be revised from time to time. All answers apply to our cloud services unless otherwise indicated.