Wufoo leverages the expertise and top-notch hardware found at SurveyMonkey, our parent company, to ensure that the integrity of your data is kept intact.
At Wufoo, we recognise that remaining secure involves active monitoring, constant improvements and building on the knowledge that others have discovered through their work. Whether it be in the form of hardware and networking analysis from our friends at SurveyMonkey or the generous open source software of Suhosin, htmLawed and Nagios (among many others), we try to incorporate as many tools as possible to ensure that Wufoo remains a secure and trustworthy service.
Top-Notch Data Centre
Wufoo's servers are managed in-house and located in a SOC 2, Type II audited facility in the United States. The data centre includes high-end surveillance equipment, security guards, visitor logs and passcard/biometric access control. With fully redundant IP connections, independent connections to T1 access providers, redundant external and internal power supplies, daily security scans and encrypted offsite backups, you can rest assured that we are doing everything we can to protect your valuable data.
Encouraging the Best Coding Practices
In addition to implementing features that increase security, we have to maintain best practices on the backend to ensure that your account remains secure. We monitor sessions to restrict access to your account appropriately and have constructed Wufoo in such a way that every account is isolated. Safeguards are in place to try to detect common attacks such as SQL injection and cross-site scripting. Most importantly, we actively review our code for potential security concerns (in addition to evaluating all user feedback) so that we can address any issues as soon as they arise. Also, remember that we are all bound by our privacy statement, which ensures that your data is not misused.
Secure Data Transfer and Storage
On Bona Fide and higher paid accounts we enforce the secure collection of data. Forms will be served across a protected, 256-bit SSL connection that encrypts the data before it is sent to our servers. SSL ensures that any wrongdoer who may be listening in on your network traffic is not able to actually read the data being submitted to the form.
Additionally, we're offering encrypted data storage on select plans. Our SSL offering will transmit the data securely and we're confident it will remain secure on our servers. However, some data is so sensitive that stricter requirements are in place. That is where encrypted data storage comes in. On up to five fields per form, eligible accounts will be able to encrypt the data storage.
Automated spam plagues the integrity of many forms across the Internet and acts as a major annoyance to many administrators. At Wufoo, we've developed a Smart CAPTCHA system that makes it hard for robots to fill in your form but keeps it easy for humans to fill out.
We've also implemented multiple coding checks throughout the submission process to verify that the submission came from a human using a web browser. In the worst-case scenario, if spam does actually get through, we have a very accommodating support team that is willing to help identify the root cause and credit your account.
Disasters happen, so being prepared for them is critical for happy data collection. You can rest assured when you store your data with Wufoo because we are continuously replicating (backing up in real time) your data on the site to another server. Additionally, we take two snapshots of your data every 24 hours and store them on site for two weeks. Once the two weeks are up, we move that data to a physical tape backup. The tape backup is then transferred to an offsite location in locked, water- and impact-resistant containers by screened employees, with verification required upon delivery.
Just as we have backups of your data, we also have lots of redundancy across our core infrastructure. Paired database, web, file, load-balancing and firewall servers sit next to each other in separate cabinets with separate power supplies. This level of redundancy helps us, and you, prepare for those worst-case scenarios.
How We Secure the Network
We have an external routing layer that provides basic filtering to handle and manage any potential denial of service attacks. All network traffic then has to pass through one of our redundant firewalls, which are heavily locked down and allow only specific services to be made publicly available.
Additionally, we perform periodic scans, including quarterly PCI scans by McAfee, to look for any potential vulnerabilities in our network or publicly accessible software. With regard to employees, we require external access to the servers to use a 256-bit encrypted connection along with strong passwords.
About Your Responsibilities
A large part of keeping data secure involves educating end-users about their responsibilities. With the best will in the world, an end-user can still open an email containing a password over a public Wi-Fi network, which would give anyone monitoring that connection access to the Wufoo account. For Wufoo specifically, we have documentation about when to use email versus RSS, upgrading to the appropriate account level, when to encrypt data and how to share public files. We also try to proactively detect when someone may be collecting information insecurely so that we can notify them of the problem.