Security, Compliance & Data Protection
People, processes, and infrastructure you can trust
Some of the world’s largest, most advanced technology and security companies administer their flexible benefits on Forma. Forma has deployed best practices and tools to maintain security on all levels: across our company, within the infrastructure, and in the product itself. For more technical detail, visit Forma’s real-time control monitor.
Corporate security
We comply with global data protection and security frameworks
User Authentication
Forma has strict access controls for all internal and external systems. All critical systems are accessed via SSO through Forma’s identity management solution. Most systems also require multi-factor authentication.
Role Based Access Control (RBAC)
Access to Forma’s information is restricted. Forma employees and contractors are only granted access to information required by their work as defined by their user role.
Acceptable Use
Forma’s network, cloud services, and all information assets are subject to Forma’s Acceptable Use Policy. All employees and contractors accept the policy prior to access.
Risk Assessments
Forma conducts regular risk assessments to thoroughly understand any potential risks to security, availability, and privacy in our products and services.
Human Resources Security
All employees are subject to reference and background checks and sign a non-disclosure agreement and security policies. Access privileges are managed centrally and are revoked immediately upon termination.
Training and Awareness
All Forma employees take security training annually. Forma’s Head of Security and Compliance also monitors external threats and will certify employees as needs arise.
Infrastructure security
We're built to secure your most sensitive data
Incident Response
Forma’s Incident Response Plan details how incidents are to be classified, handled, and reported. All incidents are to be handled by the Head of Security and Compliance.
Third-Party Audits and Certifications
Forma holds multiple certifications attesting to its adherence to industry standards and security best practices, including SOC 2 Type 2.
Penetration Testing
Forma works with trusted auditors annually to conduct complete network and application scans.
Continuous Integration and Continuous Delivery (CI/CD)
Forma’s infrastructure has fully automated deployment flows and lacks persistent storage. The only way to change production environments is through CI/CD and is subject to restricted privileges, multi-factor authentication, and peer review controls.
Third-Party Risk Management
Forma conducts risk assessments (which include a compliance, security, and privacy review) for every third-party service or vendor with access to customer, confidential, or personal information.
Data Encryption
All data is encrypted at rest and in transit, is stored only in production databases and blob storage, and is continuously monitored.
Key Management
Keys can only be accessed by approved admins through multi-layered secure authentication, are rotated periodically, and are only stored in our approved key management system.
Vulnerability Scans
Forma has built-in continuous infrastructure monitoring to identify and remediate potential system vulnerabilities and to ensure compliance with the required configuration baseline.
Product security
Our developers keep security top of mind
Privacy
Forma is committed to compliance with all applicable data, health, GDPR and financial privacy laws.
SSO
Roles & Permissions
Integrations