MyForms24/7

Security Overview

MyForms24/7 is built with enterprise-grade security at every layer. Here’s how we protect your data, your employees’ information, and your business.

Encryption in Transit (HTTPS/TLS)

Every connection to MyForms24/7 is encrypted using industry-standard TLS (Transport Layer Security). Data traveling between your browser and our servers is fully encrypted — protecting employee information, form submissions, and e-signatures from interception. SSL certificates are automatically managed and renewed.

Password Security (bcrypt Hashing)

User passwords are never stored in plain text. All passwords are hashed using bcrypt — an industry-standard one-way hashing algorithm — before being saved. Even in the unlikely event of a data breach, stored passwords cannot be reversed into their original form.

Authentication & Session Security

Server-side session validation ensures that every protected API route verifies the user’s identity before returning data. Built-in CSRF (Cross-Site Request Forgery) protection prevents malicious sites from performing actions on behalf of your users. Role-based access control restricts admin, employer, and employee access to only the features and data they are authorized to see.

Payment Security (Stripe / PCI-DSS Level 1)

MyForms24/7 never stores, processes, or transmits credit card numbers on its own servers. All payment data is handled exclusively by Stripe, which holds PCI-DSS Level 1 certification — the highest level of payment security in the industry. Card information flows directly from the user’s browser to Stripe’s secure infrastructure.

Cloud File Storage (AWS S3)

Uploaded files — documents, signatures, employee forms — are stored in Amazon Web Services (AWS) S3 cloud storage. Files are private by default and not publicly accessible unless explicitly configured. Secure, time-limited download links (pre-signed URLs) are generated on the fly so that only authenticated users with proper authorization can access files.

Database Security

All database connections are encrypted. Connection pooling with strict concurrency limits (max 25 connections) and statement timeouts prevent abuse and runaway queries. Database credentials are stored as server-side environment variables — never hardcoded in source code or exposed to browsers.

Minimal Cookie Footprint

MyForms24/7 uses only strictly necessary cookies — authentication tokens and CSRF protection. We do not use third-party tracking cookies, advertising cookies, or analytics cookies. This minimizes attack surface and protects user privacy.

Secrets & Configuration Management

All sensitive credentials (database connection strings, API keys, payment processor keys, cloud storage credentials) are stored as server-side environment variables in a secure configuration layer. Secrets are never included in client-side code, browser-accessible files, or version-controlled source code.

A Note on Security

No system can guarantee 100% security, but MyForms24/7 is built with multiple layers of protection following industry best practices. We continuously monitor and update our security measures to address emerging threats. If you have specific security questions or require additional documentation for compliance purposes, please contact us at [email protected].