Encrypted Forms Support for Workflows

Workflows supports the use of encrypted forms to collect data as well as to map data while building out your workflow. All users with access to Workflows will be able to use this feature. For more information on setting up an encrypted form for the first time, check out our article here. When selecting a form for your workflow step, you'll notice an encrypted badge to indicate which forms have this feature setup, as pictured below. 




 

Feature Capabilities

• Ability to map fields into an encrypted form to a Documents or Sign step.

• Ability to map fields from another form (encrypted or unencrypted) or a Forms for Salesforce form to an encrypted form.

• If a submission or mapping to/from an encrypted form fails due to a poor password, the previously stored encryption password is deleted and the user will be prompted to re-enter the password. 

• Ability to remove the encryption password from a workflow if needed. 

Feature Limitations

• Fields from encrypted forms cannot be mapped into notification emails, whether you've set them up in Formstack Forms or Formstack Sign.
   

Compliance Information 

• Workflows uses AWS Key Management Service (KMS) to manage encryption keys and uses the AES-GCM algorithm with key derivation, signing, and key commitment.

• Form encryption passwords are always securely encrypted before they are stored.

• Application Developers do not have access to keys. They can only be accessed programmatically through the system application and access to AWS KMS is controlled and monitored.

• Encryption algorithm details

  • Algorithm: AES-GCM

  • Key Length: 256 bits

  • Key Derivation algorithm: HKDF with SHA-384

  • Signature algorithm: ECDSA with P-384 and SHA-384

  • Key Commitment: HKDF with SHA-512