Our Enhanced Data Security Add-On packages security features found in our Formstack for Healthcare plans as an add-on for use with single app Forms plans and Suite. This add-on can be purchased by non-covered entities requiring more security. Reach out to your account manager or our sales team to see if the Enhanced Data Security add-on is right for your account.
Feature Capabilities:
Forms
Only integrations that don’t pass PII or have entered into a BAA with Formstack are approved to be used with this add-on.
Available Integrations:
- Amazon S3
- Box
- Dropbox
- Formstack Documents (formerly WebMerge)
- Paypal (not PayPal Pro)
- Salesforce
- Salesforce Marketing Cloud
- Smartsheets
- Stripe
- Google Calendar
- Google Contacts
- Google Drive
- Google Sheets
Emails and SMTP
SMTP is required to send form field data. Emails with form field data can only be sent to users on the Formstack account.
If SMTP is not used, emails can be sent to non-users, but all non-custom messages will include links back to Formstack to view the submission or a custom message (without form field data).
- Custom messages will hide the form fields so users cannot add them to messages.
- If the account has legacy accounts, messages default to sending all form data or if the custom message had selected fields, those fields will not appear on outgoing messages.
For added security, verification of SSL cert is required.
Without using SMTP, users can only email fields and submitted data to other Formstack users.
| Uploading file uploads to emails is not allowed. Using default HTML in emails is not allowed. |
Confirmation emails are restricted to custom emails without a field panel.
API
- Submit actions and webhooks cannot be created. When creating a submission, attachments are not allowed.
Other:
- SAML Authorization will not log data to ensure PII or other sensitive data is not captured in Formstack’s systems.
- You cannot share filters in submission sharing.
- Access to the integrations credentials page is prohibited.
- Confirmation pages are restricted from using field data.
Granular Controls for Enhanced Data Security
This feature gives qualifying accounts the ability to enable Granular Controls as part of the Enhanced Data Security Add-On. By default, when the Add-On is enabled, the account defaults to maximum security, meaning all granular controls are initially turned OFF.
Enabling Granular Controls
Only Org Admins can enable this setting. To turn on Granular Controls:
Navigate to:
Admin Panel > Security Settings > Forms Data and Security (visible only to Org Admins)
Note: Once enabled, all forms in the account will gain additional security controls.
Where to Find Granular Settings on a Form
After enabling the feature at the org level, form editors (any user with edit access to a form) will see the new options in:
Form → Settings → Security
Granular Control Options
There are four settings that become available at the form level:
1. Public Form Submission Links
Controls whether submission sharing is available.
| Setting | Behavior |
|---|---|
| OFF | “Sharing” links in Submissions are hidden. |
| ON | “Sharing” links in Submissions are available. |
Sharing Off Example
2. Email Non-Users (SMTP Control)
By default, the Enhanced Data Security Add-On restricts notification emails to Formstack users only when SMTP is enabled. This setting allows emails to be sent to non-Formstack users, even when using SMTP.
| SMTP Setting | Email Non-Users OFF | Email Non-Users ON |
|---|---|---|
| SMTP ON | Cannot email non-users | Can email non-users |
| SMTP OFF | Can always email non-users | (Default behavior) |
3. Include Fields & Attachments in Emails
Without SMTP, Enhanced Security users cannot include form fields or file attachments in email notifications. This control allows them to override that behavior.
| SMTP Setting | Fields & Attachments OFF | Fields & Attachments ON |
|---|---|---|
| SMTP OFF | Cannot include fields/attachments | Can include fields/attachments |
| SMTP ON | This option is always available | — |
4. Integration Access
By default, Enhanced Data Security accounts have limited integration access, including:
-
Stripe
-
PayPal (not PayPal Pro)
-
Dropbox
-
Box.net
-
Salesforce
-
Salesforce Marketing Cloud
-
Smartsheet
-
Google Calendar
-
Google Contacts
-
Google Drive
-
Google Sheets
-
Amazon S3
Turning this setting ON enables access to all available Formstack integrations (including premium ones like Salesforce and HubSpot—note that access to premium integrations still depends on your account plan).
Visibility Tip: Integrations used on each form are now included in the Form List Export on the Home page.
Feature Limitation
Granular Controls are applied globally:
-
Once enabled by an Org Admin, all forms in the account will display these settings.
-
All Forms users with edit access can view and configure these settings per form.
-
Controls cannot be limited to specific forms or users.
Documents (Forms/Documents Multi-App and Suite Version Only)
When sending an error email about a failed delivery, file attachments are not included with the email unless the email is being sent via SMTP.
When sending an error email about failed delivery, if no “error email” is specifically set, it will not send the email.
The option to save merge data for re-merge for both Routes and Documents is not available.