1. About Form2
Form2 is a Software as a Service data collection platform (the “Services”) operated by The University of Manchester in the United Kingdom. As such Form2 abides by the University of Manchester’s Privacy Policy with regards to website use and data protection generally where it acts as Data Controller
https://www.manchester.ac.uk/discover/privacy-information/data-protection/
The Form2 Services enable our Clients to, among other things, create and distribute Forms to collect specific data. We also provide other related services, such as real-time data analytics.
1.1 Terms
In this privacy policy, these terms have the following meanings:
“Client” is any organisation or individual who purchases, or is granted, a licence to use Form2 as a Software as a Service
“User” is a person a Client may add to the system through our Services with the purpose of collecting data from them. For example, if you are a Client, a student or staff member added to your Instance of Form2 would be a User
“Personal Information” means any information that identifies or can be used to identify a Client, a User, or a Visitor, directly or indirectly. Examples of Personal Information include, but are not limited to, first and last name, date of birth, email address, gender, occupation, or other demographic information.
“Website(s)” means any website(s) we own and operate (such as www.fromsquared.com).
An “Instance” is a dedicated instance of the Form2 service which is managed and maintained solely by a single Client and only accessible to Users that are added by that Client. Form2 staff may access the Instance for the proposes of resolving issues when requested to do so by the Client.
“Visitor” means any person who visits any of our Websites.
A “Data Controller” determines the purposes and means of processing personal data as defined by the GDPR Regulations
A “Data Processor” is responsible for processing personal data on behalf of a controller as defined by the GDPR Regulations
A “System Administrator” is an individual nominated by a Client who is responsible for managing their Instance of the Service on behalf of the Client.
A “Local’ account is a User account on the Service that is held solely on Form2 and does not require authentication through a third-party system
A “Remote” account is where your email and password is validated via a third-party service such as Shibboleth using Security Assertion Markup Language (SAML)
2. Visitor Privacy
This section applies to Personal Information that we collect and process through our Websites and in the usual course of our business, such as in connection with our support, sales and marketing activities.
The University of Manchester is committed to looking after any information that is made available to us when you visit our websites in accordance with data protection law.
This notice outlines what categories of information we retain and how we use it. Our other privacy notices are also available from this website.
2.1 Personal data
You don’t have to create an account or provide us with any personal information to access Form2 websites. However, we may ask for some personal details if you wish to gain more information about our services.
In this case the only personal data we store and process is your contact details specifically your name and email address.
We will ensure that all personal data you supply is held in accordance with data protection law. We do not sell or otherwise transfer personal data to any third parties unless you have consented to this or this is permitted by law.
2.2 Visits to Form2 websites
When you visit any of the Form2 websites the following information is received and stored by our web servers: anonymised details of your IP address, browser type and operating system; and the web pages you visited. This data is known as web server logs. We use this information strictly to analyse how the Form2 websites are used by our visitors and we may archive this information in an anonymous form for historical records.
2.3 Cookies
Our websites use ’cookies’ which are text files placed on your computer when you visit a site which help us understand how you use our websites. Cookies don’t collect personal data from your computer, only the data created by your browsing. Some cookies remain on your computer after you leave the website; these are called ‘persistent’ cookies. Others are deleted automatically when you close your browser and others simply expire. We use the following cookies on our websites:
2.3.1 Analytics cookies and advertising cookies set by Google Analytics
We may collect non-person-identifying information relating to your use of our sites via Google Analytics technology. This may include: which pages you see; how long you stay; what you click on our pages; if you visit the website again; which country and city you are browsing from; etc. This data is collected for the purpose of monitoring and understanding the effectiveness of our websites. We also collect data relating to the demographics and interests of our users via Google Analytics and cookies set by Google advertising networks. This data is used in aggregated form to help improve the site and the University’s marketing efforts.
Further information and instructions for opting out of Google Analytics tracking
2.4 How to delete and manage cookies in your browser
You can choose not to accept cookies and delete existing cookies on your computer or mobile device using your browser settings. Please use the links below to find out how to do this for your browser:
For browsers not listed here, please refer to the manufacturer’s website.
2.5 Protection Rights
You have the following data protection rights:
- To access, correct, update, or request deletion of your Personal Information: Form2 takes reasonable steps to ensure that the data we collect is reliable for its intended use, accurate, complete, and up to date. You may contact us directly at any time about accessing, correcting, updating, or deleting your Personal Information, or altering your data or marketing preferences by emailing us at info@formsqured.com We will consider your request in accordance with applicable laws.
- In addition, if you are a resident of the EEA, you can object to processing of your Personal Information, ask us to restrict processing of your Personal Information or request portability of your Personal Information. Again, you can exercise these rights by emailing us at info@formsqured.com
We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. We may ask you to verify your identity in order to help us respond efficiently to your request.
3. Client Privacy
This section applies to the Personal Information we collect and process from a Client or potential Client through the provision of the Services.
3.1. Information We Collect
The Personal Information that we may collect broadly falls into the following categories:
3.1.1 Information you provide to us:
In the course of engaging with our Services, you may provide Personal Information about you and your Organisation. Personal Information is often, but not exclusively, provided to us when you sign up for and use the Services, consult with our Staff, send us an email, integrate the Services with another service (for example, when you use the SAML Provision), or communicate with us in any other way.
By giving us this information, you agree to this information being collected, used and disclosed as described in your Licence Agreement signed when you purchase Form2
This information may include:
- Registration information: You need a System Administrator account to use the Services as a Client. When you purchase an Instance, you will be asked to provide certain basic information, specifically the name and email address of the System Administrator. These will be used to set up the Instance
- Billing and communications information: If you purchase our Services, you may also need to provide us with contact details of your Finance department. All financial transactions and communications are carried out through the University of Manchester Purchasing Department and no financial data such as credit card or bank details are held in the Form2
3.1.2 Information we collect automatically:
When you use the Services, we may automatically collect certain information about your device and usage of the Services. We use this in order to resolve any technical issues with the Service
This information may include:
- Device information: We collect information about the device and applications you use to access the Services, such as your IP address, your operating system, your browser ID, and other information about your system and connection.
- Log data: Our web servers keep log files that record data each time a device accesses those servers and those log files contain data about the nature of each access, including originating IP addresses.
- Product usage data: We collect usage data about you whenever you interact with our Services, which may include the dates and times you access the Services and your browsing activities. We also collect information regarding the performance of the Services, including metrics related to the deliverability of emails and other communications you send through the Services. This information allows us to improve the content and operation of the Services, and facilitate research and analysis of the Services.
3.1.3 Information from the use of our mobile app:
When you use our mobile app, we may collect certain device and usage-related information in addition to information described elsewhere in this privacy policy.
- Device information: We may collect information about the type of device and operating system you use. We do not ask for, access, or track any location-based information from your mobile device at any time while downloading or using our mobile apps or Services.
3.2. Use of Personal Information
We may use the Personal Information you provide for a range of reasons, including:
- To bill and collect money owed to us by you. This includes sending you emails, invoices, receipts, quotes, licences, etc
- To send you system alert messages. For example, we may inform you about temporary or permanent changes to our Services, such as planned outages, new features, version updates, releases, abuse warnings, and changes to this privacy policy.
- To communicate with you about your account and provide customer support.
- To enforce compliance with our Terms of Use and applicable law
- Other purposes. To carry out other legitimate business purposes, as well as other lawful purposes about which we will notify you.
- For marketing. We may occasionally contact you to inform you of new features or products available through the University of Manchester. You have the right to opt-out of any such emails simply by emailing us at any point. We may also ask to use your organisation’s name and logo in our own marketing literature or material, but will never do so without your explicit written consent in each individual case.
3.3. Data Protection Rights
You and your Users may have the following data protection rights:
- To access, correct, update or request deletion of Personal Information. Form2 takes reasonable steps to ensure that the data we collect is reliable for its intended use, accurate, complete and up to date. As a Client, you can ask us to update the System Administrator details at any point by emailing us.
- You can also manage information about your Users within the Administration page of the Form2 Service to assist you with responding to requests to access, correct, update or delete information that you receive from your Users.
- In addition, individuals who are residents of the EEA can object to processing of their Personal Information, ask to restrict processing of their Personal Information or request portability of their Personal Information. If any of your Users wishes to exercise any of these rights, they should contact you directly.
- Similarly, if Personal Information is collected or processed on the basis of consent, the data subject can withdraw their consent at any time. Withdrawing consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your Personal Information conducted in reliance on lawful processing grounds other than consent. If, as Client, you receive these requests from Users you should comply immediately.
- The right to complain to a data protection authority about the collection and use of Personal Information. For more information, please contact your local data protection authority. Contact details for data protection authorities in the EEA are available here.
4. User Privacy
This section applies to the information processed about Clients’ Users. Our Services are intended for use by our Clients. As a result, for all the Personal Information and other data collected and processed about Users through the Services, we act as a processor on behalf of our Clients. Form2 is not responsible for the privacy or security practices of our Clients, which may differ from those set forth in this privacy policy. Please check with your individual Client organisation about the policies they have in place.
4.1. Information Form2 Collect and how we use it
The Personal Information that we may collect or receive about you broadly falls into the following categories:
4.1.1 Information we receive about Users to set up an account:
A Client will need to add your email address and name to the Services in order to create a User account. You may have the opportunity to update this information by logging in to the system and amending your profile settings. If you have a “Local’ account, then the Service will hold an encrypted password for your account that can be amended by you in your profile page on Form2. If you hold a “Remote” account then only your email and name will be held on the Service.
If you wish to amend or remove your details you should contact the Client organisation to which you belong.
We use this Information solely to authenticate your identity when logging into the Service or Form2 app
4.1.2 Information we collect automatically:
When you interact with Form2 we may collect information about your device and interaction with the Service. We use cookies and other tracking technologies to collect some of this information.
- Device information: We collect information about the device and applications you use to access emails sent through our Services, such as your IP address, your operating system, your browser ID, and other information about your system and connection.
4.2. Information Collected by the Client
The Client may use Form2 to collect any data about you as they feel appropriate. This may include Personal Information or Confidential Information. In all cases, the Client is acting as Data Controller and all data collected by the Client using the Service is covered by the Clients own Privacy Policy and Data Protection Policies. We will never access this data without the explicit permission of the Client who has collected the data and then only for the purposes of resolving issues reported by the Client or the User. Form2 will never delete, amend, transfer or circulate any data about a User collected and stored on the Service unless instructed to do so by the Client in writing.
All Information collected by a Client and stored on the Service is stored securely according to Industry best practice.
5. Form2 Security
Form2 is aware of its obligation to keep your data as safe as possible. Under the GDPR https://www.eugdpr.org/ it is each Client’s responsibility, as Data Controllers, to ensure they are satisfied that any personal and sensitive data is stored and processed securely. The following document is designed to support this decision, by providing information about security measures that Form2 employs to reduce the risk of data breaches.
5.1 Form2 Security Details
5.1.1 Cloud Hosting
Form2 is hosted on Amazon Web Services (AWS)
Form2 uses AWS Servers hosted in the European Union (Ireland)
AWS Complies with all Industry Security Standards and offers a range of security features
As an IaaS (Infrastructure as a Service) provider, AWS comply with CISPE
Our Virtual Private Cloud (VPC) uses an infrastructure-level firewall to protect our instances.
Access to our AWS account is protected by multi-factor authentication (MFA).
5.1.2 Data Storage
Live data is stored on AWS’s Elastic Block Store (EBS), Relational Database Service (RDS) and Simple Storage Service (S3).
Our RDS instances provide up to 35 days of automated backups, with restoration possible to a specific second.
All data stored in EBS, RDS and S3 is encrypted, with keys managed by AWS.
Access to our instances is limited to 3 individuals, with access controlled using private key authentication.
Client’s data is only accessed by the Form2 developer with the explicit permission of the Client in order to resolve technical issues or restore backups
Data is stored on Form2 within AWS until it is deleted by the Client
5.1.3 Form2 App
Form2 uses TLS encryption to protect data transferred from the iOS App on user devices to the Form2 application on AWS
All data stored on the device is deleted automatically each time the user logs out of the App
5.1.4 User access
Form2 provides a SAML provider service to link to Clients own authentication system, such that no passwords are stored on Form2
Local Accounts in Form2 enforces a minimum password length of 8 characters
Form2 provides MFA authentication as additional security. This can be applied by the client to system administrators or to all users. Form2 recommend applying MFA to system administrators as a minimum.
5.1.5 Security and Back Up Policies
Form2 maintains server software and security patches – either via AWS’s automated patching updates or through regular maintenance – to reduce the risk of malware or security breaches
Form2 retains encrypted backups for 35 days. For data stored in RDS, this can be restored to a specific second. Clients can request data to be restored from the back-ups as a charged service.
If Form2 staff need to access data either via the database or the web-application in order to diagnose or resolve a technical issue, they will seek the permission of the Client before doing so.
In the unlikely event of a data breach, Form2 will inform Clients as soon as they are aware of it. Form2 will work with the Client in order to identify and address any such data breach. The GDPR defines a data breach as: “Data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”
A Web Application Vulnerability Assessment was carried out by an Independent company on the Form2 application in 2017 with no serious risks identified. All other (medium) risks associated with the application have now been addressed. Clients are welcome to carry out their own Penetration tests or vulnerability assessments on Form2 but must provide at least 4 weeks’ notice in writing.
5.1.6 Data Transfer
Form2 provides an API service that follows a RESTful approach, with JSON as the serialisation format. Access control is managed using the OAuth 2.0 Client Credentials Grant.
Form2 will never download or transfer data to another system or storage device unless asked to do so, in writing, by the Client as Data Controller.