Security

Doculicious provides a powerful way to collect and manage a wide variety of data based on any type of business form. We have implemented many security features to ensure that this data is securely transmitted and stored. Below is an outline of the features we have enabled, some of which you must choose to use when implementing your forms, and others which we enforce and will automatically occur.

Secure, encrypted communication using 128 Bit SSL

Doculicious provides secure communications between client browsers and our servers using the industry-standard SSL protocol. We enforce SSL on many parts of the site, including account creation and login, changing passwords, and viewing your stored entries or downloading them as PDF files. Our developer API also forces the use of SSL, disallowing any connection that does not use it. This ensures that access to your data and account is always conducted in a safe and secure manner.

We also give account holders the choice to secure their form submissions and PDF downloads using SSL. This is an implementation choice that you must make, taking into account your knowledge of the data your form is collecting and its sensitivity. To implement SSL on your forms, you only need to change the URL that calls your form so that it begins with HTTPS instead of HTTP. For example, the form used on one of our Working Example pages is embedded on a webpage with the following code:

<iframe scrolling="no" height="480" frameborder="0" allowtransparency="true" style="border: medium none; width: 540px;"
src="http://www.doculicious.com/do/doc?dbt=7b12cd4d960e33c4-7cd6a6d29b5dae36&m=edit"></iframe>

To change this to use SSL, we only need to change the src attribute so that it begins with HTTPS:

src="https://www.doculicious.com/do/doc?dbt=7b12cd4d960e33c4-7cd6a6d29b5dae36&m=edit"

All submissions to this form would then be securely transmitted when the form is submitted, and the PDF download would also be secure.
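The following is an added example, not Doculicious code: a small Python audit that finds iframe embeds still loading a form over HTTP and switches only those tags to HTTPS. The function names and the sample page are constructed for illustration; the domain and form URL are the ones shown above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

BASE_DOMAIN = "doculicious.com"  # domain taken from the embed code on this page


class EmbedAuditor(HTMLParser):
    """Record iframe tags that load a Doculicious form over plain HTTP."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (raw tag text, http:// prefix, https:// prefix)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        src = (dict(attrs).get("src") or "").strip()
        try:
            parts = urlsplit(src)
        except ValueError:  # malformed URL, nothing to upgrade
            return
        host = (parts.hostname or "").lower()
        on_domain = host == BASE_DOMAIN or host.endswith("." + BASE_DOMAIN)
        # Skip URLs carrying an explicit port or credentials in the netloc.
        if parts.scheme == "http" and on_domain and parts.netloc.lower() == host:
            insecure = src[: len("http://") + len(parts.netloc)]
            self.findings.append(
                (self.get_starttag_text(), insecure, "https://" + parts.netloc))


def find_insecure_embeds(html):
    """Return one finding per iframe whose src is an http:// form URL."""
    auditor = EmbedAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def upgrade_embeds(html):
    """Return html with only the flagged iframe tags switched to https://."""
    for raw_tag, insecure, secure in find_insecure_embeds(html):
        html = html.replace(raw_tag, raw_tag.replace(insecure, secure, 1))
    return html


# Constructed sample page: an unrelated link, one HTTP embed, one HTTPS embed.
SAMPLE = """<p><a href="http://www.doculicious.com/">Doculicious</a></p>
<iframe scrolling="no" height="480"
src="http://www.doculicious.com/do/doc?dbt=7b12cd4d960e33c4-7cd6a6d29b5dae36&m=edit"></iframe>
<iframe src="https://www.doculicious.com/do/doc?dbt=7b12cd4d960e33c4-7cd6a6d29b5dae36&m=edit"></iframe>
"""
```

Running `find_insecure_embeds` over your site's templates before and after the change confirms that no form embed is left on HTTP.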

PDF downloads

If you enable the "Download PDF" option so that the user who fills in the form can download the completed PDF, the PDF will be accessible for 90 minutes so that the user can download it. Please note, though, that the URL it is accessible from is public. However, it is unique, is shown only to the user who filled in the form, and is constructed to be extremely difficult to guess. After 90 minutes, the PDF is deleted from our servers and can then only be downloaded through your account, using the secure entries page or via the API. If you have enabled SSL for the form, the PDF download URL given to the user will be transmitted using SSL.

If you are collecting very sensitive data in your PDF forms and want more security when providing the PDF to your user, please consider using the Doculicious API to provide the PDF. The API allows you to securely access the completed PDF file after form submission and then stream it to your own server over SSL, so that you can provide it to the client directly, without Doculicious needing to save it to our servers and create a public URL. You could also use the API to save the file to an account your client may already have set up on your own website.

Email Notifications

Emails sent from Doculicious are not encrypted. If you are using the PDF or CSV attachment functionality to have notifications also send you the completed entry, please be aware that this should not be considered secure. If data sensitivity is an issue, you should consider using the API to securely access your entries and their PDF files, perhaps by using the notification email as a trigger to tell your system when to download new entries.

Internal data and server security

Doculicious uses a world-class hosting partner to provide our online services. Database access is permitted only to a limited number of Doculicious employees. All data is backed up on a daily basis to a separate secure server. Monthly snapshots are kept in a secure, offsite facility which is accessible only to Doculicious database administrators. Our servers are accessible only to Doculicious server admins and our hosting provider's administrators. All sensitive software and services on our servers are password protected and accessible only by the relevant Doculicious employees. We follow best practices when it comes to code security, follow up and resolve any issues as quickly as possible after they arise, and keep up to date with the latest security threats so that we can proactively secure our services before issues arise.

Please note that even though we back up the Doculicious databases on a regular basis, we cannot offer individual restoration of account data that you may have deleted by accident. That is, if you delete the data from your account, it is gone. The API allows you to extract all entries made to your forms in multiple text-based formats, and we strongly suggest that you use this functionality to back up any business-critical data in your account.