Form Bank FAQs

What level of security is used?

Terminalfour generates a unique RSA public/private key pair. The public part of this key pair is uploaded to Form Bank. This upload can only be completed over Secure HTTP (HTTPS). The private part of the key pair remains on your server at all times. Forms and their submissions are encrypted in transit using HTTPS/TLS and encrypted at rest using AES-128-bit encryption and the generated RSA public key. This data cannot be decrypted without the private key.

See Form Bank Configuration for more information.

How do email notifications work?

You can configure who receives a notification email when a new submission is created; this includes Terminalfour Users and Groups. You can also add the email addresses of non-Terminalfour users. The mail that is sent includes the submission content and is HTML.

Does the Form Builder require the live website to interact with the Terminalfour server?

No - a connection between the web server and the Terminalfour server is not required. Please see the architecture section for further information.

How are the submissions stored?

Submissions are stored temporarily on the Form Bank servers. The Form Bank does not require direct access to the Terminalfour server. However, the Terminalfour server needs access to download the configured forms and the generated submissions. On a timed basis (via a scheduled task), the Terminalfour application will connect to the Form Bank server (using HTTPS). Once correctly authenticated, the application will download all new encrypted form data. When the encrypted form data has been downloaded, it is decrypted using the customer's unique private key and added to the Terminalfour database.

Once this download has been completed successfully, the data is deleted from the Form Bank server. When the first submissions for a form are downloaded to the Terminalfour server, a Content Type is created. The submission is then saved in the Content Type in a hidden Section or the section you have specified submissions to save to in the Form's settings. This Section can be accessed from the form listing page. Please note that submissions can then be mirrored into a Section and published as regular content.

Since downloaded submissions on Terminalfour are decrypted, other appropriate security measures should be implemented to safeguard access to submissions. Such measures include applying Edit Rights to the submission Section and the form's Content Type, encryption of the Terminalfour database, and implementing processes for processed submissions (deleting the submission or editing confidential information).

Can file upload sizes be limited on a per-upload field basis?

When selecting and configuring file input fields, you have the option to specify a max-upload size under the "Validation" tab. By default it will use the Terminalfour server's max upload size.

Can we restrict file types on a per-upload field basis?

Yes, it is possible to specify permitted file extensions under the validation options for File inputs.

Are the files scanned for malicious code/viruses upon upload?

This is dependent on the anti-virus setup on the user's PC and the Terminalfour server.

How are the files stored/accessed? Is it possible to have them easily downloaded?

Submitted files cannot be easily accessed outside of Terminalfour. They are protected using the client's license and encrypted using the private key generated when connecting to the Form Bank. Once the file is downloaded to Terminalfour, it is attached to the submission content and can be published like any other file that is part of the system.

Please see "How are submissions stored?".

Where are the Form Bank servers located?

We currently have four locations available as follows:

1. Ireland
2. North Virginia, USA 
3. Sydney, Australia
4. Central Canada

What redundancy is provided for the Form Bank servers?

The Form Bank servers comprise multiple nodes in a cluster. This will provide both the performance and resilience required for this service.

What happens if my Terminalfour server is down?

The submissions will be stored on the Form Bank server until the scheduled task on the Terminalfour server requests to download them.

The forms will still operate as they are called from the Form Bank server.

Can I use my own Form Bank server?

At the moment, you can use the SaaS Form Bank servers provided by Terminalfour. If there are sufficient requests for client-specific Form Bank servers, we will consider this in the future.

Do I need SSL on the web server?

It is recommended but not required. The form will work via a web server with http, as it will be loaded over https and submitted over https on the Form Bank server. If the site has https, then the browser will display it as being secure; this is why we recommend the site also runs over https.

Is there any spam protection on forms?

A Cross-Site Request Forgery (CSRF) token guarantees one-time form submissions to prevent spam. When the form is requested, the browser is given a token. The form can only be submitted once with the token and before the token expires.

In addition, reCAPTCHA can be added to your form.