Documentation

Data Security and Compliance

Ultimate Forms is available in two versions:

  1. On-premises version, installed directly on your SharePoint server. It is internal to your network and does not interact with external services, unless configured to do so by your administrators. You should adhere to your regular network security procedures.
  2. Microsoft 365 app version, whose components execute either directly in the browser or on the Azure App Services and Azure Functions platforms. This document deals exclusively with this version.

Data Security

  • Ultimate Forms does not store any customer data. The only information stored in our Azure SQL Server is the configuration settings for various components, which contain no customer data.
  • Customer data is accessed by various components at runtime. For example, the Alerts components will read the item properties to be able to generate an alert based on the item. All such data is encrypted in transit via TLS and cannot be accessed by third parties.
  • Authentication and authorization mechanisms are handled by Azure/Microsoft 365 using OAuth2 protocols. Whenever the app attempts to access customer data, it is granted a temporary access token by Azure, based on the presented app credentials. The app is authorized to access the tenant via a permission grant requested at install time. The tenant administrator can revoke the grant at any time.
  • Browser-based components are built upon JSLink-embedded scripts (in Classic UI) and SPFX (SharePoint Platform) web components (in Modern UI). In both cases, they run within the security context of the client and do not interact with any external services besides SharePoint.
  • Server-side components are executed by a set of Azure App Services applications running in various geographic locations. All app services are protected by the Azure Defender security suite.

EU Regulations

In accordance with the General Data Protection Regulation (GDPR) of the European Union, all customer transactions with server-side components of Ultimate Forms are automatically redirected to be handled by Azure App Services locations in Western Europe. Additionally, any timer-based processes initiated by Ultimate Forms on its own, without direct user involvement, are automatically configured to be executed by EU-based locations.

Intrusion Detection

Azure App Services provide a comprehensive system of intrusion detection and prevention that constantly monitors all traffic for patterns of suspicious activity.

Personnel and Access Monitoring

Only experienced and vetted employees are allowed access to Azure App Services being used by Ultimate Forms. All development activities are performed on separate platforms.

Monitoring

All systems are monitored by a combination of the Azure Application Insights monitoring suite and a set of custom-built uptime monitors. Any service interruption automatically raises text message alarms to our support team.

Disaster Recovery

All server-side services, including Azure App Services / Azure Functions and Azure SQL databases, are built with full redundancy. In case of catastrophic failure, traffic will be automatically re-routed to failover locations.

Incident Notification

We have the following capabilities to notify customers of security-related and general incidents:

  • In-app notifications - real-time error banners within the app itself can be triggered from within our system (high/medium severity).
  • Email notifications - all registered Ultimate Forms users can be notified via our mass-mailing system (high/medium severity).
  • Blog - incident reports can be posted as blog articles on our website (low severity).

 

Last modified: 4/27/2022 4:05 PM