Mobile Forms Security - Device Magic Data Protection Measures

Mobile Forms Security

Device Magic takes the security of your mobile forms data very seriously. Paper forms are often kept confidential or even secured in locked areas, so why not your digital data? Speed and efficiency aren’t the only reasons to use digital forms; improved security is a great reason as well. Mobile form input data should always be kept private and accessible only to those you and your organization choose. Explore our data collection app and mobile forms security measures and features below.

Data Security Measures

We encrypt data during entry, transmission, and storage. From your team’s mobile devices, through processing, and delivery to your company’s data destinations, your data is kept secure. We even have minimum complexity requirements for passwords.

Data Transmission Encryption (In-Transit Data Security)

Data collection and transmission are critical to the usefulness of a mobile forms solution, and that form data needs to be transmitted on a secure path to its destination. All Device Magic form data transmissions are performed over HTTPS / TLS, including images and all other data. Our transmission protocols receive an ‘A’ or better rating in the Qualys SSL Labs tests on all our endpoints. This ensures that all data is securely sent from the device to your selected Data Destinations.

Data Storage Encryption and Protection

While Device Magic form data is at rest (stored as files and in databases), it is encrypted and securely stored with Amazon Web Services on the East Coast of the United States. These secure servers are deployed across multiple availability zones, so we are resilient against any single data center failure. They are also kept up-to-date and are regularly patched for vulnerabilities. Access to the servers and any corresponding form data is limited to key employees.

We also integrate with Secure File Transfer Protocol (SFTP) to allow you to securely transfer data to your own servers.
Learn more about our SFTP Integration

All data stores are backed up at least once daily, and backups are stored for a minimum of 30 days.

Mobile Security: On-Device Storage

Our mobile application encrypts stored data, including form submission data and reference data, when the underlying platform supports it. All communication from our app to our servers is encrypted with HTTPS / TLS (beware that older versions of Android do not support TLS 1.1+). Submission delivery from the app to the servers is done in multiple steps (to support intermittent or slow connectivity), with each step including integrity checking and retries of uploaded data.

To retain data on devices after form completion, administrators can configure data retention periods after successful submissions. This can also be set up to include captured images in albums or galleries. When devices are removed from your organization, the Device Magic app will erase this and other stored data related to your organization.

Payment Information Security

Company and contact information is stored securely for Device Magic customers. The Device Magic website and all sub-domains are secured with SSL Certificates. All payment information is submitted over a secure 128-bit SSL connection and is processed and stored by our partner, Recurly.

See how the International Committee of the Red Cross uses Device Magic to securely collect data from the field.

Internal Security

For many companies, confidentiality and internal security are important as well. Some business information is on a need-to-know basis. Device Magic’s mobile forms solution includes the following measures to help you keep your data safe internally.

User Roles and Permissions

You can also control who in your organization can see certain things within the account. Your Device Magic account allows you to set up Users, or User Groups, with different permissions. This allows you to control which users have access to which forms and which data. Using these options, you can ensure that only the proper individuals see certain confidential information.
Learn more about User Roles and Permissions

Two Factor Authentication Security

Device Magic gives administrators the option of using two factor user authentication. With this option enabled, administrators and users will be required to log in and input an OTP code sent via SMS or Google Authenticator. Only once the correct code is input will the user be able to log in. This ensures that the identity of the user is verified before any data is displayed or accessible.
Learn more about our Two Factor Authentication

Audit Logs

Device Magic uses audit logs to track activity in your organization’s account. Our mobile forms software Enterprise Plans come with audit logs, which allow you to view and keep track of all actions within your account. This way, you can see which users and which devices have made changes, and submitted or accessed data.
Learn more about Audit Logs

Single Sign On

Also available in our Enterprise Plans, Single Sign On allows your users to log into Device Magic using your organization’s login credentials. Simply and securely tie Device Magic in with your organization’s platform, and allow users to access Device Magic using the same single point of entry as your other programs.

Device Magic Internal Personnel Security

Device Magic also strictly regulates our employees and who has access to customer data. Our employees receive background checks, including employment verification and criminal checks. All employees sign a confidentiality agreement in order to protect customer data, and administrator access is limited only to team members who require such access to perform their jobs. Two factor authentication is mandatory for all Device Magic employees.


Security FAQ

Is my data submitted and stored securely?
This is a complicated question and depends on many factors. Please explore the FAQ topics in this section and if you have additional questions, visit our Help Center.

How is form data submitted from my device?
All form data transmission is performed over HTTPS, including images and other data.

Where are Device Magic's servers located and are they secure?
Currently Device Magic hosts our forms processing and delivery infrastructure on Amazon Web Services on the US east coast. They are kept in a secure environment with an up-to-date technology stack that is regularly patched for any vulnerabilities. Access to our servers and corresponding data is limited to key employees.

Is my data secure during delivery to Box, Dropbox, Google Drive, and other Device Magic Destinations?
This depends on the Destinations and how they are configured. The following are secure by default:

  • Google Drive
  • Dropbox
  • Box
  • S3

The following can be configured securely (but you should consult with us to ensure the configuration is correct):

  • Email with custom SMTP over TLS
  • HTTP Connector

The following are not considered secure:

  • Text message
  • Email

Can I bypass devicemagic.com entirely for my form data submission?
Yes, you can configure forms to be delivered in "bypass mode". This is done on a per-form basis by your account admin and is available on our Advanced and Enterprise plans.

Is Device Magic HIPAA-compliant?
We can be configured to be HIPAA-compliant. By default every new form created will have its data stored on devicemagic.com and emailed to you in clear text, which is not HIPAA-compliant. Please contact our sales and support team for guidance on deploying Device Magic in a medical environment.
