Protecting your data is a top priority at Formcentric. We address each and every aspect of information security, data protection and availability, so you are free to concentrate fully on your company business.
At Formcentric, rock-solid protection for sensitive data has always been part of our DNA. We have developed Formcentric in line with the toughest security and data protection standards, so as to offer a secure environment for your digital processes. Your data is processed and stored exclusively in certified data centres within Germany, and with hosting partners who provide the highest levels of availability together with 24/7 system monitoring.
Formcentric has also been designed to be GDPR-compliant from the outset and processes all personal data in line with European data protection legislation. Multiple security mechanisms and a sophisticated information security management system ensure that your data is protected at all times. Failover protection is guaranteed, as is our immediate response to a security incident.
The General Data Protection Regulation (GDPR) is a key piece of EU legislation for protecting personal data. The GDPR defines clear rules for the processing, storage and transfer of personal data, with the aim of protecting the privacy and the rights of data subjects. With the adoption of the GDPR, the EU has established a legal framework that requires businesses to comply with stringent standards for security and transparency.
Formcentric comes with the GDPR already ‘built in’. This means that all data is exclusively processed and stored within the EU, and commissioned data processing (CDP) contracts have already been agreed. We also help your business comply with data protection legislation – when users ask for information about their stored data, for example, or submit data rectification or erasure requests.
As you are working with a solution that has been designed from the ground up with data protection in mind, you will have no difficulty meeting the strict requirements set by European regulators. This not only gives you legal peace of mind but also builds trust with your users.
Formcentric is committed to meeting the strict data protection and security standards established by the GDPR. To ensure that we can continue to do so, our processes are subjected to regular audits by several external organisations. Working closely with our external Data Protection Officer, we conduct monthly checks of all relevant aspects, so as to keep our data protection strategy in line with the latest requirements.
Our information security measures have also been comprehensively assessed by independent auditors as part of our ISO 27001 certification and German BSI C5 attestation. This multi-pronged approach guarantees that our data protection and information security systems not only meet legal requirements but are consistently maintained at the very highest level.
ISO 27001 is the internationally recognised standard for an Information Security Management System (ISMS). The standard defines requirements for the systems that organisations use to protect their information and a structured approach to minimising security risks.
By achieving certification to ISO 27001, a company demonstrates that it has deployed an effective information security management system and operates well-established processes to protect sensitive data. Compliance with this standard means that security-relevant workflows are organised in accordance with clearly defined procedures. Vulnerabilities are also identified and handled systematically, and data is appropriately protected from unauthorised access and downtime.
As a customer, you can take confidence in our security processes from our ISO 27001 certification. You can be sure that your data is being processed within an infrastructure that is regularly inspected and validated by an independent body – in our case, the certification services provider TÜV Nord.
Our systematic approach to minimising security and compliance risks ensures that you can meet the requirements of regulators, business partners and clients alike at all times. At the same time, you benefit from clearly defined and auditable processes, which not only offer legal certainty but also create transparency throughout all security-relevant workflows.
ISO 27001 also requires companies to conduct internal controls, operate a continuous improvement process and commit to active participation from company management. This ensures that information security is part of overall strategy and is oriented towards dealing with current risks.
Since 2022, Formcentric has been audited annually by TÜV Nord. The most recent audit was completed in May 2025, as part of our transition to the latest ISO 27001:2022 standard.
In a world of increasing digital uncertainty, we focus on maximum transparency and control. With Formcentric, you retain full sovereignty over your sensitive company data – from collection to storage.
C5 (Cloud Computing Compliance Criteria Catalogue) is a standard developed by the German Federal Office for Information Security (BSI) that addresses information security for cloud services. The standard defines strict requirements for cloud service providers in relation to security, transparency and compliance, and helps businesses secure their data and processes in the cloud to a state-of-the-art level. A particular feature of C5 compliance is that it permits the processing of data requiring extra protection, such as health data, because cloud services must demonstrably fulfil the security precautions that this kind of data needs.
The C5 standard offers you a decisive range of benefits, not only creating confidence with comprehensively audited security measures but also reducing risks in the handling of sensitive data, and simplifying compliance with demanding legal requirements and codes of practice.
You enjoy a greater level of transparency plus legal certainty for cloud usage, and a solid foundation for your audit and compliance paperwork. The standard also guarantees legally compliant processing and storage for information that requires extra protection – such as personal health data – in the cloud.
Since 2025, Formcentric has been audited annually by the Signos auditing services company. The first audit was conducted in July 2025 as part of a Type 1 adequacy audit. An in-depth Type 2 effectiveness audit is planned for the first quarter of 2026.
Aimed at strengthening digital resilience in the finance sector, the Digital Operational Resilience Act (DORA) is a piece of EU legislation that sets out uniform requirements for IT security, risk management and the handling of third-party ICT service providers. This gives financial companies better protection against cyberattacks, system outages and disruptions to business. DORA requires affected organisations to put comprehensive safeguards in place for their digital processes, so that operations can be maintained even under adverse conditions, and to comply with regulatory reporting duties.
Formcentric provides you with support to ensure the efficient implementation of DORA’s key requirements. Our platform is based on established security and risk management processes, which we document in full for your organisation. Simply contact us for a structured set of records and information that you can use to meet specific requirements in your DORA audits, internal assessments and regulatory reports.
In this way, we give you a solid foundation for strengthening your digital resilience while meeting the EU’s legal requirements in full.
The Formcentric team closely monitors recognised public vulnerability databases to ensure that our cloud services are able to maintain the highest levels of security at all times. These include the US National Vulnerability Database (NVD), the GitHub Advisory Database (Advisory DB) and advisories from the German Federal Office for Information Security (BSI).
We cross-check the vulnerabilities reported by these resources to identify relevant items for our own systems as well as components that our customers operate in their own infrastructure. We use a systematic approach to evaluation based on the Common Vulnerability Scoring System (CVSS), which accurately estimates the severity and urgency of a particular vulnerability.
This gives us an excellent starting point for deciding which security measures – such as patches or updates – are needed, and whether these should be implemented by Formcentric itself or by our customers.
BSI
US National Vulnerability Database (NVD)
GitHub Advisory Database (Advisory DB)
Discover how Formcentric meets the requirements of ISO 27001 and the C5 standard – and what this means for the security and protection of your business data. Download our customer factsheet today for a quick guide to all the relevant details.