Quik! App Security Model
The Quik! App functions via a series of APIs (Application Programming Interface) that Quik! has been developing for several years. In order to view a Quik! form, it must first be launched by the Quik! App. Quik! technology, at its core, is like the engine of a car: it takes in fuel and creates power, or in Quik!’s terms, it takes in data and outputs a form for the user to see. Due to the way we publish forms, the user will always see the latest form version available in the Quik! form database.
Process flow
See the diagram below for an overview of the common workflow users follow when launching forms in the Quik! App.
Description of steps
- USER SELECTS FORMS: All users have access to a certain subset of the Quik! Forms library. Once logged in, the first step is to select which forms they need by adding them to their cart.
- USER ADDS CLIENT INFO & SETTINGS: If users have added a CRM connection to their Quik! account, they will select the connection and assign clients for prefill. This is an optional step.
- USER LAUNCHES FORMS: After configuring any additional settings, users click LAUNCH to generate the forms in their web browser.
- QUIK! FORM ENGINE/CRM DATABASE: The Quik! App then calls the Quik! Form Engine to retrieve the blank form templates from the Quik! database. A call is also made to the connected CRM database to pull any selected client data, which is then applied to the form.
- USER FILLS OUT FORM: The forms open, populated with client data, in a new browser tab called the Quik! Form Viewer. Users can then continue to fill out any remaining information.
- PRINT/SAVE/SIGN: When filling out a form, users have 3 options to move the form to the next step:
  - PRINT: Users can click the Print button to download a PDF of the forms for printing or saving to their computer.
  - SAVE: Users can click the Save button to save the form (in its current state) to their Quik! account, then re-launch it at a later time.
  - SIGN: If a connection has been made to an e-signature service, users can click the SIGN button to send the form to signers for their e-signatures.
Login Security
All Quik! App users log in at the same URL in their web browser: https://quikformsapp.com/login
Every user must enter a unique username and password in order to log in. Usernames and passwords can be reset only by the users themselves or by their account Admins. A password reset requires that the user has access to the inbox of their associated email address, because the reset link is delivered by email. Passwords are never displayed to users or to account Admins. In the Quik! database, user passwords are hashed, and thus are not visible to Quik! system administrators either.
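The paragraph above says passwords are stored hashed and never shown to anyone. The following is an added example, not Quik!'s code (the page does not say which hash or work factor Quik! uses), of what that property looks like in practice: the server stores a salted, iterated hash and can only check a password by recomputing it. PBKDF2 over HMAC-SHA256 is written out here so the block needs only the Go standard library; the iteration count `hashIters` and the record format are assumptions, and a production system would use a vetted argon2id or bcrypt implementation instead.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strconv"
	"strings"
)

// pbkdf2HMACSHA256 is PBKDF2 (RFC 8018) over HMAC-SHA256, written out so the
// example needs only the standard library. Assumption: a production system would
// use a dedicated password hash (argon2id or bcrypt) from a vetted library.
func pbkdf2HMACSHA256(password, salt []byte, iters, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	var dk []byte
	var blockIndex [4]byte
	for block := 1; len(dk) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(blockIndex[:], uint32(block))
		prf.Write(blockIndex[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iters; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := 0; j < hashLen; j++ {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

// hashIters is a hypothetical work factor; tune it so one hash costs ~100 ms on the server.
const hashIters = 100000

// HashPassword returns a self-describing record "pbkdf2-sha256$iters$salt$hash".
// Only this record is stored; the password itself never is, which is why no
// administrator can display it.
func HashPassword(password string) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := pbkdf2HMACSHA256([]byte(password), salt, hashIters, 32)
	enc := base64.RawStdEncoding.EncodeToString
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", hashIters, enc(salt), enc(dk)), nil
}

// VerifyPassword recomputes the hash from the stored record's salt and iteration
// count and compares in constant time, so a wrong guess leaks nothing via timing.
func VerifyPassword(record, password string) bool {
	parts := strings.Split(record, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false
	}
	iters, err := strconv.Atoi(parts[1])
	if err != nil || iters < 1 {
		return false
	}
	salt, err := base64.RawStdEncoding.DecodeString(parts[2])
	if err != nil {
		return false
	}
	want, err := base64.RawStdEncoding.DecodeString(parts[3])
	if err != nil || len(want) == 0 {
		return false
	}
	got := pbkdf2HMACSHA256([]byte(password), salt, iters, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1
}

func main() {
	// Constructed sample credential.
	rec, err := HashPassword("correct horse battery staple")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored record: ", rec)
	fmt.Println("right password:", VerifyPassword(rec, "correct horse battery staple"))
	fmt.Println("wrong password:", VerifyPassword(rec, "hunter2"))
}
```

Two details carry the security weight: the random per-user salt means two users with the same password get different records, and the constant-time comparison means a failed check takes the same time whether the first byte or the last byte differed.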
Multi-Factor Authentication - See: /wiki/spaces/SUP/pages/1957986313
Quik! App offers users the option of using Multi-Factor Authentication (MFA) for their account, and requires its use for certain integrations to work (e.g. Fidelity Wealthscape). Quik! supports MFA with the Google Authenticator and Microsoft Authenticator apps, which supply a one-time code at login to confirm that the person logging in is the expected user.
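Google Authenticator and Microsoft Authenticator both implement TOTP (RFC 6238), so the server side of the check above is a small, well-specified routine. The following is an added example, not Quik!'s code, of that routine: it derives the expected six-digit code from the shared secret and the current 30-second time step and accepts a submitted code only within a one-step drift window. The enrollment secret used in `main` is the RFC 6238 reference key, a constructed test value, not a real credential.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

const totpStep = 30 // seconds per code, the authenticator-app default

// hotp computes an RFC 4226 one-time code: HMAC-SHA1 over the 8-byte counter,
// dynamic truncation to 31 bits, then the low six decimal digits.
func hotp(secret []byte, counter uint64) string {
	mac := hmac.New(sha1.New, secret)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// TOTPAt is the RFC 6238 code for a Unix time (what the user's app displays).
func TOTPAt(secret []byte, unix int64) string {
	return hotp(secret, uint64(unix/totpStep))
}

// VerifyTOTP accepts the code for the current 30-second step or one step on
// either side to tolerate clock drift, comparing in constant time. A wider
// window only multiplies a guesser's odds, so keep it this tight and
// rate-limit attempts server-side.
func VerifyTOTP(secret []byte, code string, now time.Time) bool {
	step := now.Unix() / totpStep
	ok := 0
	for _, s := range []int64{step - 1, step, step + 1} {
		want := hotp(secret, uint64(s))
		ok |= subtle.ConstantTimeCompare([]byte(want), []byte(code))
	}
	return ok == 1
}

// DecodeEnrollmentSecret parses the base32 secret an authenticator app reads
// from the enrollment QR code (unpadded, case-insensitive, spaces ignored).
func DecodeEnrollmentSecret(s string) ([]byte, error) {
	s = strings.ToUpper(strings.ReplaceAll(s, " ", ""))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

func main() {
	// Constructed enrollment secret: the RFC 6238 reference key "12345678901234567890".
	secret, err := DecodeEnrollmentSecret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
	if err != nil {
		panic(err)
	}
	fmt.Println("code for t=59:  ", TOTPAt(secret, 59)) // 287082, the RFC 6238 vector
	now := time.Now()
	fmt.Println("current code ok:", VerifyTOTP(secret, TOTPAt(secret, now.Unix()), now))
	fmt.Println("stale code ok:  ", VerifyTOTP(secret, TOTPAt(secret, 59), now))
}
```

The secret is the only thing that makes the code hard to guess, so it must be stored with the same care as a password hash's salt and key material, and each code should be accepted at most once per time step.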
Integrations Security
The Quik! App integrates with several third party service providers in order to enable users to leverage enhanced functionality. These service providers include CRM (Customer Relationship Management) companies (e.g. Redtail CRM) and e-signature service providers (e.g. DocuSign). For integrations, Quik! aims to NOT store any data that the user maintains on the integrated service provider's platform (the exception is encrypted credentials for service providers that offer no other authentication method). Form data is only requested and displayed temporarily while users prepare a form at runtime, and it is not stored in Quik! unless a user saves their form to continue working on it.
To add a connection to any third party service provider, users must enter their account credentials into the proper configuration page in their Settings menu. In most cases, once a valid connection has been made, Quik! creates an OAuth token with the service provider that is referenced in the future for authentication, and Quik! will not store the user's service provider credentials. In cases where OAuth tokens are not created, Quik! stores the user's service provider credentials as encrypted values in the Quik! database.
Each third party service provider is responsible for their own security protocols, and Quik! recommends performing due diligence on each vendor before choosing one. The service providers that Quik! works with are well-established companies with a proven track record of strong security.
Quik! Form Engine API Security
When launching forms with the Quik! App, the data provided to the Quik! Forms Engine API is sent to the Quik! web server with the following security protocols:
- 256-bit SSL encryption (standard encryption used for internet traffic)
- Data received on the Quik! server is loaded into the Quik! Forms Engine software residing on the Quik! server and used to create a form that is returned directly to the Quik! App.
- The Quik! server:
  - Does NOT store, write to disk or archive the form or related data in any way – the generated form that includes any data to prefill onto the form is held in random access memory (RAM) for the duration of the request only and is immediately released after the form is returned to the calling application.
  - Does NOT interpret, access or read the data for any logical operations – the data is simply placed into the form as requested.
  - Does NOT enable any person, including potential hackers, to view, access or retrieve data on forms in any manner through the Quik! server.
Print/Save/Sign Security
The Quik! Form Viewer is launched in the user's web browser. By virtue of how web browsers work, the entire HTML output from the Quik! Forms Engine is downloaded by the web browser to the end-user's machine in order to be displayed. This means that the user's device holds the HTML, inclusive of any prefilled data, locally on that device's drive; the HTML does not exist outside the user's browser. How the user configures their web browser and secures their device determines how secure their data is.
Note: Data on a form is not at the same level of risk as an entire database or organized records. Even if a user's device is compromised, the form data is not managed or organized in a way that is meaningful or valuable to a hacker, nor are there more than a few records at any given time, based on how many forms the user has in their browser cache.
Finally, a user can choose to PRINT, SAVE, and/or SIGN the form depending on their use cases and account integrations. Each of these three options moves the data along a different path.
Printing a form will send the form data to the Quik! server for the sole purpose of creating a PDF that is returned to the user. When the print routine is run, the data is sent securely to Quik! and immediately turned into a PDF that is returned as a response.
The form data sent to the print service is sent with the following security protocols:
- 256-bit SSL encryption (standard encryption used for internet traffic)
- Data received on the Quik! server is converted into a PDF form that is returned directly to the client application.
- The Quik! server:
  - Does NOT store, write to disk or archive the PDF or related data in any way – the PDF that includes any form data is held in random access memory (RAM) for the duration of the request only and is immediately released after the PDF is returned to the user's browser.
  - Does NOT interpret, access or read the data for any logical operations – the data is simply placed into the form as requested.
  - Does NOT enable any person, including potential hackers, to view, access or retrieve data on forms in any manner through the Quik! server.
SAVE
When a user chooses to save a form, the form and its contents are stored on the Quik! server. This is the only point at which Quik! stores any client data (whether read in from a CRM or manually entered by the user). To secure this data, Quik! individually encrypts every single field on the form. Breaching our system and accessing data would require not only passing through many layers of system architecture (e.g. firewalls, private networks, etc.) but then separately breaking the encryption of every single field on a form, simply to view an unfinished form whose data is of unknown state and validity, since Quik! form data is not associated with any actual transaction. Quik! has taken these extra steps to obfuscate and encrypt form data to ensure the safety and security of client data stored in this step of the user workflow.
Additionally, any form data saved to Quik! has a finite lifespan of a maximum of 180 days and then it is purged from our systems.
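The SAVE section says every field is encrypted individually and purged after at most 180 days, and the Integrations section says service-provider credentials that cannot be replaced by an OAuth token are stored as encrypted values. The following is an added example, not Quik!'s code (the page does not say which cipher, key management or schema Quik! uses), of one way to implement both: each value is sealed separately with AES-256-GCM under a service key, the form id and field name are bound into the ciphertext as additional authenticated data so a ciphertext cannot be moved to another field or form, and a purge routine drops saved forms older than the retention period. The key, the form ids and the field values are all constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// RetentionPeriod is the maximum lifespan the page gives for saved form data.
const RetentionPeriod = 180 * 24 * time.Hour

// SavedForm holds one saved form. Every field value is its own AES-256-GCM
// blob (nonce || ciphertext || tag); plaintext is never written.
type SavedForm struct {
	FormID  string
	SavedAt time.Time
	Fields  map[string][]byte
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// context is the additional authenticated data: it ties a ciphertext to one
// field of one form without being secret itself.
func context(formID, field string) []byte { return []byte(formID + "\x00" + field) }

// EncryptField seals a single value with a fresh random nonce. The same
// routine serves for stored service-provider credentials.
func EncryptField(key []byte, formID, field string, value []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, value, context(formID, field)), nil
}

// DecryptField reverses EncryptField. Tampering with the blob, or presenting
// it under another form id or field name, makes Open fail authentication.
func DecryptField(key []byte, formID, field string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, context(formID, field))
}

// SaveForm encrypts each field independently, so reading one field's value
// never exposes another's.
func SaveForm(key []byte, formID string, plain map[string]string, now time.Time) (*SavedForm, error) {
	sf := &SavedForm{FormID: formID, SavedAt: now, Fields: map[string][]byte{}}
	for name, v := range plain {
		ct, err := EncryptField(key, formID, name, []byte(v))
		if err != nil {
			return nil, err
		}
		sf.Fields[name] = ct
	}
	return sf, nil
}

// Expired reports whether a saved form has reached the retention limit.
func Expired(sf *SavedForm, now time.Time) bool {
	return !now.Before(sf.SavedAt.Add(RetentionPeriod))
}

// Purge drops expired forms and returns the survivors.
func Purge(forms []*SavedForm, now time.Time) []*SavedForm {
	kept := forms[:0]
	for _, f := range forms {
		if !Expired(f, now) {
			kept = append(kept, f)
		}
	}
	return kept
}

func main() {
	key := make([]byte, 32) // hypothetical service key; in practice it comes from a KMS or HSM
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	now := time.Date(2022, 3, 24, 12, 0, 0, 0, time.UTC)
	// Constructed sample form data.
	sf, err := SaveForm(key, "form-123", map[string]string{"client_name": "A. Client", "account_no": "000-111"}, now)
	if err != nil {
		panic(err)
	}
	v, err := DecryptField(key, sf.FormID, "client_name", sf.Fields["client_name"])
	fmt.Println("client_name:", string(v), err)
	_, err = DecryptField(key, sf.FormID, "account_no", sf.Fields["client_name"])
	fmt.Println("ciphertext moved to another field:", err)
	fmt.Println("expired after 181 days:", Expired(sf, now.Add(181*24*time.Hour)))
}
```

Per-field encryption only helps if the key lives somewhere other than the database that holds the ciphertexts; with the key in a separate key-management service, a dump of the saved-forms table yields nothing readable, which is the property the SAVE section is claiming.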
SIGN
Using E-Sign Vendors
Clicking the SIGN button in the Quik! Form Viewer opens the e-sign pop-up. Here, users enter the names and emails of every individual they wish to sign the form. In this window, users also have the option of requiring an additional authentication method for every signer, including LexisNexis ID Check and SMS two-factor authentication, as provided by the selected e-signature service provider. When users click 'Send', the sign routine runs: form data is sent securely to Quik! and immediately turned into a PDF that is used in the signature process. The form data sent to the sign service is sent with the following security protocols:
- 256-bit SSL encryption (standard encryption used for internet traffic)
- Data received on the Quik! server is converted into a PDF form that is loaded directly into the e-signature provider's system.
- The Quik! server:
  - Does NOT store, write to disk or archive the PDF or related data in any way – the PDF that includes any form data is held in random access memory (RAM) for the duration of the request only and is immediately released after the PDF has been handed to the e-signature provider.
  - Does NOT interpret, access or read the data for any logical operations – the data is simply placed into the form as requested.
  - Does NOT enable any person, including potential hackers, to view, access or retrieve data on forms in any manner through the Quik! server.
It is then up to the user to log into their e-signature service provider's account to track the e-signing ceremony and download the signed documents. Note that Quik! does NOT allow signers to edit any information on the e-signature service provider's platform; the form must be completely filled out (except for the signature fields) prior to sending to signers to be e-signed.
Using Native E-Sign
Users who choose the included Native E-Sign feature should be aware of the following:
- Native E-Sign is an electronic signature only, not a digital signature, since the signature itself is not encrypted or secured by any kind of certificate or public-key infrastructure.
- Native E-Signatures are stored in Quik! to ensure the signatures render on forms as signed by the user. Signatures are stored encrypted and without any data that identifies the signer.
- Native E-Sign data is only stored for up to 180 days.
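The first bullet draws the distinction between an electronic signature (a stored image of the signer's strokes) and a digital signature (a cryptographic binding between a key and the document). The following is an added example, not Quik!'s code, that makes the difference concrete: the electronic check can only confirm an image is attached and still passes after the form is altered, whereas an Ed25519 digital signature over the form's digest fails as soon as a single byte of the form or the signing key changes. The form bytes and the signature image are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// NativeSignature models the electronic signature described above: an image of
// the signer's strokes attached to the form. Nothing in it depends on the form's
// contents or on a key held by the signer.
type NativeSignature struct {
	Image []byte // constructed stand-in for the stored signature drawing
}

// ElectronicCheck is all one can do with an image-only signature: confirm that
// something is attached. It cannot notice that the form changed underneath it.
func ElectronicCheck(sig NativeSignature, form []byte) bool {
	return len(sig.Image) > 0
}

// DigitalSignature binds a signer's private key to a digest of the exact form
// bytes; verification fails if either the form or the key is different.
type DigitalSignature struct {
	Signer ed25519.PublicKey
	Sig    []byte
}

// SignForm hashes the form and signs the digest with the signer's private key.
func SignForm(priv ed25519.PrivateKey, form []byte) DigitalSignature {
	digest := sha256.Sum256(form)
	return DigitalSignature{
		Signer: priv.Public().(ed25519.PublicKey),
		Sig:    ed25519.Sign(priv, digest[:]),
	}
}

// VerifyForm recomputes the digest of the presented form and checks the
// signature against the public key recorded with it.
func VerifyForm(ds DigitalSignature, form []byte) bool {
	digest := sha256.Sum256(form)
	return ed25519.Verify(ds.Signer, digest[:], ds.Sig)
}

func main() {
	form := []byte("constructed form: client=A. Client amount=1000")
	altered := bytes.Replace(form, []byte("1000"), []byte("9000"), 1)

	native := NativeSignature{Image: []byte("<signature strokes>")}
	fmt.Println("electronic, original form:", ElectronicCheck(native, form))
	fmt.Println("electronic, altered form: ", ElectronicCheck(native, altered)) // still true

	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	ds := SignForm(priv, form)
	fmt.Println("digital, original form:   ", VerifyForm(ds, form))
	fmt.Println("digital, altered form:    ", VerifyForm(ds, altered)) // false
}
```

What a certificate adds on top of this is the link from the public key to a named person; without it, a digital signature proves the form is unchanged since signing but not who held the key, which is why the page treats Native E-Sign as suitable only where that stronger assurance is not required.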
Questions or Concerns?
If you have any questions about the security around the Quik! Forms App, please contact our support team (support@quikforms.com) to be put in touch with the best person to answer your questions.
Revision History
6/16/21 - Richard Walker
3/24/22 - Jeff Hunt
For help regarding Quik! Forms and the Quik! API
Email: support@quikforms.com | Phone: (877) 456-QUIK