Welcome to the FormAssembly Trust Center Portal
This is your go-to place for everything related to security, privacy, and compliance on our platform. We know that trust matters, especially when you're handling sensitive data. That’s why we built this space to give you a clear look at how we manage and protect your information.
Here, you’ll find detailed resources like our security certifications, compliance documents, data protection policies, third-party audit reports, incident response steps, and more. It's meant to keep you informed and give you peace of mind.
Please note: Some of our policies and documents are only available to prospective and current Team, Enterprise, or Government Cloud customers. If that applies to you and you need access, please reach out to your assigned Customer Success Manager or contact our Support Team.
Documents
- Describe the encryption method used for data in-transit.
- Does your organization have a Password Policy?
- Describe the process for breach notifications.
- Has your organization completed a CAIQ questionnaire?
- Type of legal entity and state of incorporation
FormAssembly Not Affected by React2Shell (CVE-2025-55182)
We are aware of the recently reported vulnerabilities in React and Next.js (CVE-2025-55182), also known as React2Shell.
After reviewing our production environments and dependency inventory, we can confirm that none of our applications or infrastructure use the affected versions of React, Next.js, or related packages. We have not found any signs of vulnerability, exploitation, or exposure tied to this issue.
We will continue to monitor security advisories and follow current best practices to keep our systems safe.
If you have any questions or concerns, feel free to contact our security team at security@formassembly.com.
NPM Supply Chain Attack
FormAssembly is aware of the recent supply chain attacks involving multiple NPM packages. After conducting a thorough internal review, we can confirm that FormAssembly is not affected by any of the compromised NPM packages identified in these reports. We will continue to monitor for new developments and take all necessary steps to ensure the security and integrity of our systems.
Salesloft Drift Supply Chain Incident
We are aware of the recent security breach involving Salesloft’s Drift OAuth integration flow with Salesforce, which impacted several companies through compromised authentication tokens.
FormAssembly is not impacted by this incident.
We do not use Salesloft Drift or integrate with any Drift-based services. Our systems remain secure, and no customer data has been exposed as a result of this breach.
We continue to monitor the situation and will notify our customers if anything changes. If you have questions, our team is here to help.
FormAssembly Not Affected by Recent SharePoint Vulnerabilities (CVE-2025-53770 & CVE-2025-53771)
We are aware of the recently disclosed vulnerabilities affecting Microsoft SharePoint (CVE-2025-53770 and CVE-2025-53771). We want to assure our customers and partners that FormAssembly is not affected by these issues.
These vulnerabilities apply only to on-premises versions of Microsoft SharePoint. At FormAssembly, we exclusively use Microsoft 365 SharePoint Online for our Connectors, which is not impacted by these CVEs.
We remain committed to closely monitoring all security advisories and ensuring our platform and connectors continue to meet industry best practices.
If you have further questions or concerns, please don't hesitate to reach out to our security team via security@formassembly.com.
SOC 2 Type 2 Report
FormAssembly's controls are assessed on an annual basis by A-LIGN, a firm that specializes in compliance across multiple industries.
FormAssembly performs a SOC 2 Type 2 assessment annually. Our most recently available report covers the period from December 1, 2023 to May 31, 2024. An updated review period is scheduled with our auditors, and we expect an updated report to be available in mid-2023.
The SOC 2 report includes management’s description of FormAssembly’s trust services and controls as well as A-LIGN’s opinion of FormAssembly’s system design. You can find it under the Reports section of this Security Portal.
We maintain a SOC 2 Type 2 certification as a result of this regular audit activity and can share the most recent SOC 2 report with our customers upon request and under a non-disclosure agreement. The SOC 2 report is based on the existing Trust Services Criteria (TSC) of the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA). The purpose of this report is to evaluate an organization’s information systems relevant to security.
The scope of this report covers controls supporting the FormAssembly App and Enterprise/Compliance plans.