Formstack guidelines

Formstack is a shared service supported by The Office of Information Technology and the Office of Marketing and Communication MarCom designed to temporarily capture basic submission information. Formstack is not an appropriate platform for program applications, student records, or long-term storage.

You can find Formstack tutorials on Formstack's YouTube channel and Formstack's How-to articles. Please read through all terms of use before requesting access at the bottom of this page.

Terms of use

User requirements and expectations

We have a fixed number of users for the University, and the account has a limit on number of forms and amount of submission storage.

Users are expected to adhere to the following:

  • Completion of basic web accessibility training annually.
  • Create and maintain accessible forms.
  • Be FERPA compliant. Anyone collecting or viewing student data must have completed FERPA training. Please read the University FERPA Policy as well as the Data Storage Guidelines Page.
  • Form submissions that include student data must be encrypted with a password that is not recoverable by Formstack or Marketing & Communications.
  • Build/assist with forms for others in their division.
  • Do not create custom themes.
  • Do not use inaccessible fields: Credit card, signature, or matrix.
  • Move submissions annually to your unit’s organizational NevadaBox folder.
  • Review and audit your forms annually to ensure they are current and still needed, otherwise delete old forms.

The Office of Information Technology and the Office of Marketing & Communications reserve the right to make changes to any forms and/or submissions to maintain compliance as well as the right to delete submissions more than a year old.

Failure to comply with the terms of use may result is loss of account access.

Usage guidelines

The following guidelines have been created for the use of Formstack at the University. The guidelines describe the types of information that should be collected via web forms.

  1. Do not collect any of the following information on forms:
    • Social Security Number
    • Credit Card Information
    • Protected Health Information (PHI)
  2. Confidential data, such as Personally Identifiable Information (PII) and Family Educational Rights and Privacy Act (FERPA) data, may be collected as long as the following security guidelines are followed.
    • Encryption must be enabled.
    • Authentication via NetID must be enforced.
  3. Examples of FERPA data elements are listed below.
    • Name
    • Participation in officially recognized activities and sports
    • Address
    • Telephone Number
    • Weight and height of members of athletic teams
    • Email address
    • Degrees, honors, and awards received
    • Major field of study
    • College
    • Dates of attendance
    • Date of graduation
    • Undergraduate and graduate status
    • Most recent educational agency or institutions attended
    • Enrollment status (full-time or part-time)
    • GPA (grade point average)
    • Grades/exam scores
    • Standardized test scores
    • Actual number of hours enrolled
  4. Do not collect information you do not need.
  5. Do not use the following Formstack components as they are not ADA accessible.
    • Date/Time - If the date is needed, add the separate boxes to collect the date and time.
    • "Add Other" option for radio and checkboxes. Add a unique short answer box to collect "other" information.
    • Signature box - Create a required checkbox with an agreement and a textbox where the user types their name.

Data storage

  • Sensitive and Confidential data are required to be stored using the Encrypt Saved Data option under Security.
  • Sensitive and Confidential data may be stored according to the Data Storage Guidelines.
  • The form creator and college/division are responsible for all data collected.
  • In the event of a security or data breach, the University Chief Information Security Officer must be notified immediately.
  • Users collecting or with access to Sensitive and Confidential data are required to attend FERPA and/or HIPAA training

Naming and storing conventions

New forms

Proper naming conventions and organization of forms allow for easy maintenance and support of forms. 

  • Left click on a folder on the left panel that corresponds the department you belong in. For example, if you were in Education, click on the EDU-Education folder. 
  • Create a form inside your department's folder. Left click the blue button on the top right of the page that says "Create New Form".
  • Under the form name field, give your form a three or four digit letter abbreviation belonging to that department. For example, if you were in Education, you want to prefix your forms as (EDU). If you were in Student Services, you'd want to prefix your forms as (STSV). For example: (EDU) College Adults Form is a valid name for a form. Note: a complete list of form names can be seen on the left side panel of folders on the Formstack website.
  • Edit the form URL field to be a concise and accurate name.

Existing forms

If you have an existing form and are unsure where to put it, please follow the following steps.

  • Left of the form you are working on is a box. Click on that box. This will give it a green check mark.
  • Click on the "move to" button.
  • Move that form, or list of forms, into the appropriate folder. If the appropriate folder does not exist, please let Marketing and Communications know and we will create one for you.

*NOTE: Marketing & Communications may periodically clean up all Formstack forms including organization into appropriate folders and renaming forms to the appropriate name.

Annual audit requirements

  • Any form that captures FERPA-protected information that is not locked with a password will be deleted without backup. (What information is protected?)
  • Any form that references more than one year prior will be deleted without backup.
  • Any form submissions more than one year prior will be deleted without backup.
  • Any form in the “Uncategorized” folder will be deleted without backup.
  • Any form in the “Archived” folder will be deleted without backup.

Here is the action required on your part:

  1. Each year, prior to July 1, review all forms within your purview. Partner with leadership in your unit to determine what forms/submissions need to be backed up, if any, and how your team will access them.
    1. Is the form currently in use or used annually?
      • If yes, delete any submissions prior to current acedemic year.
        • If you must keep the submissions, it is your responsibility to export the submissions to an SSO-protected platform such as NevadaBox, OneDrive/SharePoint.
      • If no, delete the form.
    2. Is the form set to email submission notifications to the correct person(s)?
  2. Prior to July 1, move any forms that belong to your area out of “Uncategorized” and into your unit’s folder in Formstack.
  3. Prior to July 1, move any forms that belong to your area out of “Archived” and into your unit’s folder in Formstack.

Requesting access

Access is dependent on available seats. Access may be denied if your major unit has existing Formstack users.

Request Formstack access