Form Encryption: Request to be able to decrypt data to get CSV or XML file

  • cymorg
    Asked on March 21, 2018 at 12:38 PM

    Prepurchase questions: Securing sensitive personal data

    Can JotForm be used in such a way that we can collect highly sensitive personal info. (medical, financial, legal) from our customers safely & securely?

    I see we can opt to store our info. on EU (German) servers.  Fantastic.

    I see some kind of encryption is available but it's not clear how that works.

    The last thing we want is unencrypted info. being sent by email.  In fact we don't want email at all.  We'd rather the data was encrypted & stored within the EU then we download the results on demand.

    Is that feasible? 

    Also, do JotForm sign data processer agreements with clients?  We can't proceed with our planned online forms without such agreements.

  • aubreybourke
    Replied on March 21, 2018 at 2:06 PM

    Can JotForm be used in such a way that we can collect highly sensitive personal info. (medical, financial, legal) from our customers safely & securely?

    Yes we use encryption to transport your data. And you can enable additional encryption for your stored submissions. Please view our security page for more information:

    https://www.joform.com/security

     

    I see we can opt to store our info. on EU (German) servers.  Fantastic.

    Yes we store European data in Europe.

     

    I see some kind of encryption is available but it's not clear how that works.

    Basically you enable it. Then generate your keys. You need to download your private key (and keep it safe. If you loose your private key you cannot decrypt your data).

     

    The last thing we want is unencrypted info. being sent by email.  In fact we don't want email at all.  We'd rather the data was encrypted & stored within the EU then we download the results on demand.

    Once your form is encrypted you wont be able to use reports, emails, or Download your data. The only thing you can do is view you data on the JotForm submissions page.

     

    Is that feasible? 

    Yes, please read this guide for full instructions on encryption:

    Encrypted-Forms-and-How-to-Use-Them

     

    Also, do JotForm sign data processer agreements with clients?  We can't proceed with our planned online forms without such agreements.

    We are currently on track to be GDPR compliant by the deadline (25th May 2018).

    Not sure if we provide a DPA. What plan were you interested in purchasing? I will wait for your reply to escalate the DPA request.

  • cymorg
    Replied on March 21, 2018 at 3:07 PM

    @aubreyburke

    We'd be looking at the Silver plan (up to 10,000 submissions per month).  If encrypted data can only be viewed and not downloaded then the product is of less interest to us.  We need to be satisfied the data is held securely & GDPR compliant and also available to import to our other internal systems via batch import (e.g. decrypted at our end to .csv or .xml).  I understand that would entail a local decryption utility using the same algorithm & salt, which you may not be in a position to share however if you had a compiled app to do the local decryption then we'd be able to use it without JotForm risking their IP or compromising your other client's data (at least in theory).

    If we can only view but not download the encrypted data then we're at an impasse.

  • aubreybourke
    Replied on March 21, 2018 at 3:33 PM

    Unfortunately its not possible to decrypt your downloaded data. We don't have any tool to do it. Downloads are only possible if encryption is turned off. We don't support XML. But you can download unencrypted submissions in Excel/PDF/CSV formats.

    If you like I can submit a feature request for a tool to decrypt downloads?

  • cymorg
    Replied on March 21, 2018 at 7:27 PM

    @aubreybourke

    A feature request for a tool like that would be great.  I understand such requests go into a pipeline for decision, development, testing & finally delivery so I wouldn't expect a swift turnaround, nevertheless please put it in as a development request and we'll see what happens.  My organisation has been, and will be, around for a long time (gov. sector) and our appetite for forms is endless so we'll surely be back to consume the product if it can fully meet our needs.

  • Mike
    Replied on March 21, 2018 at 9:54 PM

    We use RSA 2048-bit keys, so in theory, you can decrypt the data locally. Unfortunately, we do not currently offer an app for this, so we have escalated a feature request ticket to our developers. There is no ETA for when this will be implemented, but we will let you know if we have any updates.

  • cymorg
    Replied on March 22, 2018 at 9:25 AM

    @Mike

    I'm aware I can decrypt the data myself and I'm quite willing to build my method to do that however Aubrey states that the download option is turned off when encryption is turned on.  

    If I can download the encrypted data for later decryption locally then we might be good.  Can you confirm that we can do that?

  • David JotForm Support Manager
    Replied on March 22, 2018 at 10:48 AM

    Unfortunately, it is not possible to download the encrypted data. 

  • aubreybourke
    Replied on March 23, 2018 at 12:26 PM

    Sorry for the confusion. 

    Just to clarify, it is possible to download your submissions in Excel/PDF/CSV formats. However it will be encrypted. So you wont be able to access it.


  • tina JotForm Developer
    Replied on April 13, 2018 at 4:55 AM

    Great news! JotForm is GDPR compliant now. You can find more details here: https://www.jotform.com/gdpr/

    Also, we offer data processing addendums (DPAs) for our customers that operate in the EU. If you would like to sign a DPA, Feel free to send your request: https://www.jotform.com/gdpr/dpa/