Need information about hosted environment

  • llandrum
    Asked on August 10, 2020 at 03:44 PM

    I'm thinking about using your system.  However our IT department has a number of technical requirements and questions about the hosted environment.  Do you have someone who can answer these questions and any documentation about this?

  • Jed_C
    Answered on August 10, 2020 at 08:53 PM

    You can post your questions here and we'll forward them to our IT department. You may also check our security page here https://www.jotform.com/security if they are looking for security information about the Jotform server.

    If it's an Enterprise concern, you may get in touch with our sales team here https://www.jotform.com/enterprise/contact-sales/ for questions related to self-hosted Jotform.

    Looking forward to your response.

  • llandrum
    Answered on August 11, 2020 at 12:28 PM

    Here are my questions.
    If we have enterprise license, can we configure the following password settings?
    1. Password change frequency
    2. Lock down reuse of old passwords
    3. Minimum number of characters
    4. Character complexity (uppercase, lowercase, numerical, special character)
    5. Account lock out policy
    6. User self password reset vs admin required (Is password masked?)
    7. Process/time expectation to remove accounts
    Is there role based security in enterprise version?
    Is there the ability to configure session timeout thresholds?
    If we did not have enterprise license, could we guarantee our data stays in the US?
    When are security patches applied?
    Do we find out about new features before they are applied? How?
    Have you suffered any data breaches? If so, please provide date and if customer data was lost.
    What are your support hours of operation?
    What are your defined maintenance periods?
    Where is your support organization located?
    Could I get a copy of a sample Service Level Agreement?
    Do you have a Disaster Recovery (DR) plan? How do you exercise it?
    Define what you constitute as an outage and describe the recovery point and recovery time objectives as defined in the contract.
    That’s it for now. Your security materials are great online.
    Leslie Landrum
    Senior Business Analyst, PMP
    City of Frisco Information Technology
    972-292-5181
    llandrum@friscotexas.gov
  • david
    Answered on August 11, 2020 at 02:25 PM

    Hi Leslie,

    I'll run down your questions in order. The answers only apply to Enterprise and any modifications would need to be done on the Jotform end by our dev team:

    1. Password change frequency

    There is no enforced password change for standard servers. If HIPAA compliance is enabled, which is an additional cost and has strict enforcement of compliance, password expiration is 90 days and the expiration period can be adjusted.


    2. Lock down reuse of old passwords

    New passwords must be different from the last 2 passwords used. I do not believe this can be altered.


    3. Minimum number of characters

    No complexity requirements for standard servers. 8-character minimum for HIPAA-compliant servers. This can likely be adjusted for standard servers.


    4. Character complexity (uppercase, lowercase, numerical, special character)

    No complexity requirements for standard servers. A mix of upper and lowercase, at least one number and special characters are required for HIPAA-compliant servers. I am not sure if this can be adjusted for standard servers, but it might be possible.


    5. Account lock out policy

    Accounts are locked after 5 consecutive failed login attempts. Accounts can be manually locked or unlocked by admin accounts on the server.


    6. User self password reset vs admin required (Is password masked?)

    Passwords are encrypted and the actual password text is not available, even to our staff.


    7. Process/time expectation to remove accounts

    Accounts can be modified, removed or locked at any time by admin accounts on the server.


    Is there role based security in enterprise version?

    There are two different roles that can be assigned to accounts, regular user and admin. Admin users would have access to the admin dashboard:

    https://www.jotform.com/help/604-How-to-Use-Enterprise-Admin-Page

    Regular users by default would only have access to their own forms and data with no ability to use admin features.


    Is there the ability to configure session timeout thresholds?

    Yes, login session expiration timer can be adjusted.


    If we did not have enterprise license, could we guarantee our data stays in the US?

    No, data propagates throughout our distributed system worldwide; there is no US-only option.


    When are security patches applied?

    Security patches are applied as needed; there is no defined schedule.


    Do we find out about new features before they are applied? How?

    We do not release new feature details until the feature is ready for release.


    Have you suffered any data breaches? If so, please provide date and if customer data was lost.

    We have not.


    What are your support hours of operation?

    Direct priority support hours are 8:30am-5:00pm EST and usually extend a bit before and after. 24/7 support is always available via our support forum.


    What are your defined maintenance periods?

    We do not have defined maintenance periods. It is very uncommon to have to take a server offline. If we do need to have any down time we would schedule it with the user beforehand.


    Where is your support organization located?

    This would depend on your location; Enterprise support for the US is currently in California.


    Could I get a copy of a sample Service Level Agreement?

    Our sales team would be able to provide this if needed. They usually like to ensure that there is a need for Enterprise and that the cost is not an issue prior to sending this type of document.


    Do you have a Disaster Recovery (DR) plan? How do you exercise it?

    We do. Our sales team would be able to provide this if needed. They usually like to ensure that there is a need for Enterprise and that the cost is not an issue prior to sending this type of document.


    Define what you constitute as an outage and describe the recovery point and recovery time objectives as defined in the contract.

    An outage would be the server being fully unavailable. Simple bugs and things of that nature are not considered outages. We do nightly, weekly and monthly backups that can be used as restore points.
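The account controls david lists for a HIPAA-enabled Enterprise server (90-day expiration, no reuse of the last 2 passwords, 8-character minimum with mixed case, a digit and a special character, lockout after 5 consecutive failures, password text never stored) can be modelled as a small policy engine. The code below is an added illustration, not Jotform's implementation; the salted PBKDF2 storage, integer epoch-second timestamps and the exact reuse-window semantics are assumptions, and the initial password passed to `Account` is assumed to satisfy the rules.

```python
import hashlib
import hmac
import os
import re

MAX_FAILED_LOGINS = 5        # locked after 5 consecutive failed logins
PASSWORD_HISTORY = 2         # new password must differ from the last 2
PASSWORD_MAX_AGE_DAYS = 90   # HIPAA-server expiration period
RULES = [  # HIPAA-server complexity rules: 8+ chars, mixed case, digit, special
    (r".{8}", "8 characters"), (r"[A-Z]", "an upper-case letter"),
    (r"[a-z]", "a lower-case letter"), (r"\d", "a digit"),
    (r"[^A-Za-z0-9]", "a special character"),
]

def _digest(password, salt):
    # Assumed storage scheme: salted PBKDF2 digest, never the password text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def complexity_error(password):
    missing = [msg for pat, msg in RULES if not re.search(pat, password)]
    return "password needs " + ", ".join(missing) if missing else None

class Account:
    def __init__(self, password, now):
        self.history = []      # (salt, digest) of past passwords, newest first
        self.failed, self.locked = 0, False
        self.changed_at = now  # epoch seconds (constructed timestamps in tests)
        self.set_password(password, now)

    def set_password(self, password, now):
        err = complexity_error(password)
        if err:
            return err
        for salt, digest in self.history[:PASSWORD_HISTORY]:
            if hmac.compare_digest(_digest(password, salt), digest):
                return "reused recent password"
        salt = os.urandom(16)
        self.history.insert(0, (salt, _digest(password, salt)))
        self.changed_at = now
        return None

    def login(self, password, now):
        if self.locked:
            return "locked"
        salt, digest = self.history[0]
        if not hmac.compare_digest(_digest(password, salt), digest):
            self.failed += 1
            self.locked = self.failed >= MAX_FAILED_LOGINS
            return "bad password"
        self.failed = 0  # a successful login resets the consecutive-failure count
        if now - self.changed_at > PASSWORD_MAX_AGE_DAYS * 86400:
            return "password expired"
        return None
```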

  • llandrum
    Answered on August 11, 2020 at 04:28 PM

    Thank you – this is good information. One clarification, if we have enterprise license, can we ensure our data stays in the US?
    Leslie Landrum
    972-292-5181
    llandrum@friscotexas.gov
  • david
    Answered on August 11, 2020 at 04:33 PM

    Yes, with Enterprise you get to choose the hosting location and we have several options within the US. The data would not be replicated anywhere outside of the US with the exception of backups, which would also be stored in the US.

  • llandrum
    Answered on August 11, 2020 at 05:28 PM

    Thank you!