- Rick McElroy Asked on May 05, 2015 at 11:50 AM
2) Since the form asks for very private info....SSN, EIN, DOB, Bank Info etc..... What is the best way to secure the form?
I tried Formstack....and they sent this while I was testing it?
Your form "New import" has been flagged for being in violation for Formstack's Terms and Conditions for collecting sensitive User data without the proper form security. When collecting sensitive User data, you must enable the SSL and Data Encryption security features. To ensure the form is not deactivated, please enable both security features through the Form Settings tab.
If you have any questions regarding this Form or the Security features, please contact us and we'll be happy to assist!
So is Jotform just as secure?
- KadeJM Answered on May 05, 2015 at 12:05 PM
You are asking about using a form to collect what we often refer to as "sensitive information". In short, yes, we are, and we do take the collection of this type of information very seriously.
Unfortunately, for privacy reasons to protect user-information we do not allow the collection of any sort of sensitive information per our Terms of Usage such as Logins, Usernames and Passwords, Credit Cards, Bank Information, and SSN even though we do support the use of Encrypted SSL Data since it would otherwise be considered as phishing which in turn could be used elsewhere for the wrong reasons.
- rivertech1 Answered on May 05, 2015 at 02:17 PM
Is Jotform...saying they will NOT allow ANYONE to create forms requiring SENSITIVE INFORMATION at all?
Even if SSL is enabled?
Because it is in violation of the Terms of Service?
When Formstack will?
If this is the case....then Jotform is saying that I need to find another form tool other than Jotform?
Please tell me there is another way to accomplish this....or that Jotform may be able to update/change their terms of service.
- JotForm Support david Answered on May 05, 2015 at 03:24 PM
We do allow for the collection of such data in certain circumstances. However, creating a form with such fields will most likely result in your account being temporarily suspended for manual review, at which time you will be asked the purpose of your forms. For the most part, we do discourage the collection of such data. It is only allowed for very few purposes. Even then, we do not allow for the collection of social security numbers and other highly sensitive data. Occasionally we do allow credit card authorization forms.
- Rick McElroy Answered on May 06, 2015 at 10:00 AM
Thanks for your response. The reason I resubmitted my question is because after careful reading of your terms of service and your above response.....I am questioning:
"...since it would otherwise be considered as phishing which in turn could be used elsewhere for the wrong reasons."
Is it still considered Phishing.....if the business requires this information AS PART OF THEIR BUSINESS? OR IF THE BUSINESS IS IN THE FINANCIAL SERVICES INDUSTRY?
Real Estate Broker
Or any company who requires a background check, etc.
I understand.....if a BAKER, PLUMBER or a Technology CONSULTANT is asking for this information....then it would be considered phishing.
Or can you provide some best practices on how maybe some of your clients in the Financial Services create forms WITHOUT this type of sensitive information....How do they actually obtain this information?
Or is it that JotForm will not allow this at all...and turns away these types of clients so as not to risk being hacked.
Again I ask...because I think your App....is fantastic.....
FormStack does allow this.....and will alert the client....that the appropriate level of security has not been implemented.
Is it possible to run this issue up the chain of command for review?
- JotForm Support ashwin_d Answered on May 06, 2015 at 11:11 AM
I hear your concern completely but as explained by my colleagues, we do not advise you to add form fields in your form asking for users' username/password, email/password, credit card numbers, bank account information etc.
We have an automated anti-phishing system which scans all forms and marks them with a probability of being used for phishing activities.
- JotForm Support Manager Jeanette Answered on May 06, 2015 at 12:42 PM
I am very sorry for the incomplete information given to you by the support staff.
Our Phishing detection system is automated and as such, it works with keywords that include "SSN", "Security Key", "Credit Card Number", "Expiration Date" and others, in its algorithms.
We had to implement this system after Jotform was suspended by the US government around 3 1/2 years ago, due to real phishers who were using our forms to collect this sensitive information to steal money. This action affected thousands of JotForm users and businesses, so we took this extremely seriously and took the necessary steps to prevent this from happening again.
Here is a more detailed explanation/suggestion on your particular case:
- Regarding bank information: We allow this only through payment integrations.
However, card number, expiration date, security codes and card holder name are considered critical information. The only services allowed to collect such data are those that are DSS/PCI certified.
So, it is a must to integrate your form with any of our Payment integrations. If you choose PayPal or Authorize.net, then you can enable the Authorization Only feature.
- In regard to collecting SSN, EIN and Bank Account numbers:
MORTGAGE BROKER, INSURANCE BROKER, BANK, Real Estate Broker, LENDING INSTITUTIONS and the like are allowed to collect SSN and it's not illegal, I know. However, many phishers will still use our form builder to steal this very sensitive information.
In the case of legal businesses, we advise building the form to gather this info, but a signature field must be added so your clients will be signing to be in agreement with providing such information.
This way, the automated system will still mark it high, but our Form Reviewers Team (who manually check forms on paid accounts) would set the form as an exception.
I hope this helps you to decide whether Jotform is suitable for you or not.
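The keyword scan and account-tier handling described in this reply can be sketched as follows. This is an added example, not JotForm's code: the keywords are the four quoted above, while the weights, the 0.6 threshold, the `Form` class and the decision names are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Keywords quoted in the thread; weights and threshold are assumed values.
KEYWORD_WEIGHTS = {
    "ssn": 0.5,
    "security key": 0.4,
    "credit card number": 0.5,
    "expiration date": 0.2,
}
HIGH_RISK = 0.6

@dataclass
class Form:  # hypothetical representation of a form under review
    labels: list
    paid_account: bool
    has_signature: bool = False

def normalize(label: str) -> str:
    """Lowercase and collapse punctuation so 'Credit-Card Number:' still matches."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", label.lower()).split())

def score(form: Form):
    """Return (probability-like score, sorted keyword hits) for a form."""
    hits = set()
    for label in form.labels:
        padded = f" {normalize(label)} "  # padding gives whole-word matching
        hits.update(kw for kw in KEYWORD_WEIGHTS if f" {kw} " in padded)
    miss = 1.0
    for kw in hits:
        miss *= 1.0 - KEYWORD_WEIGHTS[kw]  # combine hits as independent signals
    return round(1.0 - miss, 4), sorted(hits)

def triage(form: Form) -> dict:
    """Route a form: low scores pass, high scores depend on the account tier."""
    risk, hits = score(form)
    if risk < HIGH_RISK:
        decision = "allow"
    elif form.paid_account:
        # A signature field does not lower the score; it is context for the reviewer.
        decision = "manual_review"
    else:
        decision = "auto_suspend"
    return {"decision": decision, "risk": risk, "hits": hits,
            "signature_present": form.has_signature}

# Constructed sample forms, not real submissions.
LOAN_FREE = Form(["Full name", "SSN:", "Credit-Card Number"], paid_account=False)
LOAN_PAID = Form(["SSN", "Credit Card Number", "Signature"], True, has_signature=True)
```

The same keyword hits lead to different outcomes depending on account tier, and the signature field only changes what the human reviewer sees.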
- JotForm Support Manager Jeanette Answered on May 06, 2015 at 01:20 PM
Your form is perfect! I don't think such form will be marked as highly suspicious by our system.
However, I strongly recommend you purchase a paid subscription because paid accounts are not banned automatically, so it will prevent a potential automatic block of the account/form.
This is because besides our automated system, we have a team of form reviewers who manually check forms that were bypassed by the system and free accounts are the first ones to be marked as risky with a high % of probability.
- JotForm Support Manager Jeanette Answered on May 06, 2015 at 01:27 PM
Here is how the form looks to our Phishing detection system:
- JotForm Support Manager Jeanette Answered on May 06, 2015 at 01:35 PM
The form is perfect because it shows a terms of agreement part at the bottom as well as the signature for the user to sign and agree. Therefore everything is so far so good!
- JotForm Support Manager Jeanette Answered on May 06, 2015 at 01:48 PM
I've answered you on that thread. Interesting page at http://www.billmo.com btw.
- JotForm Support ashwin_d Answered on May 06, 2015 at 01:49 PM
Welcome to JotForm :)
Please note that we cannot answer multiple questions in one thread. It seems you are replying from your email and that is the reason I am not able to move your latest question to a new thread. For now, I will go ahead and answer your question here but you should create a new thread for every new question.
Save and continue:
Yes, we will surely help you. Please note that this feature requires two forms and the main form should have page breaks. The data is saved in session only on click of the next button. Please go ahead and create both the forms and get back to us if you have any questions. We are happy to help.
To display a progress bar in the form, you just need to add a "Progress Bar" widget to the form.
- mlittaur Answered on December 08, 2015 at 04:28 AM
So if I add a signature and agreement field it's ok to collect bank and sensitive information in a normal form? We supply online organisers so accountants can help their clients get the information more efficiently.
Answered by david
If you need to collect banking information, you could do so in a follow up email or over the phone. Bank account numbers, social security/passport ID numbers, anything of that nature we do not allow to be collected through our forms.
- Carina Answered on December 08, 2015 at 05:14 AM
I've moved your question to a new thread, as we aim at having one question/user per thread. You can find it here:
Let us know if we can assist you further.
- mlittaur Answered on December 08, 2015 at 06:45 AM
Why this was exactly the thread that defines when and you're allowed to collect personal information???
- Carina Answered on December 08, 2015 at 06:55 AM
As mentioned above we strive to have only one user and one question per thread. I know that this thread has more than one user, but these are the guidelines.
The aim is to provide a good user experience, so that when a user needs to find a solution for his situation he can find it by searching the forum and find short threads like question: answer.
Let us know if we can assist you further.