JotForm is a free online form builder which helps you create online forms without writing a single line of code. No sign-up required.
We believe that if one user has a question, there could be more users who may have the same question. This is why many of our support forum threads are public and available to be searched and viewed. If you’d like help immediately, feel free to search for a similar question, or submit your question or concern.
How secure is your system?Asked by ericgfx on December 02, 2015 at 03:33 PM
I've got a client that wants to recieve all types of sensitive data, soc security numbers, address history, birth days, bank account numbers...
I saw your FAQ, here...
Do you support Secure Forms?
Yes, you can now have your forms and form submissions transmitted securely with a 256 bit High-grade encryption. You can also log into JotForm site securely and download your submission reports over a secure connection.
The use of word "CAN Now Have" makes me wonder if that's not true by default, so where would I set up the encryption? Is there a fee?
Let me tell you that, Jotform has a very powerful cloud of servers whose storage is encrypted and provides security protection against malicious attacks like SQL injection and denial of service (DDOS) attacks.
So we provide a high security standard through out our hosting provider's servers for data storage
-All of our SSL certificates support high-grade 256-bit encryption.
-Data transmission from the person who submits the information to our servers can be done in an encrypted manner, by using the forms securely
- Notice that our forms embed codes are 100% using the HTTPS protocol (SSL) by default.
But to add extra security, you must follow these advises:
1. Edit emails on all forms to make sure no specific information is used on them. We send emails in plain text. So, these are not secure. Only use emails to get alerts to know there is a new submission.
Once you receive an email alert, log into the secure JotForm site and then look at the user
2. If you use the Reports feature, only do it with password protection. That will both ask for a password, and it will transfer all data over SSL.
3. Same for uploads. They are not password protected.
4. Logout immediate after you are done with the site.
5. Regularly download submissions and then delete them.
In regard to your other question "where would I set up the encryption? Is there a fee?"
You can have any or all your forms to use encryption. There is no extra fee to use it. For more detail on this you may visit our users guide, What are Encrypted Forms and how to use them as expert.
I also recommend you review out terms, so you do not use field did we do not allow. If our system finds invalid fields, your account will automatically be suspended.
The only fields I see referenced are in the Phishing paragraph. So no social security number? That may be an issues as the customers will be applying for government assisted housing, hence the income verification.
I suppose we could use the forms as a pre-screening tool.
JotForm Support Manager
SSN collection is not illegal. According to this site https://www.privacyrights.org/my-social-security-number-how-secure-it#11 in most States, there is no law that prevents businesses from requesting SSN, and there are few restrictions on what businesses can do with it.
However, some States have imposed restrictions on a business soliciting the SSN.
Online form builders, including JotForm, have been used for identity theft in the past. We go to great lengths to prevent this. That is why our Terms will mention SSNs are considered as a Phishing activity.
Therefore, when you do request SSN, chances are that our automated phishing detector will flag the form(s) and suspend the account. If this happens you'll have to contact support to whitelist the form and reactivate the account, explaining the purposes of the form(s).
These are some examples of businesses that require a Social Security number for legitimate purposes:
• Insurance companies
• Credit card companies, lenders, and any other company receiving a credit application from you
• The three main credit reporting agencies: TransUnion, Equifax, and Experian
• Any company that sells products or services that require notification to the IRS, including:
- Investment advisors
-Real estate purchases
-Financial transactions over $10,000, such as automobile purchases; and other financial transactions
Moreover, you need to know that since we do store the information in your account, anyone with access to it would also have access to social security numbers. So, in the event of a security breach of your account this could be an issue.
Please follow these recommendations in order to help us to whitelist your forms:
1. Embed the form using SSL method (http://www.jotform.com/help/63-How-can-I-receive-SSL-Submissions)
2. Add a sort agreement and/or an e-signature field to the form, so your customers will agree to provide their SSN along with personal info.
Here are some widgets you can add to the form (signature fields):
In conclusion: If your purpose not to collect SSN from the general public, but from your own customers; if your business is among the list above and if you follow the recommendations; then all this will surely make your forms not to be considered as guilty of phishing activities.