  • How secure is JotForm data

    Asked by ksupport on May 12, 2016 at 04:59 PM

    From what I understand and have read, my "secure" data is stored on jotform server unencrypted.  Is this still the case?

    What is jotform using my data for that it needs to be unencrypted?  This defeats my data being secure!  Why not store the encrypted data using my public key? If a hacker gets into jotform, I don't care!

    If I am connecting to the site via SSL, why not let me see the unencrypted data you are storing? I'm connecting to your server via SSL, so "technically" safe. Makes no sense to encrypt at the browser just for me to upload my private key and allow the browser to decrypt. This might be OK for archive-type purposes but is useless with reports and CSV downloads.

    Speaking of CSV... I want a CSV, which your system can't handle for some reason. Just spit out a fully encrypted file that I can use openssl and my private key to decrypt! Better yet, send me an email with the encrypted data. I can then parse the data using my private key.

    Why do you send my data over the internet in the clear but can't handle CSV and reports? Sending me an email that isn't encrypted is NOT SECURE!

    Why not encrypt my email using my public key using S/MIME or similar technology?

    Since my private key doesn't get uploaded to the server, I assume this is using JavaScript to read and decrypt. Seems like you can make a button to paste data into the clipboard as well.

    Finally...  

    After uploading my private key and viewing the submission the matrix widget doesn't decrypt. Why?

    Thanks

    Reports JotForm CSV Unencrypted
  • JotForm Support

    Answered by jonathan on May 12, 2016 at 05:24 PM

    From what I understand and have read, my "secure" data is stored on jotform server unencrypted.  Is this still the case?

    Yes, this is still the case. The stored data on the JotForm server is not encrypted. This was the reason we do not allow critical data to be captured or used on our forms (i.e. credit card info, login/password, security IDs, etc.).

    What is jotform using my data for that it needs to be unencrypted?  This defeats my data being secure!  

    No, we do not do that. If we used your data, we would be violating our own Privacy Policy and Terms of Use.

    If a hacker gets into jotform, I don't care!

    I am not sure what you meant here, but we do care. Our users are important to us. We will not just roll on and let a hacker get into the user's data.

    Let us know if you have further questions about secure data.

    ---

    I believe your succeeding questions were about Form Encryption, so I created a separate thread for them here: https://www.jotform.com/answers/838105

    We will attend to it shortly.

     

  • Answered by ksupport on May 12, 2016 at 06:12 PM

    Jotform would be more secure if they encrypted the data at rest on your servers using public keys, which would make the data useless to a hacker (that is why I wouldn't care because it is encrypted). As of now you are a prime target for theft.

    If JF isn't using the data for mining, then there is zero reason for JF not to encrypt at rest.

    I just need a form to submit a CSV or use the API to get the data, but you make it impossible to easily do this.

    Make a pay tier to have data encrypted at rest for people that want/need to collect personal info.

    Send me a fully encrypted email and don't store it on your server; that will be fine also.

    Publish which technology you are using to encrypt/decrypt in the browser. I can probably reverse engineer your webpage, but that is a lot of work.

     

    Thanks for quick response and for a great site.

     

     

  • JotForm Support

    Answered by david on May 12, 2016 at 06:25 PM

    Thank you for your feedback. Unfortunately, tailoring the way we use encryption to your specific needs would take a fair bit of resources, and it is not likely to change. We simply offer encryption of the form data itself and remove all other access to the data via any other method. Data is also likely to remain in plain text format while at rest in JotForm accounts. I understand your need for things to be done differently; however, it is not likely to be changed in the foreseeable future.
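
The approach the asker proposes in this thread (encrypt each submission to the form owner's public key so the server stores only ciphertext) can be sketched as follows. This is an added example, not part of the original thread and not JotForm's implementation; the function names, the RSA-OAEP plus AES-256-GCM choice and the sample CSV are assumptions made for illustration.

```javascript
// Added example: hybrid public-key encryption of one form submission (Node.js).
// encryptSubmission/decryptSubmission/demo are hypothetical names; data is constructed.
const nodeCrypto = require('node:crypto');

const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Server side: only the owner's PUBLIC key is present, so stored records
// cannot be read by the server or by anyone who copies its database.
function encryptSubmission(publicKeyPem, plaintext) {
  const dataKey = nodeCrypto.randomBytes(32); // fresh AES-256 key per submission
  const iv = nodeCrypto.randomBytes(12);      // 96-bit GCM nonce
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', dataKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    wrappedKey: nodeCrypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, dataKey).toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ciphertext: ciphertext.toString('base64'),
  };
}

// Owner side: the private key stays on the owner's machine.
function decryptSubmission(privateKeyPem, record) {
  const dataKey = nodeCrypto.privateDecrypt(
    { key: privateKeyPem, ...OAEP }, Buffer.from(record.wrappedKey, 'base64'));
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', dataKey, Buffer.from(record.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(record.tag, 'base64'));
  return Buffer.concat([
    decipher.update(Buffer.from(record.ciphertext, 'base64')),
    decipher.final(), // throws if the stored record was modified
  ]).toString('utf8');
}

// Constructed round trip: encrypt a sample CSV, decrypt it, then check tamper detection.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const csv = 'name,email\nAlice Example,alice@example.com\n';
  const stored = encryptSubmission(publicKey, csv);
  const recovered = decryptSubmission(privateKey, stored);
  const tampered = { ...stored, ciphertext: Buffer.from('x' + csv).toString('base64') };
  let tamperDetected = false;
  try { decryptSubmission(privateKey, tampered); } catch (e) { tamperDetected = true; }
  return { csv, stored, recovered, tamperDetected };
}
console.log(demo().recovered);
```

With this layout the server can still accept and store submissions, but reports and CSV exports have to be produced on the key holder's side, which is the trade-off the support replies describe.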