5 data security best practices — and how to implement them with Jotform

The issue of data security has been discussed in the public and private sector, on an individual and organizational basis, and in the media for at least a decade.

We’ve all been through the (seemingly) endless data security training modules. They teach us to be mindful of behavior that might precede a company-wide data breach or compromise our own data.

Yet data breaches and security issues have reached an all-time high. The pandemic seemed to worsen the issue, with corporate and government breaches increasing along with personal attacks.

As no-code solutions continue to gain popularity among organizations of all sizes, and across borders, they become yet another focal point for data and security vulnerability. Many users may not recognize the power of no-code solutions or the responsibilities that come with managing them.

Johannes Wiklund, Jotform’s head of information security, puts it best: 

“As no-code solutions create a new category of sometimes unintentional systems administrators, it’s more important than ever to guard against threats we can control, through intelligent password management, data encryption, and overall data hygiene. By following a simple set of best practices and partnering with the right provider, companies can collect needed data while complying with regulations and avoiding security mistakes that, unfortunately, many of us still make.” 

Here we’ll share an overview of five data security best practices — and the ways you, your team, and your organization can implement them using Jotform.

Pro Tip

Get access to all of these security features and more with Jotform Enterprise.

1. Securing your account

Despite the simplicity of signing up for a free account with a no-code solution, users need to recognize that they’re creating an administrator-level account for a powerful data-collection solution. 

So best practice no. 1 is securing your account. A surprising number of people reuse existing passwords when signing up for a new online account without recognizing two important facts: 

  • Many passwords have already been compromised through data breaches of other websites where they’ve used those passwords.
  • With the sophisticated tools and computing power today, many passwords that involve combinations of names, birthdays, etc., can be correlated with other available data about someone and deciphered rather easily (i.e., reverse birthdays + pet’s name and an exclamation point). 

You can secure your Jotform account on an organizational level through a single sign-on (SSO) integration. That way employees can access and manage their forms using a single set of login credentials that keeps them from having to manage passwords while ensuring the company’s security. 

SSO is an Enterprise-level security feature within Jotform. Talk to us today about enabling it for your business.  

2. Encrypting your data

Many casual users collect potentially sensitive data without thinking about how it’s stored. Best practice no. 2 is to encrypt your data. Ask your no-code provider how data is stored and if you can encrypt it. If so, are you in control of the encryption keys? 

With Jotform, any account holder can elect to protect form submissions with form encryption. In the Jotform Form Builder, the password protection option is under the Settings header in the Form Settings tab. 

Jotform lets you quickly and easily generate encryption keys or use your own private key. Once encrypted, no unauthorized party, not even the Jotform system administrator, can see your data.

3. Complying with regulations

During the COVID-19 pandemic, many companies rushed to find new ways to do business: food delivery, online music lessons, telemedicine. 

In this last example, many medical practices switched to collecting patient data online instead of via paper forms, since no one was coming to the office. Unfortunately, some providers failed to heed best practice no. 3 — complying with regulations. U.S. healthcare providers must abide by HIPAA regulations to protect the privacy of patient data. 

Federal agencies offered some flexibility with regard to abiding by HIPAA rules during the pandemic. But companies currently using software that isn’t HIPAA compliant need to make plans to migrate to a compliant solution before waivers expire.

The good news is that Jotform makes it easy to create HIPAA-compliant forms and identify which data elements are protected health information (PHI). 

Did you know?

HIPAA compliance for your forms is available starting with Jotform’s Gold plan.  If interested, first subscribe to one of our HIPAA-compliant plans. Next, set up HIPAA compliance with our HIPAA Upgrade Wizard. Finally, you’ll need to sign Jotform’s business associate agreement.

Other important regulations include the payment card industry’s PCI-DSS regulation for payment processing. We enable you to collect payments through our integrations with PayPal and Stripe, which are both compliant, making the process worry-free. 

4. Data localization and data subject rights

A common mistake for companies doing business in multiple countries is failing to consider local and regional laws regarding the data privacy of users. If you’re doing business in other countries, best practice no. 4 is to carefully consider the data protection laws and subjects’ rights in those areas. 

Here again, no-code solutions empower account owners, whether they know it or not, by being the custodians for whatever data they collect. 

If you’re collecting data from a resident of the European Union, you should be aware that your form submitters have a number of rights — among them the right to review all the data you’ve collected on them and the right to be deleted, both of which you should comply with. 

Fortunately, Jotform helps no-code form builders stay compliant in two ways:

  • If you mainly do business in an EU country, you can elect to keep all your data in the EU. This means you don’t have to determine the impact of exporting data. 
  • If you need to process EU data from another country, Jotform helps you with a standard Data Processing Addendum (DPA). In short, the DPA ensures the compliant transfer of personal data outside the EU and helps explain the relationship between you as the data owner and Jotform as the data processor. 

There’s no specific number of users/customers that place a company into GDPR jurisdiction, but under the law you must pay attention to where your data subjects are located. 

5. Ransomware attacks and data breaches

A final common mistake is to discount the likelihood of ransomware attacks and data breaches. Best practice no. 5 is to use a no-code provider that protects customers from such attacks.  

At present, Jotform has over 15 million active users. With that number of users, you can imagine that we store a lot of data. As a result, we ensure that data is safe from ransomware and data breaches through defensive security measures that are proprietary, though we can disclose the following:

  • We back up all data on an hourly basis using snapshots that are isolated from the main system. This means that if disaster strikes, we can always restore your data from a backup that’s no more than an hour old.
  • We monitor all access to our systems so we can detect and quickly respond to anomalous behavior, including but not limited to suspicious login events that could indicate ransomware or data exfiltration.
  • We have a team of security professionals standing by 24-7 to tackle any potential issues head-on. 

All of this means that you, as an administrator or form owner, can rest assured that as long as you follow the best practices described above, together we make it very difficult to breach Jotform data.


Today, we’re facing more security threats than ever before. The proliferation of no-code software means it’s vital that the third-party companies (and their integrations) you depend on for your daily workflows are taking the right steps to ensure data security and compliance with current privacy laws. 

As a market leader in no-code data-collection solutions, Jotform gives the security of our online forms and the data that goes into them our utmost attention. 

In addition to best-in-class data encryption, PCI certification for credit card payments, and GDPR and HIPAA compliance, we also engage in industry leading data backup and geolocalization practices.  

By choosing Jotform, you’ll be able to rest easy knowing that the data security best practices discussed here have been implemented, so you’re free to collect, manage, and use your form data with confidence.
We wish you a successful journey with Jotform, and we hope to see your business grow. Learn how you can ensure an even higher level of security for your organization with Jotform Enterprise.

This article is originally published on Mar 29, 2022, and updated on Feb 27, 2023.
Chris is a Content Marketer and Creator at Jotform who believes in creative writing as a force for positive change. Possessing a diverse professional background and skill set, Chris produces award winning thought leadership. Movies, travel, design and great food/wine with friends are among his loves. You can reach Chris through his contact form.
As Jotform's head of information security, Johannes is responsible for the strategy and implementation of the information security program that safeguards the data entrusted to Jotform. A past speaker at the RSA security conference and BrightTalk forum, Johannes enjoys contributing to the discourse on advancing cyber security. He lives with his family in Virginia.

Send Comment:

Jotform Avatar
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.