Jotform Security Full Analysis of Data Protection Features

Written by Muzi

Full Stack Web Developer and Digital Entrepreneur with a focused expertise in creating high-utility digital platforms that make complex technology straightforward for everyday users.

Updated May 2026 · 8 min read

💡 Quick Answer

Jotform is secure for general-purpose form data collection. It uses SSL/TLS encryption in transit, AES-256 encryption at rest, is SOC 2 Type II certified, and is PCI DSS compliant for payment forms. HIPAA compliance (for health data) requires the Gold or Enterprise plan with HIPAA mode enabled. GDPR and CCPA compliance tools are available on all plans.

Jotform Encryption Standards

Jotform uses two layers of encryption to protect form data:

  • In-transit encryption: All data moving between users' browsers and Jotform servers is encrypted using TLS 1.2/1.3 (still commonly referred to as SSL). Jotform form URLs use HTTPS, and Jotform maintains the TLS certificate for all Jotform-hosted forms.
  • At-rest encryption: Data stored on Jotform servers is encrypted using AES-256, the same standard used by banks and government agencies. This applies to form submissions, file uploads, and account data.

For healthcare-specific encryption controls, HIPAA mode (Gold/Enterprise) adds further access restrictions and encrypted email handling. See "Is Jotform HIPAA Compliant".

Jotform Security Certifications

Certification / Standard | Jotform Status         | Applicable Plans
SOC 2 Type II            | ✓ Certified            | All plans (report on request for Enterprise)
PCI DSS                  | ✓ Compliant            | All plans (payment forms)
HIPAA                    | ✓ Available            | Gold and Enterprise only
GDPR                     | ✓ Tools available      | All plans
CCPA                     | ✓ Tools available      | All plans
ISO 27001                | Not publicly confirmed | N/A

Where Jotform Stores Your Data

Jotform's secure infrastructure runs on Amazon Web Services (AWS). By default, data is stored in AWS US East (N. Virginia). Key infrastructure facts:

  • AWS data centers have SOC 1, SOC 2, and ISO 27001 certifications
  • Redundant backups prevent data loss from hardware failures
  • 99.9% uptime maintained historically on standard plans
  • Enterprise customers can request EU or other regional data residency

Jotform Access Controls

Access to Jotform forms is controlled through several mechanisms:

  • Form passwords — require a password to access and submit a form
  • IP restriction — limit form access to specific IP addresses (Enterprise)
  • One-submission limit — prevent the same user from submitting more than once
  • SSL-only forms — enforce HTTPS for all form interactions
  • Encrypted submissions — end-to-end encryption for form data (available on some plans)
  • Two-factor authentication (2FA) — for Jotform account login
  • CAPTCHA — prevent spam and bot submissions

Jotform GDPR and CCPA Compliance

Jotform provides tools to help organizations comply with GDPR (EU) and CCPA (California) requirements:

  • Cookie consent banner settings
  • Data processing agreement (DPA) for EU users
  • Right-to-erasure: delete specific user submissions on request
  • Privacy notice field for forms (consent checkbox)
  • Data export: download all collected data

Known Jotform Security Limitations

  • Jotform staff data access: On standard plans (Free–Silver), Jotform staff retain technical access to your data for support purposes. HIPAA mode (Gold/Enterprise) restricts this.
  • No end-to-end encryption by default: Standard submissions are readable by Jotform in normal operations. True end-to-end encryption (where only you can read submissions) requires additional configuration.
  • Third-party integrations: When you connect Jotform to Google Sheets, Salesforce, or other services, data security also depends on those services' policies.

Frequently Asked Questions

Is Jotform secure for collecting sensitive data?
Yes, with conditions. Jotform uses SSL/TLS encryption for all data in transit and AES-256 encryption at rest. For sensitive data like personal information, it is secure on all plans. For healthcare data (PHI), you must use the Gold or Enterprise plan with HIPAA mode enabled.
Is Jotform SOC 2 certified?
Yes. Jotform holds a SOC 2 Type II certification, which means an independent auditor has verified that Jotform's security controls meet the Trust Services Criteria for security, availability, and confidentiality. The SOC 2 report is available to Enterprise customers under NDA.
Where is Jotform data stored?
Jotform stores data in Amazon Web Services (AWS) data centers in the United States by default. Enterprise customers can request data residency in other regions including the EU. All data centers maintain physical security controls and redundant backups.
Can Jotform employees see my form submissions?
In standard plans, Jotform staff technically have the ability to access data for support and maintenance purposes. With HIPAA mode enabled (Gold/Enterprise), Jotform restricts its own staff's access to your data as part of the BAA terms. For maximum privacy, Enterprise with enhanced access controls is recommended.
Is Jotform GDPR compliant?
Yes. Jotform provides GDPR compliance tools including cookie consent settings, data processing agreement (DPA) for EU users, right-to-erasure tools, and privacy notice fields for forms. EU users should review the Jotform privacy settings and sign the DPA available in account settings.