Product Security Assessment: Request for Support and Evaluation Assistance

  • Sameer Patil
    Asked on June 4, 2026 at 2:34 PM

    Our design team is procuring Jotform. I need to get in touch with someone who can help us with a product security assessment and evaluation.

  • Podo: Support Specialist
    Replied on June 4, 2026 at 2:35 PM

    Hi Sameer,

    Thanks for reaching out to Jotform Support. I'm an AI assistant here to assist you.

    For a product security assessment and evaluation, you can rely on Jotform’s existing security and compliance documentation and infrastructure details, which are designed to address typical security questionnaires and due‑diligence reviews.

    Here are key points you can share with your security and procurement teams:

    Data centers and certifications

    • Hosting providers: Jotform uses Google Cloud as the primary platform and Amazon Web Services (AWS) as the secondary platform; Jotform does not maintain in‑house servers.
    • Compliance of hosting platforms:
      • Google Cloud complies with SSAE16 / ISAE 3402 Type II, SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017 (Cloud Security), ISO 27018 (Cloud Privacy), and PCI DSS v3.2, and it enables HIPAA compliance. More details are available on the Google Cloud compliance page at cloud.google.com/security/compliance.
      • AWS complies with SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017 (Cloud Security), ISO 27018 (Cloud Privacy), and PCI DSS Level 1, and it also enables HIPAA compliance. More details are available on the AWS compliance page at aws.amazon.com/compliance.
    • You can find an overview of Jotform’s own security posture, including data center locations, under the Data Centers and Security Audits sections on the Jotform security page at jotform.com/security.

    Application and infrastructure security

    • Encryption: All data is encrypted in transit, end to end, and at rest. Log data is also encrypted to mitigate the risk of sensitive data being stored in log files.
    • Intrusion detection: Jotform uses a Host Intrusion Detection System (HIDS) on application servers and a Network Intrusion Detection System (NIDS) on development offices. Additionally, PCI intrusion detection policies are applied as defined by PCI requirements.
    • Vulnerability management: All customer and internal networks are regularly scanned for vulnerabilities, and systems are regularly tested against external and internal threats.
    • Access control: Access controls follow a minimum necessary access principle and default to no access unless manually granted. All access requests, changes, and approvals are tracked and retained.
    • Network and system access: Secure, encrypted access is the only form of public access enabled to servers. To gain full access to Jotform systems, users must log in via 2‑factor authentication through VPN, authenticate as a regular user, and then temporarily elevate privileges as needed.

    Data protection, backups, and continuity

    • Segmentation: All customer data is segmented, and platform customers have a dedicated overlay network (subnet) for additional network segmentation.
    • Monitoring and auditing: All network requests (successful and unsuccessful) and system logs are recorded. API requests involving PHI (GET, POST, PUT, DELETE) log the requester, location, and data changed or viewed. Log data is encrypted and unified to enable secure access to full historical activity records.
    • Backups: All customer data is backed up every 24 hours, and seven days of rolling backups are retained.
    • Disaster recovery: Jotform maintains an audited and regularly tested disaster recovery plan, which also applies to customers.

    Compliance and HIPAA

    • Jotform provides a HIPAA-friendly environment. The architecture includes:
      • End‑to‑end encryption in transit and at rest
      • Minimum necessary access and strict access tracking
      • Intrusion detection and file integrity monitoring (e.g., via OSSEC)
      • Regular risk assessments and mitigation before infrastructure changes are pushed to production
      • Regular review of security and compliance documentation
      • Regular HIPAA and security training for workforce members, even though they do not access customers’ ePHI
    • You can review an overview of HIPAA-related controls and architecture on the Jotform HIPAA page at jotform.com/hipaa and the detailed help article at jotform.com/help/506-jotform-hipaa-compliance.

    Organizational security

    • Employee screening: All Jotform employees must pass a rigorous screening process at the time of hiring.
    • Confidentiality: All employees must sign and are bound by a non‑disclosure agreement (NDA).

    If your security or procurement team has a formal questionnaire, they can typically map their questions to the information available on the Jotform Security and Jotform HIPAA pages, plus the compliance documentation of Google Cloud and AWS linked above.

    After we hear back from you, we’ll have a better idea of what’s going on and how to help.

    Let us know if you have any other questions.
