Can I capture sensitive and/or private information on forms?

At Paperform, we take privacy security seriously. We work hard to help respondents make good decisions about which data they share. Unfortunately, there are some shady characters out there in the world who use forms to take advantage of others. As such, we have strict policies on the data you are able to collect from forms. Further, we have systems that may flag forms are "suspicious" so that we may safeguard respondents while we review the account and its forms.

Permitted (after approval) items

  • Non-military ID or driver license information or uploads
  • Social Security Numbers (SSN) or equivalent
  • Other sensitive information, as deemed acceptable by Paperform

Prohibited items

  • Credit or debit card information outside of a supported payment gateway
  • Military ID information or uploads

Prohibited items are prohibited at all times with no exception.

For example, you may not collect card information on the form directly (i.e. using questions you create) as this would be outside of a supported payment gateway, regardless of use case or other circumstance.

Refer to our documentation on collecting payments on forms in a supported manner.

Account review

If you request sensitive or potentially sensitive information, our system will automatically notify us. We understand that you may trigger this warning when creating legitimate forms and a review process will be triggered automatically as well. The review process will be complete within 48 hours of the warning appearing on your forms.

If necessary, we will contact you via your account or notification email address to request changes to your forms or provide requirements that must be met to continue the collection of certain information.

You will have 48 hours to make the changes or meet the requirements. Otherwise, any infringing forms will be deleted.

Additionally, we may, at our discretion, determine that the collection of less-sensitive information that is combined with other requested information may introduce a higher level of sensitivity than it would in isolation and it may be treated in the same manner as sensitive information.

If the account is reviewed and found to be malicious, the account will be blocked as soon as a determination of malice is complete. We reserve the right to remove, delete, or take down at any time and without justification to you any forms of Member Content that you create through the Website and Services that actually or apparently breach our Terms or the intellectual property of any third party.

It's a shame we have to have these preventative measures, but we've got to do right by everyone who uses Paperform.

If you need any more information, contact us at support@paperform.co.

Ongoing security is your responsibility

While Paperform systems are secure, the data you capture is only as safe as you make it. Customers are responsible for the ongoing security and compliance of any data that is captured by their forms through Paperform services.

This may include opting to not use certain functionality like email summaries, or configuring additional security settings like bringing your own S3 bucket to enable private file uploads.

File uploads

Files uploaded to Paperform on forms are by default available via a unique URL. This URL gives access to the uploaded file to anyone who has it - so treat the security of this URL as you would the security of the file itself.

Customers who are capturing sensitive information can opt to bring their own S3 bucket to store files in, which can be configured to store files privately. This may impact the expected behavior of other features like accessing files via email, submission exports or integrations with third parties. To configure private uploads see more here.

Compliance with Regulations

Paperform is SOC2 Type II and GDPR compliant. We are not however HIPAA compliant, and as such do not support capturing PHI in the US. For any other required compliance or regions outside of the US you are responsible for the compliant use of our forms.