// Trust & Security Report

    Jotform Inc. logo

    Jotform Inc.

    Online form builder and no-code data collection platform with payments, e-signatures, apps, tables, and AI agents/app builder. Consumer/SMB self-serve tiers plus Jotform Enterprise and Jotform Government (GovRAMP track).

    Certifications held

    10

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    PCI DSS Service Provider Level 1
    HELD

    Jotform is PCI DSS Service Provider Level 1 compliant, the highest security attainment you can have as a business that collects payments from and integrates with credit cards.

    Verify on jotform.com
    SOC 2 Type II
    HELD

    Jotform is committed to upholding all five SOC 2 Trust Service Principles: security, confidentiality, availability, privacy, and processing integrity. We offer a SOC 2 compliance solution to our Enterprise customers. (A dedicated Jotform blog post, 'Announcing: SOC 2 Type II compliance for Jotform Enterprise,' confirms the attestation is scoped to Jotform Enterprise.)

    Verify on jotform.com
    GDPR compliance
    HELD

    Jotform is compliant with the European Union's General Data Protection Regulation (GDPR), which governs businesses that collect personally-identifiable information from or on EU citizens.

    Verify on jotform.com
    CCPA compliance
    HELD

    Jotform is compliant with the California Consumer Privacy Act (CCPA), which, among other things, prohibits the selling of personal information of California residents without their consent.

    Verify on jotform.com
    HIPAA (BAA available)
    HELD

    With Jotform's HIPAA features, healthcare providers can collect patient information through forms that make HIPAA compliance easier. A Business Associate Agreement (BAA) is also available for our Enterprise customers.

    Verify on jotform.com
    FERPA compliance
    HELD

    We work with educational organizations to provide transparency about the handling and processing of students' personal information in our forms, apps, and other products, to ensure compliance with FERPA.

    Verify on jotform.com
    GovRAMP / StateRAMP (in progress, not authorized)
    HELD

    Jotform Government has been built and is being managed according to security controls common to both FedRAMP and GovRAMP, as documented in NIST Special Publication 800-53 Revision 5. Jotform is currently in the Progressing Snapshot Program of GovRAMP.

    Verify on jotform.com
    HECVAT (higher-ed self-assessment)
    HELD

    Jotform has used the Higher Education Community Vendor Assessment Toolkit, also known as HECVAT, to assess our Enterprise product and ensure the security and safety of our higher education partners.

    Verify on jotform.com
    UK G-Cloud 14 (Crown Commercial Service supplier)
    HELD

    Jotform Enterprise is now an approved supplier on the Crown Commercial Service's G-Cloud 14 framework.

    Verify on jotform.com
    ISO 27001
    HELD

    No claim of a Jotform-held ISO 27001 certificate appears on Jotform's own trust/security pages. ISO 27001 coverage referenced is at the underlying cloud-infrastructure level (Google Cloud and AWS), not a Jotform corporate certificate.

    Verify on jotform.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    US (Google Cloud Iowa, AWS Virginia) by default; EU option stores data in Frankfurt, Germany (Google Cloud + AWS). Jotform Enterprise offers local data residency in additional regions (Australia, Canada, UK, EU and others). All data is replicated cross-cloud but remains in-region.

    Jotform's AI Policy states 'Your personal data is never used to train or improve our underlying AI systems.' Form-field content you submit MAY be used to train YOUR OWN AI agent (personalization), not Jotform's global models. AI features are powered by third-party providers including OpenAI; Jotform states customer content sent to OpenAI is processed under OpenAI's Zero Data Retention program and not used by OpenAI for training. Caveat: the policy also notes 'some or all of our AI providers like OpenAI do use data to train their AI models,' so model-provider behavior can vary by feature. No explicit per-account AI opt-out toggle is documented; EU data-residency option is available.

    // Security controls

    Encryption in transit

    TLS 1.2 with SHA256/RSA, 256-bit SSL across all plans

    jotform.com

    Form-level encryption at rest

    Optional user-controlled form encryption using 2048-bit RSA keys; submissions encrypted at the user's computer then stored encrypted (file uploads not covered)

    jotform.com

    Penetration testing

    Yes - 'penetration tests are performed periodically' in addition to quarterly internal/external PCI ASV scans

    jotform.com

    Bug bounty program

    Yes - paid program for outside researchers ('We also have a bug bounty program for which we pay outside parties to report vulnerabilities'); specific platform (HackerOne/Bugcrowd) not named on the security page

    jotform.com

    Authentication

    Two-factor authentication (2FA) for all accounts; SAML SSO (Active Directory, Okta, Google, OneLogin) and Multi-SSO for Enterprise

    jotform.com

    Network / DDoS

    Cloudflare routing/DDoS filtering, OSSEC intrusion detection, VPN-only server access via 2048-bit encrypted connections

    jotform.com

    Availability / SLA

    ~99.9% uptime claim; active-active redundancy across Google Cloud (primary) and AWS (secondary) with hourly snapshots retained 30 days

    jotform.com

    // Products & data scope

    Jotform (free / Bronze / Silver / Gold self-serve)Online form builder + payments + apps/tables

    data: Collects form submissions, payments, file uploads. US data region by default; user-enabled EU servers (Frankfurt). PCI Level 1, GDPR, CCPA apply. DPA available to all users.

    HIPAA features and BAA, SOC 2 report, and SSO are reserved for Enterprise; self-serve tiers share core encryption, 2FA, and form-privacy controls.

    Jotform EnterpriseOrg-wide no-code forms/workflows

    data: Local data residency in multiple regions, SSO/SAML + Multi-SSO, role-based access, white-labeling, BAA for HIPAA, SOC 2 Type II solution, HECVAT, G-Cloud 14.

    This is the tier carrying the strongest compliance posture; most enterprise certs/attestations are scoped here.

    Jotform GovernmentPublic-sector forms

    data: Built to FedRAMP/GovRAMP-aligned NIST 800-53 Rev 5 controls; currently in GovRAMP (formerly StateRAMP) Progressing Snapshot program - not yet authorized.

    Treat GovRAMP as in-progress, not a completed authorization.

    Jotform AI (AI Agents, AI App Builder, AI Form Builder)AI-assisted form/app generation and conversational agents

    data: Powered by third-party LLMs incl. OpenAI. Personal data not used to train Jotform's underlying AI; form-field content may train the customer's own agent. OpenAI usage stated under Zero Data Retention.

    Buyers handling sensitive/regulated data via AI Agents should review the AI Policy and confirm third-party model data flows for their specific use case.

    // What to watch

    • SOC 2 Type II is scoped to Jotform Enterprise, not self-serve plans; no public SOC 2 report download on Jotform's own domain (NDA-gated).
    • ISO 27001 is referenced only at the cloud-infrastructure level (Google Cloud/AWS); Jotform does not claim a corporate ISO 27001 certificate.
    • GovRAMP/StateRAMP is in-progress (Snapshot program), not an authorization - do not present as 'certified.'
    • Bug bounty exists but platform (HackerOne/Bugcrowd) is not named publicly.
    • AI data-use has nuance: personal data excluded from training, but form-field content may train the customer's own agent and third-party model-provider behavior varies by feature - regulated-data buyers should diligence the AI Policy.
    • No dedicated machine-readable trust portal (e.g., Vanta/SafeBase) found; compliance evidence is request-based for SOC 2/BAA.

    // At a glance

    Pricing model

    Freemium SaaS with tiered subscriptions (Free, Bronze, Silver, Gold) plus custom-priced Jotform Enterprise and Jotform Government

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Jotform Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    jotform.com

    > Browse all vendor trust reports