// Trust & Security Report
Jotform Inc.
Online form builder and no-code data collection platform with payments, e-signatures, apps, tables, and AI agents/app builder. Consumer/SMB self-serve tiers plus Jotform Enterprise and Jotform Government (GovRAMP track).
Certifications held
10
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on jotform.com“Jotform is PCI DSS Service Provider Level 1 compliant, the highest security attainment you can have as a business that collects payments from and integrates with credit cards.”
Verify on jotform.com“Jotform is committed to upholding all five SOC 2 Trust Service Principles: security, confidentiality, availability, privacy, and processing integrity. We offer a SOC 2 compliance solution to our Enterprise customers. (A dedicated Jotform blog post, 'Announcing: SOC 2 Type II compliance for Jotform Enterprise,' confirms the attestation is scoped to Jotform Enterprise.)”
Verify on jotform.com“Jotform is compliant with the European Union's General Data Protection Regulation (GDPR), which governs businesses that collect personally-identifiable information from or on EU citizens.”
Verify on jotform.com“Jotform is compliant with the California Consumer Privacy Act (CCPA), which, among other things, prohibits the selling of personal information of California residents without their consent.”
Verify on jotform.com“With Jotform's HIPAA features, healthcare providers can collect patient information through forms that make HIPAA compliance easier. A Business Associate Agreement (BAA) is also available for our Enterprise customers.”
Verify on jotform.com“We work with educational organizations to provide transparency about the handling and processing of students' personal information in our forms, apps, and other products, to ensure compliance with FERPA.”
Verify on jotform.com“Jotform Government has been built and is being managed according to security controls common to both FedRAMP and GovRAMP, as documented in NIST Special Publication 800-53 Revision 5. Jotform is currently in the Progressing Snapshot Program of GovRAMP.”
Verify on jotform.com“Jotform has used the Higher Education Community Vendor Assessment Toolkit, also known as HECVAT, to assess our Enterprise product and ensure the security and safety of our higher education partners.”
Verify on jotform.com“Jotform Enterprise is now an approved supplier on the Crown Commercial Service's G-Cloud 14 framework.”
Verify on jotform.com“No claim of a Jotform-held ISO 27001 certificate appears on Jotform's own trust/security pages. ISO 27001 coverage referenced is at the underlying cloud-infrastructure level (Google Cloud and AWS), not a Jotform corporate certificate.”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
US (Google Cloud Iowa, AWS Virginia) by default; EU option stores data in Frankfurt, Germany (Google Cloud + AWS). Jotform Enterprise offers local data residency in additional regions (Australia, Canada, UK, EU and others). All data is replicated cross-cloud but remains in-region.
Jotform's AI Policy states 'Your personal data is never used to train or improve our underlying AI systems.' Form-field content you submit MAY be used to train YOUR OWN AI agent (personalization), not Jotform's global models. AI features are powered by third-party providers including OpenAI; Jotform states customer content sent to OpenAI is processed under OpenAI's Zero Data Retention program and not used by OpenAI for training. Caveat: the policy also notes 'some or all of our AI providers like OpenAI do use data to train their AI models,' so model-provider behavior can vary by feature. No explicit per-account AI opt-out toggle is documented; EU data-residency option is available.
// Security controls
Form-level encryption at rest
Optional user-controlled form encryption using 2048-bit RSA keys; submissions encrypted at the user's computer then stored encrypted (file uploads not covered)
jotform.comPenetration testing
Yes - 'penetration tests are performed periodically' in addition to quarterly internal/external PCI ASV scans
jotform.comBug bounty program
Yes - paid program for outside researchers ('We also have a bug bounty program for which we pay outside parties to report vulnerabilities'); specific platform (HackerOne/Bugcrowd) not named on the security page
jotform.comAuthentication
Two-factor authentication (2FA) for all accounts; SAML SSO (Active Directory, Okta, Google, OneLogin) and Multi-SSO for Enterprise
jotform.comNetwork / DDoS
Cloudflare routing/DDoS filtering, OSSEC intrusion detection, VPN-only server access via 2048-bit encrypted connections
jotform.comAvailability / SLA
~99.9% uptime claim; active-active redundancy across Google Cloud (primary) and AWS (secondary) with hourly snapshots retained 30 days
jotform.com// Products & data scope
data: Collects form submissions, payments, file uploads. US data region by default; user-enabled EU servers (Frankfurt). PCI Level 1, GDPR, CCPA apply. DPA available to all users.
HIPAA features and BAA, SOC 2 report, and SSO are reserved for Enterprise; self-serve tiers share core encryption, 2FA, and form-privacy controls.
data: Local data residency in multiple regions, SSO/SAML + Multi-SSO, role-based access, white-labeling, BAA for HIPAA, SOC 2 Type II solution, HECVAT, G-Cloud 14.
This is the tier carrying the strongest compliance posture; most enterprise certs/attestations are scoped here.
data: Built to FedRAMP/GovRAMP-aligned NIST 800-53 Rev 5 controls; currently in GovRAMP (formerly StateRAMP) Progressing Snapshot program - not yet authorized.
Treat GovRAMP as in-progress, not a completed authorization.
data: Powered by third-party LLMs incl. OpenAI. Personal data not used to train Jotform's underlying AI; form-field content may train the customer's own agent. OpenAI usage stated under Zero Data Retention.
Buyers handling sensitive/regulated data via AI Agents should review the AI Policy and confirm third-party model data flows for their specific use case.
// What to watch
- SOC 2 Type II is scoped to Jotform Enterprise, not self-serve plans; no public SOC 2 report download on Jotform's own domain (NDA-gated).
- ISO 27001 is referenced only at the cloud-infrastructure level (Google Cloud/AWS); Jotform does not claim a corporate ISO 27001 certificate.
- GovRAMP/StateRAMP is in-progress (Snapshot program), not an authorization - do not present as 'certified.'
- Bug bounty exists but platform (HackerOne/Bugcrowd) is not named publicly.
- AI data-use has nuance: personal data excluded from training, but form-field content may train the customer's own agent and third-party model-provider behavior varies by feature - regulated-data buyers should diligence the AI Policy.
- No dedicated machine-readable trust portal (e.g., Vanta/SafeBase) found; compliance evidence is request-based for SOC 2/BAA.
// At a glance
Pricing model
Freemium SaaS with tiered subscriptions (Free, Bronze, Silver, Gold) plus custom-priced Jotform Enterprise and Jotform Government
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Jotform Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
jotform.com