Protect the data you collect: Creating secure online forms

As we continue to perform more and more tasks online, privacy and data security are growing concerns. Hacks and data leaks have led people to have a heightened awareness of the data they’re entering anywhere online. It’s necessary for businesses to be hyper-vigilant about protecting customer information that’s provided to them online by using secure online forms—and to let users know that they’re keeping data safe.

A key consideration in creating and using online forms is ensuring that data is properly protected. By creating forms with SurveyMonkey, you can rest assured that your data is secure. You can collect responses from your contact page, register attendees for events, sell merchandise and process payments, and more, safely with our secure online forms solution.

At SurveyMonkey, we take data security and compliance seriously. It’s essential that online data is secured at all stages when using online forms—when creating your form, when respondents are using it, during the time you’re analyzing results, and for as long as you’re storing it. We follow established standards for storing and protecting sensitive data, including HIPAA, ISO 27001, PCI DSS 3.2, and GDPR. 

Take a look at some of the ways we safeguard your online data at SurveyMonkey:

As the creator of online web forms, you will likely have access to sensitive, personal information. With that in mind, it’s critical that your access to this information is adequately protected. At SurveyMonkey, our login is protected with single sign-on via SAML 2.0, which protects access to your account and, therefore, access to your form responses.

SAML is an acronym for Security Assertion Markup Language and is widely used as the gold standard for protecting login information. 

Depending on your specific data security needs, user access can be customized for password strength, reuse, or expiration. Login can also require additional account verification if preferred.

Of course, we don’t stop at simply protecting access to your account. Your form respondents may be entering personal information, so it’s equally important that the information is stored safely. With SurveyMonkey, respondent information is stored securely in SOC 2 accredited data centers that adhere to security and technical best practices.

SOC 2 stands for Systems and Organization Controls 2, a security framework that manages and stores respondent data based on five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.

All data is transmitted securely over an HTTPS connection and encrypted using industry-standard encryption algorithms.

HTTPS is Hypertext Transfer Protocol Secure, the primary security protocol for sending data between a web browser and a website. A website with a URL that starts with HTTPS has an SSL (Secure Sockets Layer) certificate indicating that the site is secure.

Learn more about how we protect your data and three things you can do to help keep your data secure.

Collection of information using SurveyMonkey online forms is subject to all applicable compliance requirements, including:

ISO 27001

This is a globally recognized security standard as identified by the International Organization for Standardization. Its focus is on continuous security and compliance. This certification requires control audits throughout the year and annual inspections, which we are happy to comply with to keep our users’ data safe.

PCI DSS 3.2

This certification is the Payment Card Industry Data Security Standard. It protects payment cardholder data for online forms that have integrated payments. PCI DSS 3.2 uses encryption, truncation, masking, and hashing to stop hackers if they somehow circumvent other security checks. This protection applies to our customers who accept online credit card payments.

GDPR Compliance

The General Data Protection Regulation is the strictest privacy security law in the world. It regulates data privacy for EU citizens or residents using your online forms. The GDPR requires data to be handled securely by implementing appropriate technical and organizational measures. The data from our SurveyMonkey users from around the world is protected.

HIPAA

The Health Insurance Portability and Accountability Act is a US federal law that ensures the protection of sensitive patient health information from being disclosed without the patient’s consent. This applies to any online form from a medical office or a medical study requesting health information. This requires a HIPAA-enabled account and a business associate agreement. HIPAA ensures that any medical information collected by our US users is completely safe and compliant with the standards set forth.

SurveyMonkey also employs continuous network and security monitoring, periodic third-party security reviews and penetration testing, and a select group of trusted security partners. Our priority is the safety of your data.

The most common types of online forms invariably require you to request personally identifiable information (PII) from respondents. PII includes any information that can be used to identify an individual. For example, email addresses, phone numbers, employee ID numbers, driver’s license, credit card numbers, or other government-issued identification numbers, etc. 

For example, registration, application, and online payment forms all require personal information to be effective in their purposes. 

It’s important to note that demographic information is not personally identifiable information. Gender, race, employment status, ethnicity, and geographic information (not a specific address, but region or city), are all pieces of information that may be used for customer segmentation, but cannot be used to lead a hacker to one particular person.

Our data security practices help protect the data when it is being submitted and stored, but there are steps you can take to be even safer—and put respondents’ minds at ease.

This is true for any type of online form. If you don’t need a phone number because you only contact respondents via email, then don’t ask for it. Only request details that are truly necessary for your use case. By doing this, less personally-identifiable information is collected and stored, and it will feel less intrusive—and safer—to those completing your online form.

Be very clear about how you will use the data you are collecting. Nobody wants to be put on a list and receive emails they didn’t knowingly sign up for. Reassure respondents with an explicit statement of how their personal information will be used. In addition to it being important information to share, this message also signals that data security and privacy are priorities for you.

Your disclosure can easily be shared in the introduction of your form, before the personal information question section, or in the thank you message. In fact, you can include it in more than one place. Just make sure it is easy to see and stands out so respondents read it. 

What measures are you taking to ensure your respondents’ data is secure? Provide a link to your privacy policy and security practices that will protect any data you collect. For example, see how SurveyMonkey handles security and then determine what you need to do in terms of data protection. Once you’ve established your security measures, outline your statements like we did here at SurveyMonkey, or find your own way to explain how you are implementing data protection.

One of the areas respondents will be most sensitive to is sharing credit card information in an online payment form. While there are many ways to accept online payments, SurveyMonkey has a built-in payment integration that is easy to place directly into your form and is extremely secure. Our integration with Stripe is convenient for respondents and simple for you to set up and use to accept payments directly from your online form. This is incredibly valuable for registration forms, order forms, or other online payment forms.

Note that the integration works in such a way that payments are made directly to Stripe. No credit card information is stored by SurveyMonkey. This is one more layer of security for your respondents’ credit card information.

Whether you’re using a registration form for an event or order form for the purchase of items from your online store, make sure your respondents’ and customers’ personal information is safe with a secure online form made with SurveyMonkey. Build your custom form, accept payments, and embed the form on your website with our custom forms solution.

To get started, sign up with SurveyMonkey! Choose the plan that’s right for you, your team, or your company now.