Learn how SurveyMonkey makes security our top priority when creating online forms.
As we continue to perform more and more tasks online, privacy and data security are growing concerns. Hacks and data leaks have led people to have a heightened awareness of the data that they’re entering anywhere online. It’s necessary for businesses to be hyper-vigilant about protecting customer information that’s provided to them online by using secure online forms and to let users know that they’re keeping data safe.
A key consideration when creating and using online forms is ensuring that data is properly protected. By creating forms with SurveyMonkey, you can rest assured that your data is secure. You can collect responses from your contact page, register attendees for events, sell merchandise and process payments, and more, safely with our secure online forms solution.
At SurveyMonkey, we take data security and compliance seriously. It’s essential that online data is secured at all stages when using online forms: when creating your form, when respondents are using it, during the time you’re analysing results and for as long as you’re storing it. We follow established standards for storing and protecting sensitive data, including HIPAA, ISO 27001, PCI DSS 3.2 and GDPR.
Take a look at some of the ways in which we safeguard your online data at SurveyMonkey:
As the creator of online web forms, it's likely that you will have access to sensitive, personal information. With that in mind, it’s critical that your access to this information is adequately protected. At SurveyMonkey, our login is protected with single sign-on via SAML 2.0, which protects access to your account and, therefore, access to your form responses.
SAML is an acronym for Security Assertion Markup Language and is widely used as the gold standard for protecting login information.
Depending on your specific data security needs, user access can be customised for password strength, reuse or expiry. Login can also require additional account verification if preferred.
Of course, we don’t stop at simply protecting access to your account. Your form respondents may be entering personal information, so it’s equally important that the information is stored safely. With SurveyMonkey, respondent information is stored securely in SOC 2-accredited data centres that adhere to security and technical best practices.
SOC 2 stands for System and Organization Controls 2, a security framework that governs how respondent data is managed and stored, based on five Trust Services Criteria: security, availability, processing integrity, confidentiality and privacy.
All data is transmitted securely over an HTTPS connection and encrypted using industry-standard encryption algorithms.
HTTPS is Hypertext Transfer Protocol Secure, the primary security protocol for sending data between a web browser and a website. A website with a URL that starts with HTTPS has an SSL (Secure Sockets Layer) certificate indicating that the site is secure.
Learn more about how we protect your data and three things you can do to help keep your data secure.
Collection of information using SurveyMonkey online forms is subject to all applicable compliance requirements, including:
ISO 27001
This is a globally recognised security standard as identified by the International Organization for Standardization. Its focus is on continuous security and compliance. This certification requires control audits throughout the year and annual inspections, which we are happy to comply with to keep our users’ data safe.
PCI DSS 3.2
This certification is the Payment Card Industry Data Security Standard. It protects payment cardholder data for online forms that have integrated payments. PCI DSS 3.2 uses encryption, truncation, masking and hashing to stop hackers if they somehow circumvent other security checks. This protection applies to our customers who accept online credit card payments.
GDPR Compliance
The General Data Protection Regulation is the strictest privacy and security law in the world. It regulates data privacy for EU citizens or residents using your online forms. The GDPR requires secure handling of data through the implementation of appropriate technical and organisational measures. The data from our SurveyMonkey users all around the world is protected.
HIPAA
The Health Insurance Portability and Accountability Act is a US federal law that ensures the protection of sensitive patient health information, preventing it from being disclosed without the patient’s consent. This applies to any online form from a medical practice or a medical study requesting health information. This requires a HIPAA-enabled account and a business associate agreement. HIPAA ensures that any medical information collected by our US users is completely safe and compliant with the specified standards.
SurveyMonkey also employs continuous network and security monitoring, periodic third-party security reviews and penetration testing, and a select group of trusted security partners. Our priority is the safety of your data.
The most common types of online forms invariably require you to request personally identifiable information (PII) from respondents. PII includes any information that can be used to identify an individual. Examples include email addresses, phone numbers, employee ID numbers, driving licence numbers, credit card numbers and other government-issued identification numbers.
For example, registration, application and online payment forms all require personal information in order to serve their purpose effectively.
It’s important to note that demographic information is not considered to be personally identifiable information. Although gender, race, employment status, ethnicity and geographic information (not a specific address but a region or city) are all pieces of information that may be used for customer segmentation, they cannot be used to lead a hacker to one particular individual.
Our data security practices help protect the data when it's being submitted and stored, but there are steps you can take to be even safer and put respondents’ minds at ease.
This is true for any type of online form. If you don’t need a phone number because you only contact respondents via email, then don’t ask for it. Only request details that are truly necessary for your use case. By doing this, less personally identifiable information is collected and stored and it will feel less intrusive, and safer, for those completing your online form.
Be very clear about how you will use the data that you're collecting. Nobody wants to be put on a list and receive emails that they didn’t knowingly sign up for. Reassure respondents with an explicit statement explaining how their personal information will be used. In addition to it being important information to share, this message also signals that data security and privacy are priorities for you.
Your disclosure can easily be shared in the introduction of your form, before the personal information question section or in the thank you message. In fact, you can include it in more than one place. Just make sure it's easy to see and stands out so respondents read it.
What measures are you taking to ensure that your respondents’ data is secure? Provide a link to your privacy policy and security practices that will protect any data you collect. For example, see how SurveyMonkey handles security and then determine what you need to do in terms of data protection. Once you’ve established your security measures, either outline your statements like we did here at SurveyMonkey or find your own way to explain how you're implementing data protection.
One of the aspects that respondents will be most sensitive to is sharing credit card information in an online payment form. Although there are many ways to accept online payments, SurveyMonkey has built-in payment integration that is easy to place directly into your form and extremely secure. Our integration with Stripe is convenient for respondents and simple for you to set up and use to accept payments directly from your online form. This is incredibly valuable for registration forms, order forms or other online payment forms.
Note that the integration works in such a way that payments are made directly to Stripe. No credit card information is stored by SurveyMonkey. This is one more layer of security for your respondents’ credit card information.
Whether you’re using a registration form for an event or an order form for the purchase of items from your online store, make sure your respondents’ and customers’ personal information is safe with a secure online form made with SurveyMonkey. Build your custom form, accept payments and embed the form on your website with our custom forms solution.
To get started, sign up with SurveyMonkey. Go ahead now and choose the plan that’s right for you, your team or your company.