Forms & data security
Before you create a form in SiteBuilder, consider:
- the sort of data you're collecting
- the context in which you're collecting the data
All forms use HTTPS, which encrypts the form submission data sent from the user's computer to the SiteBuilder database. You should ensure that the permissions to view submission data for your form are appropriate.
Email notifications and email receipts
Email is not a secure medium for sending personal or sensitive data because it is not encrypted. By default, email notifications to administrators do not include submission data – the emails contain a link to view the submission data in SiteBuilder. However, you can override this option in the form properties.
You should also avoid offering, or automatically sending, email receipts to users of forms which collect sensitive or personal data because receipts contain the submission data. The default setting for this, which you can change in the form properties, is to offer users an email receipt.
For payment forms, it is not possible to include submission data or attached files in the submission notifications. Although sending email receipts to users is optional via the form, users who have made a successful payment will still receive an email receipt from Online Payments, which includes the transaction ID and payment amount.
Personal details
If you want to collect information such as name, address or telephone number, it's your responsibility as the form owner to consider the context in which you're collecting that data. For example, collecting contact details as part of a survey on harassment is probably inappropriate. Collecting contact details for a conference registration may be acceptable.