Sensitive Data 



About Sensitive Data

If you are collecting sensitive data in your form, you can use FormAssembly's Sensitive Data feature to indicate which specific fields contain that data. This is useful for compliance with the GDPR or HIPAA, or for forms collecting payment information. Learn more about FormAssembly's security.

When you mark a field as sensitive, you can choose what type of data you are collecting:

  • Credit Card Information (Credit Card Number and CVV Code)
  • Personally Identifiable Information (PII)
  • General Sensitive Data
  • Protected Health Information (PHI) (Only available on Compliance Cloud)

Banking data, account numbers, passport numbers, and social security numbers are not required to be marked sensitive. This data will show in your responses.

FormAssembly only stores sensitive data that is not credit card information. Cardholder data is not stored on our servers, and you must use a payment connector when collecting payment information, so that cardholder data is processed securely through an approved payment gateway. Only the last 4 digits of a Credit Card Number will be stored and viewable in the response data within FormAssembly, e.g., xxxxxxxx1234. CVV code data is never stored.


Mark fields as Sensitive

You can add Sensitive Data settings in the Form Builder:

  1. Select the question that will be used to collect sensitive data.
  2. Click the Options button in the editing toolbar.
  3. In the Field Properties sidebar, click the Sensitive Data section.
  4. In the Sensitive Data Type drop-down menu, choose the option for your field.

You will see a flag on the Form Builder canvas labeled "Sensitive" next to any field marked as Sensitive.

Any cardholder data that is marked as Sensitive will be masked by default in your responses and in any connectors you may be using. All other types of sensitive data will not be masked.


Personally Identifiable Information

You can mark certain fields as collecting Personally Identifiable Information (PII).

PII is any information that can be used to identify an individual, such as a name, email address, social security number, or driver's license number.

Unlike credit card data fields, fields that are marked as containing PII will be saved in your responses as submitted. They will not be masked in the response data. 

NOTE: This option is available in Form Builder 5.0. Please upgrade your form to utilize this feature.


General Sensitive Data

There may be certain fields you wish to mark as containing sensitive data, even if they are not PII, PHI, or credit card information.

For any information you would like to mark as sensitive that does not fall into another category, you can use the "General Sensitive Data" category.

Unlike credit card data fields, fields that are marked as containing General Sensitive Data will be saved in your responses as submitted. They will not be masked in the response data. 

NOTE: This option is available in Form Builder 5.0. Please upgrade your form to utilize this feature.


Respondent Data Relationship Classification

For every field marked as sensitive, you have the option to define the respondent data relationship classification.

In accordance with the GDPR, it's helpful to label the respondent data relationship. This allows you to define whether the person filling out the form is completing it for themselves, completing it for a third party, or whether this is unknown. These three possibilities are explained below:

  • Unspecified: It is unknown which party this field is collecting data about. For compliance purposes, you may classify this field as either First Party or Third Party.
  • First Party: This field will be collecting data about the person filling out this form.
  • Third Party: This field will be collecting data about someone other than the person filling out this form.


Using the Save and Resume Feature

We do not advise using the Save and Resume Feature in tandem with sensitive data fields collecting payment information.

If a user saves and resumes a form, the fields that have been marked as "Credit Card Number" or "CVV Code" will be cleared. The previous information that the user entered into the field will no longer be available.

PII, PHI, and General Sensitive Data can be resumed with the stored values displaying, like other fields.


Form Moderation

All new FormAssembly forms on Professional and Premier plans go through a moderation process to ensure they are collecting appropriate information that will be used in an ethical and legal manner.

By marking fields that collect credit card information or banking information as Sensitive Data, you help allow for a faster moderation experience, which will help get your form up and running as quickly as possible.
