EDIT: Cognito Forms now supports full encryption of all entry data and uploaded files at rest. Furthermore, you can mark sensitive fields as protected to ensure they are not inadvertently transmitted insecurely, such as through email notifications or insecure redirects/webhooks.
Learn more about Cognito Forms security at: https://www.cognitoforms.com/support/74/entries/data-security
Excellent question! I am a developer for Cognito Forms and am glad to answer this.
First, we need to document this as a separate page in our help documentation to make this very clear, but we do discuss our security a bit at the bottom of the How to Setup Payment page. To expand upon this, here is what we do to protect the security of our customers' data:
Cognito Forms is always accessed over HTTPS 100% of the time for all users.
Cognito Forms is hosted securely on the Microsoft Azure cloud platform, which is PCI (DSS) Level 1 AND HIPAA compliant, and we have a HIPAA BAA with Microsoft.
Access to our production environment is limited to two individuals, requiring two-factor authentication to deploy updates or access a secure system for limited troubleshooting.
We do not look at entry data for our customers unless requested to through an official support request. The details of our concern over data privacy are detailed in the Cognito Privacy Policy.
Customer data is carefully segregated at the lowest architectural level in Cognito Forms to ensure that data for one organization cannot be accessed by another.
We partner with Stripe for credit card processing so that secure payment information is never transmitted or stored by Cognito Forms. We also take measures to prevent malicious scripts on sites we are embedded in from stealing this information.
The Cognito Forms architecture is unique and highly specialized for massive scale while maintaining data isolation. It does not use transitional databases and is not vulnerable to SQL injection attacks.
Production access credentials for storage and encryption tokens used to encrypt sensitive organization data are stored in an Azure credential store and are not stored within our own development environments.
Finally, all text data stored by Cognito Forms is sanitized to prevent JavaScript injection attacks, which someone might attempt to leverage by submitting JavaScript as entry data to maliciously access other entry data by compromising our customers' browsers when managing entries.
What we have not done yet, but plan to, is to allow our customers to indicate that a form, or portions of a form, contain sensitive data that must be treated as carefully as possible, such as HIPAA, PCI, or PII data. We could easily support encrypting the data, but this feature must and will go further to ensure this sensitive data is never emailed or otherwise transmitted in an insecure way (i.e., we will help our customers ensure the data is protected). Since this is not yet in place, we discourage the storing of sensitive information that should be encrypted at rest, such as Social Security and driver's license numbers, medical patient data (HIPAA), etc.
As you can see, we have definitely thought a lot about the security of Cognito Forms. At the same time, we know that there are constant threats and we need to continue to refine our processes to ensure the safety of our customers' data in Cognito Forms.
Great question!
You can find most of the answers in our help topic on data security, but I will specifically address each of your questions:
If you delete a form and/or entries for a form, this information is permanently deleted. We are researching ways to provide recovery options for accidental deletes, but this will be an "opt-in" option as our goal is to ensure it is easy to permanently delete data.
Cognito Forms stores data in a NoSQL database (a document store) and this information is stored essentially forever unless you delete it or abandon it. We state in our terms that we may delete individual accounts that are abandoned. However, this largely applies to the people that try out our service and decide to do something else, as we have hundreds sign up each day and not everyone will become long-term users.
You can download the full entry details at any time by exporting your entries to Excel, which provides a complete "strongly-typed" "structurally accurate" view of your data. Furthermore, you can use either our JSON endpoints or Zapier integration options to stream your entries into another system to maintain your own backups for this data. We are also working on options to not store data in Cognito Forms for those customers that just want to use our forms but do not want us to store their data.
Cognito Forms is hosted in the same datacenters that run services like Xbox.com and Office 365, and we rely on Microsoft's Azure platform for intrusion detection, physical security, etc. We do not even know where the servers for Cognito Forms are physically located, just somewhere in Virginia with redundancy in the Midwest. We carefully guard our own limited access to this production environment as stated in our security help topic. Also, we worked with Microsoft to ensure we are hosted in their high-security area reserved for applications dealing with sensitive data, and have a HIPAA BAA from Microsoft.
Finally, we will be releasing support for encrypted forms in the next couple of weeks. This will add an additional layer of security and protection by encrypting 100% of all entry data and uploaded files "at rest" and allowing form builders to mark certain fields as "protected" to prevent them from inadvertently being transmitted insecurely in email notifications, URL redirects, etc. We will also prevent things like posting data to non-secure endpoints to ensure that our customers do not accidentally compromise the data they are trying to protect.
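As an added illustration of the "protected field" egress rules described in this answer (this is not Cognito Forms' own code; the field names, the sample entry, the secure view URL and the endpoints are all assumed), the functions below redact protected values from email notifications and redirect URLs, and refuse to hand protected data to a non-HTTPS webhook:

```javascript
// Added example, not Cognito Forms code. Field names and values are constructed.
const PROTECTED = new Set(["ssn", "diagnosis"]); // assumed: fields the builder marked "protected"

// Constructed sample entry as it might be stored after submission.
const sampleEntry = { id: 42, name: "A. Example", ssn: "000-00-0000", diagnosis: "test" };

// Split an entry into a redacted copy and the list of protected field names removed.
function redactProtected(entry, protectedFields = PROTECTED) {
  const redacted = {};
  const removed = [];
  for (const [key, value] of Object.entries(entry)) {
    if (protectedFields.has(key)) removed.push(key);
    else redacted[key] = value;
  }
  return { redacted, removed };
}

// Email notifications never carry protected values; they link back to the secure view instead.
function buildNotification(entry, viewUrl) {
  const { redacted, removed } = redactProtected(entry);
  const lines = Object.entries(redacted).map(([k, v]) => `${k}: ${v}`);
  if (removed.length > 0) {
    lines.push(`(${removed.length} protected field(s) omitted; view securely at ${viewUrl})`);
  }
  return lines.join("\n");
}

// Redirect URLs must be HTTPS and only receive non-protected fields in the query string.
function buildRedirectUrl(base, entry) {
  const url = new URL(base);
  if (url.protocol !== "https:") throw new Error(`refusing non-HTTPS redirect: ${base}`);
  for (const [k, v] of Object.entries(redactProtected(entry).redacted)) {
    url.searchParams.set(k, String(v));
  }
  return url.toString();
}

// Webhooks may receive the full entry, but only when the endpoint is HTTPS;
// an entry containing protected fields is never posted to a plain-HTTP endpoint.
function prepareWebhookPayload(endpoint, entry) {
  const url = new URL(endpoint);
  const { removed } = redactProtected(entry);
  if (url.protocol !== "https:" && removed.length > 0) {
    throw new Error(`refusing to post protected fields to non-HTTPS endpoint: ${endpoint}`);
  }
  return { endpoint: url.toString(), body: { ...entry } };
}
```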
When enforcing plan limits in Cognito Forms our goal was to ensure that submissions would always keep flowing in no matter what. For this reason, when entry storage exceeds plan limits, new entries with attachments are definitely allowed.
When your organization exceeds these limits, you will no longer be allowed to download uploaded files. However, you can simply upgrade to a better plan or delete entries to reduce your storage use.