Jotform is a foundational web service that powers critical website functions and digital experiences. It provides reliable infrastructure, seamless integration capabilities, and consistent performance across all devices and browsers. Jotform supports modern development practices and scales with growing business needs. With a focus on stability and compatibility, Jotform ensures your website delivers a smooth, uninterrupted experience to every visitor and search engine crawler.
Jotform, founded in 2006 by Aytekin Tank in San Francisco, is one of the largest SaaS form builders with more than 25 million users. Forms are created and hosted on jotform.com and embedded into customer websites via iframe or a lightweight JavaScript widget. Submissions are processed and stored by Jotform on behalf of the website operator.
Jotform offers a drag-and-drop builder, more than ten thousand templates, conditional logic, payments (Stripe, PayPal, Square, Authorize.Net), e-signature, file uploads, approval workflows, PDF generation and a REST API. Forms can be embedded as an iframe, JavaScript widget or full page, or distributed as a link, QR code or kiosk. The service also includes HIPAA, GDPR, PCI DSS Level 1 and SOC 2 Type II compliance options.
The embedded widget loads JavaScript from cdn.jotfor.ms and posts to api.jotform.com. Cookies set in the jotform.com third-party context include JOTFORM_SESSION, JFcid, _ga (when Jotform analytics is enabled), and __cf_bm (Cloudflare bot management). These cookies require prior consent in the EEA under Art. 5(3) ePrivacy. Submissions, the visitor IP, the user agent and the referring URL are stored on Jotform servers.
Jotform acts as a processor under Art. 28 GDPR. The website operator must sign the Jotform Data Processing Addendum, list Jotform as a sub-processor in records of processing, and configure the European data residency option if the website serves EU users with sensitive data. Without EU residency, transfers rely on the EU-US DPF (Jotform is certified) or on Standard Contractual Clauses.
Default Jotform plans store data in the US. The Jotform Enterprise EU data residency option stores submissions in Frankfurt (AWS eu-central-1) and serves the form widgets from a European CDN. HIPAA accounts are isolated in a US healthcare environment. Document which residency you use, the corresponding transfer mechanism, and the encryption at rest and in transit.
Block the Jotform widget behind the marketing or statistics consent category until the visitor accepts. Sign the Jotform DPA. Enable EU data residency when relevant. Set encryption on form fields with personal data. Configure a submission retention policy in Jotform. Document Jotform as a sub-processor and the relevant US transfer mechanism in your records of processing and your privacy notice.
Websites using Jotform must obtain user consent under GDPR regulations.
Third-party domains contacted
jotform.com, jotfor.ms, cdn.jotfor.ms, api.jotform.com, submit.jotform.com, eu.jotform.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| JOTFORM_SESSION | third_party | Session | Session identifier used by the Jotform widget to keep track of the current form instance. |
| JFcid | third_party | 1 year | Unique visitor identifier used by Jotform for analytics and conversion attribution. |
| __cf_bm | third_party | 30 minutes | Cloudflare bot management cookie used to distinguish humans from automated traffic on jotform.com. |
| _ga | third_party | 2 years | Google Analytics identifier set on jotform.com when Jotform Analytics is enabled on the account. |
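
The blocking step described above (hold the widget until the visitor accepts) comes down to recognising embeds that point at the third-party domains listed on this page and parking their URL until consent exists. The sketch below is an added example, not Jotform or FlowConsent code; the element shape, the `marketing` category name and the placeholder paths are assumptions.

```javascript
// Added example: consent gate for Jotform embeds. Hosts come from the
// third-party domain list on this page; everything else is an assumption.
const JOTFORM_DOMAINS = ["jotform.com", "jotfor.ms"];

// True only for a listed domain itself or a real subdomain of it.
// A substring or endsWith("jotform.com") test would also match lookalike
// hosts such as "notjotform.com" or "jotform.com.example.net".
function isJotformUrl(rawUrl, baseUrl = "https://site.example/") {
  let host;
  try {
    host = new URL(rawUrl, baseUrl).hostname.toLowerCase().replace(/\.$/, "");
  } catch {
    return false; // unparsable URL: nothing to gate
  }
  return JOTFORM_DOMAINS.some((d) => host === d || host.endsWith("." + d));
}

// elements: plain objects { tag, src, dataSrc } standing in for <script> and
// <iframe> nodes, so the logic also runs outside a browser. Returns new objects.
// Without consent a Jotform src is parked in dataSrc; with consent it is restored.
function applyConsent(elements, consent, category = "marketing") {
  const granted = consent[category] === true; // anything but true means "no"
  return elements.map((el) => {
    const out = { ...el };
    if (!granted && out.src && isJotformUrl(out.src)) {
      out.dataSrc = out.src;
      out.src = null;
    } else if (granted && !out.src && out.dataSrc && isJotformUrl(out.dataSrc)) {
      out.src = out.dataSrc;
      out.dataSrc = null;
    }
    return out;
  });
}

// Constructed sample page: two Jotform embeds, one first-party script and
// one lookalike host that must not be treated as Jotform.
const samplePage = [
  { tag: "script", src: "https://cdn.jotfor.ms/PLACEHOLDER.js", dataSrc: null },
  { tag: "iframe", src: "//eu.jotform.com/PLACEHOLDER_FORM_ID", dataSrc: null },
  { tag: "script", src: "/assets/app.js", dataSrc: null },
  { tag: "script", src: "https://jotform.com.example.net/x.js", dataSrc: null },
];
const blocked = applyConsent(samplePage, {});
const released = applyConsent(blocked, { marketing: true });
console.log(blocked.map((e) => e.src), released.map((e) => e.src));
```

On a live page the embeds need to be written with the parked attribute in the markup from the start, because a script that rewrites `src` after the parser has seen it runs too late to stop the first request and its cookies.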
In the third-party context of jotform.com, the widget sets JOTFORM_SESSION (session), JFcid (visitor identifier, one year), _ga and _gid (if Jotform Analytics is on) and __cf_bm (Cloudflare bot management, 30 minutes). All require prior consent in the EEA except __cf_bm, which is sometimes claimed as strictly necessary.
Yes. The Jotform widget loads third-party JavaScript and sets third-party cookies, so prior consent is required under Art. 5(3) ePrivacy. Submission data itself is processed under Art. 6(1)(b) GDPR (pre-contractual) plus consent for marketing fields.
For the form submission, Art. 6(1)(b) GDPR (pre-contractual). For the third-party cookies and the embedded widget, Art. 6(1)(a) consent. Sensitive data (Art. 9) requires explicit consent and an additional contractual safeguard (e.g., HIPAA BAA for healthcare).
By default, yes: Jotform stores forms and submissions in the US. Enable EU Data Residency on Jotform Enterprise to store data in Frankfurt. Without EU residency, transfers rely on the EU-US DPF (Jotform is certified) or on SCCs plus a Transfer Impact Assessment.
A DPIA is recommended when Jotform is used to collect special categories of data (health, biometrics, financial), in recruitment with automated screening, or at large scale. The DPIA covers the residency choice, the transfer mechanism, the embedded cookies and the retention policy.
Block the widget until consent. Sign the Jotform DPA. Activate EU residency if relevant. Encrypt sensitive fields. Set a submission retention rule. Add an opt-in checkbox to marketing fields. Use Jotform anti-spam and reCAPTCHA alternatives such as Cloudflare Turnstile. Document Jotform as a sub-processor.
EU-first SaaS: Tally (Belgium), Typeform (Spain), Formbricks (open source, EU hosting). US SaaS: SurveyMonkey, Wufoo, Google Forms, Microsoft Forms. Self-hosted WordPress: Gravity Forms, WPForms, Ninja Forms, Fluent Forms, Contact Form 7.
Track the Jotform sub-processor list and certification status (EU-US DPF). When Jotform updates its DPA, residency offering or sub-processors, update your cookie table, privacy notice and records of processing, and bump the consent banner version.