What this page covers
- How uploads are stored and accessed
- How to restrict who can view or download uploaded files
- When to use encrypted fields and HIPAA for file uploads
- Frequently asked questions
How uploads are stored and accessed
Upload security starts with understanding how files move through Zoho Forms, where they end up, and how access to stored files is managed.
How Zoho Forms encrypts files in transit
Every file submitted through a Zoho Form is encrypted in transit using Transport Layer Security (TLS). Zoho Forms uses the latest TLS protocol (TLS 1.3) to ensure secure communication. This applies to all forms regardless of how they are shared, whether through a public link, an embedded form, or a privately shared URL.
Data is securely transmitted between the respondent’s device and Zoho’s servers, protecting it from interception or tampering during transfer. Encryption in transit also applies when data is sent from Zoho Forms to third-party services through integrations. Unlike raw HTML file-collection setups where TLS must be configured separately, secure transmission is enabled by default for every form in Zoho Forms.
Encryption at rest, stored on certified infrastructure
Once submitted, files are securely stored on Zoho’s cloud infrastructure. Zoho Forms adheres to ISO/IEC 27001 for information security management, ISO/IEC 27017 for cloud security, and ISO/IEC 27018 for protection of personal data in the cloud. Storage is encrypted at rest using AES-256. These measures ensure that your files are secured according to internationally recognized best practices. Files are not publicly indexed and access is restricted to authorized users.
Your data center is automatically assigned based on the country you select during signup, so uploaded files stay within your designated regional boundary. Zoho Forms is also GDPR compliant, supporting secure collection, processing, and storage of personal data from EU citizens.
Store uploads in external cloud services
If you prefer to store attachments in external cloud services, the Manage Form Attachments option lets you save uploaded files to Zoho WorkDrive, Google Drive, Dropbox, or OneDrive instead of storing them in Zoho Forms. Zoho Forms records the submission and adds a reference link to each entry, while the file itself is stored in the connected service. You can also choose to store form submissions as PDFs and merged documents in the selected drive, allowing all submission-related files to be organized in one place.
Files are securely transferred from Zoho Forms to the external storage service over an encrypted connection. Once stored, the file’s encryption, access permissions, and security controls are governed by the selected cloud provider, while Zoho Forms continues to control access to the form entry and its reference link. Zoho Forms maintains audit logs for form and record activity, including file references, whereas file-level access and activity logs within the external service are handled by the respective storage provider.
Restrict accepted file types and sizes
Restricting uploads at the point of entry is one of the most effective security measures. Zoho Forms lets you specify the exact file formats your upload field will accept, such as PDFs, images, audio, video, or specific document types. Files outside your allowed list are rejected before they reach storage. You can also set a maximum file size per upload, which keeps submissions within expected boundaries and makes unusual file submissions easier to spot, and limit the number of files that can be uploaded to a single upload field.
Here is how this compares to an unmanaged file collection setup:
| Feature | Without a managed solution | With Zoho Forms |
| --- | --- | --- |
| File transit | Unencrypted unless manually configured | TLS enforced by default on every form |
| Storage security | No guaranteed encryption at rest | ISO/IEC certified infrastructure; AES-256 at rest |
| File type control | All formats accepted; no restrictions | Configurable allow list—unsupported types are rejected at submission |
| Access control | Anyone with the link can typically view and download | Role-based permissions; only authorized users can access entries |
| Audit trail | Usually none | Record audit logs track who made changes and when, ensuring accountability and transparency |
How to restrict who can view or download uploaded files
Uploaded files are tied to form entries. Access to those entries and the files within them is governed by Zoho Forms' role-based sharing controls.
Role-based access permissions for form entries
When sharing a form with team members, you assign one of three permission levels:
- Submit Form: Users can access and submit the form. They cannot view or download submitted files.
- Modify Form: Users can access, submit, and edit the form. They can view and download files only from their own entries but cannot modify them. They also cannot access entries submitted by others.
- Modify Form, Entries, and Reports: Users have full access. In addition to accessing, submitting, and editing the form, they can create and modify reports. They can view and download files from all entries and manage records submitted by all users.
This separation ensures that users do not have access to uploaded files unless permission has been explicitly granted.
Track every change with record audit logs
Record audit logs capture every edit or delete action on form entries, including who performed the action and when. This supports compliance requirements and helps track any unexpected changes.
Disable form URLs to stop collection instantly
When a form is no longer active or a security concern arises, you can disable the form's public URL with a single toggle. All shared links, embedded instances, and social posts are deactivated at once. No new files can be submitted, and existing data remains secure. This removes the need to track down every place the form was shared.
When to use encrypted fields and HIPAA for file uploads
When your forms collect sensitive files such as patient health records, government-issued ID cards, or financial documents that contain sensitive information, you may need additional protection beyond encryption in transit and access controls. Zoho Forms allows you to apply field-level encryption and enable HIPAA compliance to handle such data securely.
Secure uploaded files with field-level encryption
When your forms collect sensitive files such as ID proofs, passport copies, or other confidential documents, there is a risk of misuse if not properly protected. Zoho Forms allows you to encrypt upload fields so that submitted files are securely stored and accessible only to authorized users.
Field-level encryption encrypts stored data using the AES-256 standard, ensuring it can be accessed only by authorized users. Upload fields such as File Upload, Image Upload, and Audio/Video Upload can be encrypted. This adds an additional layer of protection on top of encryption in transit, securing sensitive files even after they are stored.
When encrypted fields are used, actions such as configuring email notifications, downloading reports, generating PDFs, or configuring integrations and document merge require additional confirmation to prevent unintended exposure. Encrypted data is masked where applicable in reports and downloads, helping protect sensitive file content during data access and sharing.
Enable HIPAA compliance for healthcare records
If your form collects healthcare-related files such as medical records, lab reports, or prescription documents, HIPAA compliance should be enabled to ensure secure handling of protected health information (PHI). An organization admin must first enable HIPAA at the organization level, which allows form admins to enable it for individual forms and mark relevant upload fields as ePHI.
Fields marked as ePHI are encrypted by default and handled with strict safeguards. Access is restricted, and actions such as notifications, report exports, and integrations are either limited or require additional confirmation to prevent unintended exposure of sensitive health data.
HIPAA support is available on Zoho Forms’ Premium and Enterprise plans. Before enabling it, ensure your organization is on a HIPAA-compliant Zoho plan and has signed a Business Associate Agreement (BAA) with Zoho. The BAA establishes the obligations both parties hold with respect to PHI and is a required step under HIPAA before any protected health data can be processed.
Frequently asked questions
Are uploaded files encrypted?
Yes. Uploaded files are encrypted in transit using TLS 1.3. Once received, they are stored on secure infrastructure that adheres to ISO/IEC cloud security standards, with AES-256 encryption at rest. Zoho Forms adheres to ISO/IEC 27001 for information security management, ISO/IEC 27017 for cloud security, and ISO/IEC 27018 for protection of personal data in the cloud. Access is authenticated, and uploaded files are not publicly indexed or accessible without the appropriate permissions.
Can I control which file types respondents can upload?
Yes. In the upload field settings, you specify which formats are accepted. Files outside that list are rejected at the point of submission. You can also set a maximum file size per upload.
How do I restrict who can download submitted files?
Access to entries, including attached files, is controlled by role-based permissions. Only users with the Modify Form, Entries, and Reports permission can view and download uploads from all entries. Users with Submit Form permission cannot view any submitted files, while users with Modify Form permission can view files only from their own entries.
Is Zoho Forms suitable for collecting medical records or patient documents?
Yes, when HIPAA is activated at the organization level and enabled for the form. Zoho Forms supports HIPAA-compliant collection of protected health information, including file attachments. You can mark upload fields as ePHI, which encrypts them by default and applies stricter controls on notifications, report exports, PDFs, and integrations.
Encryption, access controls, and audit logging help meet HIPAA’s technical safeguard requirements, making Zoho Forms suitable for healthcare data collection workflows.
Can I store uploaded files outside Zoho Forms?
Yes, you can integrate Zoho Forms with cloud storage services such as Zoho WorkDrive, Google Drive, Dropbox, or OneDrive using the Manage Form Attachments option. Uploaded files are stored in the connected service, and a reference link is added to each form entry to access the file.
Files are transferred securely, and once stored, file security and access control are governed by the selected cloud provider’s policies.
What happens to uploaded files if I delete a form?
If you delete a form, all associated entries and uploaded files stored in Zoho Forms are permanently deleted and cannot be recovered. Zoho Forms does not retain deleted data, so we recommend exporting or backing up any files before deleting the form.
If you have configured external storage using Manage Form Attachments, only the reference links are removed when the associated entries are removed. The files remain in the connected cloud service and can be accessed there.
Does Zoho Forms support GDPR-compliant file collection?
Yes. Zoho Forms is GDPR compliant, supporting secure collection, processing, and storage of personal data from EU citizens. It provides features such as double opt-in to capture explicit user consent, the ability to mark fields as personal or encrypted, and tools to help you handle sensitive data responsibly.
Zoho Forms also supports key GDPR rights, including the ability for respondents to access, update, export, or request deletion of their data. These features help you maintain transparency, ensure data control for users, and meet GDPR requirements when collecting files and personal information.
Start collecting files securely with Zoho Forms
Zoho Forms gives you the controls to collect files securely and the visibility to know they are being handled correctly at every step.