How do I create and use Secure Forms?

Sprout’s Secure Forms are a PCI-compliant way to safely collect sensitive customer data without leaving the social conversation. This enables support teams to complete care interactions end-to-end on social, reducing friction and keeping the entire experience secure and seamless.

This feature is only available for Guardian customers. 

To access the Secure Forms feature, you need the Manage Secure Forms permission.

To send forms or reveal data, you must have the Access Secure Forms permission.

Creating a Secure Form

  1. Navigate to Account & Settings > Settings > Guardian > Secure Forms.
  2. Click Create Form.
  3. Add fields to the form and customize the text, language, completion message, colors, logos, etc. The form title and description will be displayed in your Secure Forms list and in the Form itself (unless hidden).
  4. Navigate between Form and Field Customization Settings by using the dropdown on the navigation panel. If you need help understanding the impact of a specific setting, use the ? (question mark) icon to get more information about a field.
  5. Click the Save icon when finished formatting.

Preview the form

You can preview your form at any time.

  1. Click the Preview tab from the top menu.
  2. Click the display icon to preview the form on other device screens.

Changing the theme

  1. Click the Themes tab from the top menu bar.
  2. Use the dropdowns to change the header, background, and general appearance of the form.

Enable your form

Once you finalize your form and save it, enable the form for use by toggling Enabled to ON.

Using Secure Forms as an Agent

 

Attaching and viewing a Secure Form requires Access Secure Forms permissions.

  1. Navigate to any private message.
  2. Click on the secure form icon to attach a secure form.
  3. Select the form you want to attach to your message.
  4. (Optional) Input any text you want in your reply.
  5. Click Send.
  6. Once the form recipient submits their responses, you’ll get a notification that the secure form response was submitted.

Secure Forms Best Practices & Tips for Admins

  • Data Retention
    • It is not permitted to collect PHI data in non-PHI specified fields.
    • Always consult your internal policies and compliance guidelines before choosing a data retention period.
    • Credit Card, CVV, and Debit PIN fields all expire within 60 minutes. This cannot be changed.
    • For non-PCI fields, you can set a custom expiration period for temporary data retention:
      • Minutes: 15-60 (Defaults to 60 minutes)
      • Hours: 1-24 (Defaults to 1 hour)
      • Days: 1-180 (Defaults to 1 day)
    • All other fields can be customized to have permanent data retention.
    • You are not permitted to collect PCI data in non-PCI specified fields.
      • Credit Card, CVV and Debit PIN
  • Thank You Page
    • Consider putting your brand-specific SLAs or a reminder to navigate back to the social message as a best practice.
  • Brand logo
    • Adding a brand logo provides legitimacy to the form and is recommended.
    • Note: Uploading a logo or background image can only be done via a file URL, as Sprout doesn’t support media file uploads.
  • General Form
    • You may want to consider adding a statement to a field or the form itself that notifies end users that their information will be used in accordance with your company’s privacy policy.
    • You can decide to hide the title and description from end users by unchecking “Make the title and description visible”.

Secure Forms FAQs

How do I set up a form to collect Protected Health Information (PHI)?

When setting up the form, you must:

  1. Choose the field type "Protected Health Information."
  2. Select the specific type of information you are collecting.
  3. Choose a data retention time period that complies with your company’s compliance guidelines.

Am I able to customize the data retention time for collected information?

Yes, data retention time can be customized, but the options vary by data type:

| Data Type | Retention Option | Notes |
|---|---|---|
| PCI Data (Credit Card Info) | Temporary (Required) | Must be set to 60 minutes. |
| Non-PCI or Non-PHI Data | Permanent or Temporary | Allows for flexible options. Temporary fields can be stored indefinitely or set from 15 minutes up to 180 days. |
| PHI Data | Temporary | Can be set from 15 minutes up to 14 days. |

Can you force certain values in the (secure form) fields? Like CVV has to be numbers?

For pre-defined fields, we enforce this validation. For custom fields, there are a ton of customization options to fit your needs.

Will those who make any changes to secure forms be in the audit trail?

Yes. There are export logs for all of the settings in this feature.

Am I able to customize the data retention time?

For non-PCI data, you are able to select between Permanent or Temporary retention. Temporary retention will expire the data within 60 minutes. PCI data is required to have temporary retention.

When does the data start expiring? 

The expiration timer starts the moment the end-user submits the form.

How will I know when a secure form has been submitted? 

Users with Access Secure Forms permissions are notified when a new secure form response is received. You can modify those notifications in your notification settings. 

Additionally, for any message associated with a Case, you can set up an automated rule to reopen a case when a new message is received.

Are secure forms available in Bots or as macros? 

Not at this time. 

What kind of data can be collected through Secure Forms?

You may collect various categories of PII (Personally Identifiable Information) and sensitive information through the Secure Forms feature, but please review our Guardian Terms to understand what you are responsible for before collecting this data. 

Specifically, Secure Forms supports the collection of:

  • Credit Card and Cardholder Information (as the feature is PCI compliant)
  • Protected Health Information (PHI) (as the forms are designed to be a secure way to collect this data)
  • Data that is sensitive to your business

Is there a place where a collection of the forms can be downloaded? Can they bulk download their form responses? 

No, there currently is not an option to export responses as we want to ensure your customer's data is stored and accessed securely. 

Do the form links ever expire? 

If the form is not submitted within 24 hours, the form URL will no longer function. This is because some networks (e.g. WhatsApp) don’t allow the agent to respond to a message after 24 hours, so the agent wouldn’t be able to respond to the customer who filled out the form without them reaching back out. Once the form has been submitted, it cannot be submitted again; the URL will never expire but will show as already completed.

What happens if I disable a form in the settings? 

Agents will no longer be able to select that form to be sent to your customers. All forms that were already sent will still be active until either they expire in 24 hours or a response is submitted.
