top of page


Cognito forms

Data security

At Cognito Forms, we’re concerned about your privacy and the security of your form data. Below are the measures we take to ensure that your data is safe:

  1. Cognito Forms uses TLS 1.2/SSL encryption and is always accessed over HTTPS 100% of the time for all users.

  2. Cognito Forms is hosted securely on the Microsoft Azure cloud platform, which is PCI (DSS) Level 1 and HIPAA compliant. We also have a HIPAA BAA with Microsoft.

  3. Cognito Forms is HIPAA compliant, and offers a business associate agreement for organizations seeking to securely communicate with patients via registration forms, appointment scheduling, refill requests, etc.

  4. Access to our production environment is limited to select operations security staff, requiring two-factor authentication to deploy updates or access a secure system for limited troubleshooting.

  5. We do not look at entry data for our customers unless requested to through an official support request. The details of our concern over data privacy are detailed in our Privacy Policy.

  6. Customer data is carefully segregated at the lowest architectural level in Cognito Forms to ensure that data for one organization cannot be accessed by another.

  7. We partner with PayPal, Stripe, and Square for credit card processing so that secure payment information is never transmitted or stored by Cognito Forms. We also take measures to prevent malicious scripts on sites we are embedded in from stealing this information.

  8. The Cognito Forms architecture is unique and highly specialized for massive scale while maintaining data isolation. It does not use transactional databases and is not vulnerable to SQL injection attacks.

  9. Production access credentials for storage and encryption tokens used to encrypt sensitive organization data are stored in an Azure credential store and are not stored within our own development environments.

  10. All text data stored by Cognito Forms is sanitized to prevent JavaScript injection attacks, which someone might attempt to leverage by submitting JavaScript as entry data to maliciously access other entry data by compromising our customers browsers when managing entries.

  11. Sensitive data, such as Social Security numbers and other personally identifiable information, is required to be encrypted at rest using 256-bit AES encryption. It must also be protected so that it is never emailed or otherwise transmitted in an insecure way. Any field type can be encrypted and/or protected, including uploaded files and sections.

  12. Cognito Forms uses opportunistic TLS encryption when sending email to always encrypt messages when supported by downstream servers. For HIPAA organizations, we recommend that PHI be marked as protected so it is not sent via email for any reason and remind organizations that explicit patient consent is required for sending PHI via email.

  13. Cognito Forms customers can enable two-factor authentication (2FA) to add a second login step to their account. Additionally, organizations on the Enterprise plan level can require two-factor authentication for all users.

We know that there are evolving threats to data security, and we will continue to refine our processes to ensure the safety of our customers’ data in Cognito Forms.

Privacy Notice: Accessibility Policy


Our Policy

Information you need to know: 

This privacy notice explains how we use your personal information and your rights regarding that information. We will always use your data as set out in the principles of the General Data Protection Regulation (GDPR) and all current Data Protection Legislation.  We are committed to being transparent about how we collect and use your data and to meeting our data protection obligations. 

What information are we collecting? 

When volunteering and signing up for the games, we will collect your name, email address, age group, contact number, Twitter/ Instagram username, university, and cohort year.  

Why are we collecting your data and what is the legal basis for this? 

The Paramedic Games will collect personal data from you to send any event-related information before the event you wish to attend, and will at all times do so in compliance with the principles of the GDPR, and for one of the legal basis set out in Article 6 of the Regulation.  

If you wish to withdraw your consent for The Paramedic Games to hold your information, you can do so at any time by contacting us through our contact page.  

Who has access to this data? 

Your personal data will be used only by The Paramedic Games development staff where the data is necessary for them to undertake their designated role. We do not share your details with any external parties.  

How does The Paramedic Games protect your data? 

Any data you provide will be held on a secure Wix server that only Paramedic Games developers can access. 

For how long does The Paramedic Games keep your data? 

Your data will be held from the time of your signing up, until the day after the event.  

If signing up as a volunteer, we will hold your information indefinitely unless your consent is withdrawn. 

Your rights 

As a data subject, you have a number of rights. You can: 

Access and obtain a copy of your data on request, this could be in a portable electronic format; 

Require the university to change incorrect or incomplete data if you think that it is inaccurate or out of date 

Require the university to delete or stop processing your data, for example where the data is no longer necessary or legally required for the purposes of processing 

If your personal data has been provided by consent, you have a right to withdraw that consent at any time.  

If you would like to exercise any of these rights, please contact The Paramedic Games on our contact page.  

What if you do not provide data? 

You will be unable to utilise The Paramedic Games without, at minimum, providing your name, email address, and university information due to the nature of the events.  

Transfers of data outside the UK 

Generally, we do not send your personal data outside the UK.  However, in some specific cases we may  transfer the personal data we collect  to countries outside the UK in order to perform our contract with you/or a contract with another organisation that requires your personal data i.e. a collaboration agreement with a university based outside of the UK. Where we do this, we will ensure that your personal information is protected by way of an ‘adequacy regulation’ with the UK or by putting alternative appropriate measures in place to ensure that your personal information is treated by those third parties in a way that is consistent with and which respects the UK laws on data protection, for example model contractual clauses, data sharing/data processing agreement and binding corporate rules (where applicable).  

Automated decision making 

We will not make any decisions about you automatically using a computer, based on your personal data. All decisions affecting you will be taken by a human.  

How to complain to the Information Commissioner’s Office? 

You have the right to complain to The Information Commissioner if you believe that our processing of your personal data does not meet our data protection obligations.  The Information Commissioner can be contacted: 

By post: Information Commissioners Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK95AF. 

By phone:  0303 123 1113. 

By email: contact can be made by accessing 

Privacy Notice: Accessibility Policy
bottom of page