I’m new to nextcloud and volunteer at a solidarity farming organization in Germany. We are currently exploring our options to reduce paperwork and are planning to use nextcloud forms to collect members personal data. We were just wondering if the data that is put into the forms is encrypted in a way, so no third party can listen for stuff like IBAN and other important data?
If there are any additional safety measures we should take for this, some pointers would be heplful
Yes, data submitted through Nextcloud Forms is encrypted in transit (via HTTPS), so third parties can’t intercept it. However, the data is not end-to-end encrypted, meaning admins with server access can view it.
For sensitive info like IBANs, make sure your server is well-secured (strong passwords, up-to-date software, firewall, etc.), and consider limiting admin access. Also, enabling server-side encryption and using 2FA for accounts can add extra protection.
I believe that the Nextcloud Forms application does not support E2E encryption. I therefore advise against using it if you do not want to use it for files.
Theoretically, you could also encrypt the Nextcloud Forms application with E2E using JavaScript encryption libraries. But someone must programm it new. You could take a look at the Nextcloud Secrets app. It does something different, but it still does E2E also if Nextcloud E2E is not enabled because of client side JavaScript encryption.
I think it’s okay to use Nextcloud Forms unencrypted in European Union. But only if your provider and you complies with GDPR.
Yes basically if you use your Nextcloud for personal information then you must already fulfill GDPR on the data stored. So you should already have an process in place so that administrators work under compliance of the GDPR with the data.
