Hi, would like to understand the current CMS functionality regarding secure data.
For background, we want to create a login page which is unique to each user. Within the login page, the user would add contract details to a form and upload supporting files (.pdf) to the CMS. This information would then be delivered via webflow’s native API to DropboxSign.
The information and supporting files would be sensitive information.
Is webflow’s default CMS able to keep this information private? There have been other threads in the past that make it unclear:
Is it correct to say that any document that a visitor submits through a Webflow contact us page (resume, business proposal, etc.) is immediately indexed and can be found via google?
Back to the original example: Do you know if it would be possible to achieve this using a completely locked-down site, with a homepage only containing login fields, then all forms and submissions contained in the member’s page? I guess I’m a little confused how fields like user’s contact info can be kept confidential while other user information would be somehow public.
IMHO, you really should be looking to handle this off Webflow. One way to still have the site on Webflow and handle secure/sensitive document processing is to use a third-party for that part. I have used JotForm for similar use cases and they have a DocuSign widget to simplify the process. Fact is they also provide HIPAA compliant form processing as well.
It depends on how you’re collecting that document. Webflow file upload? Passing it off to Zapier / Make and then to a 3rd party? Going from Zapier into the Webflow CMS? Just using a 3rd party form uploader?
I know it feels like you’re asking a simple question and I (or someone) should have a simple answer, but it’s really complicated. It’s all dependent upon “how” you’re doing that file upload and where that file lives.
Sorry that’s not more helpful
I always try my best to make my answers actionable and that one was not.
You have to think about it like this…
If you have a password protected page (and I’m referring to this, and not Webflow Memberships - though everything I’m saying applies equally).
Webflow protects the page and the content that is on the page.
Essentially just the text on the screen.
When you include images or files, those aren’t actually on the page.
Instead, they’re linked from that page to some external url.
When the web browser see’s that, it downloads that asset (via the url given) and displays it on the page for you.
But that asset (image, document, etc…) lives somewhere else, and that somewhere else is not password protected in Webflow. There are exceptions, I mention down below, but generally speaking this is how it works.
The Asset Manager
Upload any file to it and it goes straight to the public CDN. You may have an image element on a password protected page, or even your entire site, but that element links to an image on a public CDN that anyone can access.
I could password protect that page, but that image is still public.
Same goes for documents.
The one exception with Webflow is their file upload feature. Those assets are password protected, but they are only accessible by collaborators invited into your account accessible only once they are logged into Webflow.
Being logged into Webflow is how they protect those assets.
How about uploading a file to the CMS File field?
When you add a file to that specific field in the CMS, it’s uploaded to the public CDN.
The CMS Image field?
Same thing, it’s immediately uploaded to the public CDN.
How do I know all of this?
It’s super easy to test.
Open up the CMS, create a new Collection, and add a File field to it.
@Eskril ; I know you want to build it your own, but you might consider something like http://www.microspace.co. I know this is not the place to start promoting products, but it looks like it matches your needs and we already help large organisations onboarding employees using our platform.