The SecureForms integration lets your bot collect sensitive customer data — Social Security Numbers, dates of birth, payment details, and HIPAA-protected information — through a HIPAA-compliant secure form without the customer typing sensitive data into the chat window.

What the SecureForms Integration Does

Instead of asking a customer to type sensitive information directly into chat (where it appears in message history and logs), Velaro sends a SecureForm link. The customer opens a secure, encrypted form in a protected iframe. They fill out the form, submit it, and Velaro receives the data via a webhook callback. The bot can then continue the conversation using the collected data — for example, confirming an account match or proceeding to the next step in a workflow. The sensitive data is never stored in the chat transcript.

How It Works

1. The bot (or an agent) triggers a SecureForm during a conversation.

2. The customer receives a link in the chat: "Please complete this secure form to continue."

3. The customer clicks the link and fills out the form in a secure iframe hosted on Velaro's encrypted endpoint.

4. When the customer submits, Velaro sends the form data to the webhook URL you configured.

5. Your workflow receives a callback and resumes automatically.

How to Set Up

1. Go to Settings → Integrations → SecureForms.

2. Click Create Form.

3. Add the fields you need (e.g., Social Security Number, Date of Birth, Policy Number).

4. Set the field type for each field: text, date, masked number, or dropdown.

5. Enter the Webhook URL where Velaro should POST the form data when submitted.

6. Click Save. Velaro generates a form ID you can use in your workflows.

To trigger the form in a workflow, add a Send SecureForm step and select the form by name.

Field Types

Webhook Callback

When a customer submits the form, Velaro sends an HTTP POST to your configured webhook URL with a JSON body:

• conversationId — the Velaro conversation the form belongs to
• formId — the ID of the form definition
• submittedAt — ISO 8601 timestamp
• fields — an object with each field name and its submitted value

Your webhook endpoint should respond with HTTP 200 to acknowledge receipt. If your endpoint is unavailable, Velaro retries delivery for up to 1 hour.

Common Use Cases

Healthcare intake forms

Collect patient name, date of birth, insurance policy number, and reason for visit before transferring to a nurse or scheduling team. The data never appears in the chat window or transcript.

Mortgage and loan applications

Collect SSN, employment status, income, and property address through the secure form. Your backend receives the data and runs a pre-qualification check, then the bot continues the conversation with the result.

Insurance claims

Collect claim number, policy holder name, and loss date through the secure form. Route the completed submission to the appropriate claims adjuster.

Identity verification

Ask for date of birth and last four digits of SSN to verify a caller's identity before giving account information. The bot receives the callback, checks the values against your records, and confirms or denies the match without a human agent seeing the raw data.

Security and Compliance

• All form data is transmitted over TLS 1.2 or higher.
• Submitted form values are passed directly to your webhook and are not stored in Velaro's database.
• The secure form iframe is served from Velaro's encrypted endpoint, isolated from the chat window context.
• Velaro's SecureForms infrastructure is designed to support HIPAA use cases. Contact support for a Business Associate Agreement (BAA) if required by your organization.

Troubleshooting

Customer clicks the link but the form does not load

Confirm the customer is using a modern browser (Chrome, Firefox, Edge, Safari). The secure form iframe requires JavaScript to be enabled. If the customer is on a corporate network, their firewall may be blocking the iframe source domain — ask your IT team to allow app-cdn.velaro.com.

Webhook is not receiving submissions

Click Test Webhook in the form settings to send a sample payload to your endpoint. Confirm your server responds with HTTP 200. Check that the webhook URL is reachable from the public internet (not a localhost or internal IP address).

Bot workflow does not continue after form submission

The workflow resumes when your webhook responds HTTP 200. If the workflow appears stuck, check your webhook server logs to see whether the callback was received and whether it returned a success status. A non-200 response prevents the workflow from resuming.

Form fields are not appearing correctly

If a field you configured is not visible in the form, check that it is marked as Active in the form editor. Draft fields are hidden from the customer-facing form.