
Configuring Encrypted Data Fields in Vtiger CRM

Learn how to configure Encrypted Data Fields in Vtiger CRM and mask sensitive information.
Bindu Rekha Babu
16 Feb, 2026 - Updated  9 days ago

Feature Availability

Vtiger Editions: One Pilot | One Growth | One Professional | One Enterprise | One AI

Introduction

When storing sensitive data, such as a contact’s national ID number or credit card number, you can give the contact control over that field by requesting permission on their Consents page.

When you store a person's sensitive data, laws such as the GDPR may require you to handle it in particular ways, for example by encrypting data at rest or by restricting access to only those who need to see or use the data for its intended purposes.

Vtiger’s Encrypted Data or sensitive data field enables you to comply with those laws while helping protect you from the risk that your employees or malicious actors misuse data stored in your possession.

On the other hand, masking is a technique used to obscure certain parts of data for privacy or security purposes, often applied in user interfaces. Masking can be applied to sensitive fields as part of a broader data protection strategy. To know more about Masking in Vtiger, click here.

What are Encrypted Fields

An encrypted field is used to store sensitive information about a contact or lead, such as credit card numbers, CVV, and bank account details. You need to get consent from the contact or lead to store such information. 
Note: You can create only up to five encrypted fields in a module.
To learn more about Consent, click here.
Note: You need to install the GDPR Add-on from the Add-ons page. The following are the details for the encrypted fields:

  • Modules: Leads and Contacts
  • Limit: 5 fields per module
  • Data limit in GDPR compliance Add-on:
    • Personal fields - No limits
    • Encryption fields - 5 fields per module
    • Data consents - 10 fields per module
    • Custom consents - 10 fields per module

Key Features

The key features of the Encrypted Fields are:

  • Encryption of Data at Rest
    • Sensitive information is encrypted in the database to prevent unauthorized access.
  • Selective Data Masking (Obfuscation)
    • Displays masked values (e.g., ****) with configurable visible characters (like last 4 digits).
  • Profile-Based Access Control
    • Only users with the View Encrypted Field permission can reveal full field values.
  • Consent Management Integration
    • Allows obtaining and tracking consent before storing sensitive personal data.
  • Audit Logging for Sensitive Fields
    • Tracks all views and edits of encrypted fields for compliance and security audits.

Benefits

The benefits of the encrypted fields are:

  • Supports GDPR Compliance
    • Helps meet the requirements of the General Data Protection Regulation.
  • Improves Data Security
    • Protects sensitive customer information from misuse and breaches.
  • Reduces Internal Data Exposure
    • Restricts full visibility to authorized users only.
  • Enhances Customer Trust
    • Secure handling of personal data builds credibility and transparency.
  • Ensures Audit Readiness
    • Access logs provide traceability for compliance checks and investigations.


In this article, you will learn about:

  • Encrypted Fields
  • Configuring encrypted fields

Getting Started with the Encrypted Data Fields

Before you get started, please read the points below carefully.

Points to remember

  • Encrypted fields are available only if the Vtiger Privacy Guard is installed.
  • Remember that encrypted fields will be disabled if you uninstall the Vtiger Privacy Guard Add-on.
    • Note: These fields will not be shown in Module Fields and Layout > View Hidden after they are disabled.
  • If you re-install the Vtiger Privacy Guard, all the disabled encrypted fields will be activated.
  • You cannot downgrade from Vtiger One Enterprise edition to Professional or Starter edition if you have active encrypted fields.
  • Vtiger does not restrict you when downgrading from the Professional edition to the Starter edition, even if Vtiger Privacy Guard is installed with active encrypted fields.

Sensitive data fields can be created in Vtiger’s Leads and Contacts modules and achieve all of the following:

Encryption of data at rest

Encryption of data at rest stores data as an encrypted value in Vtiger’s database, protecting it from unauthorized access by your employees, our employees, and any potential malicious intruders.

Selective obfuscation of data

By default, sensitive data in the user view of Vtiger will display as ****. You can choose to change that default view to reveal any number of characters at the beginning or at the end of the stored value. This will help the users verify the value without permitting them to unobfuscate the full value.
A common use of this is to store a national ID number or credit card number and display only the last four digits (for example, 529-49-5787 shows as 52****787).
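The selective obfuscation described above, as an added sketch that is not Vtiger's code: the function names are hypothetical, and the fail-closed rule for values too short for the configured counts is an assumption. With two leading and three trailing characters it reproduces the 52****787 output shown above, and it also models a search that can match only the exposed characters.

```python
MASK = "****"  # the page's examples always show four asterisks


def exposed_parts(value, show_first=0, show_last=0):
    """Return the (prefix, suffix) visible to a user without the reveal permission."""
    if show_first < 0 or show_last < 0:
        raise ValueError("visible character counts must be non-negative")
    # Assumption: fail closed when the settings would expose the whole value,
    # e.g. a 4-character value with 2 leading + 3 trailing characters visible.
    if show_first + show_last >= len(value):
        return "", ""
    return value[:show_first], value[len(value) - show_last:]


def mask_value(value, show_first=0, show_last=0):
    """Obfuscate value, keeping only the configured leading/trailing characters."""
    prefix, suffix = exposed_parts(value, show_first, show_last)
    # A fixed-width mask also avoids disclosing the length of the stored value.
    return prefix + MASK + suffix


def search_hits(query, value, show_first=0, show_last=0):
    """Model of a search that can match only the exposed characters."""
    prefix, suffix = exposed_parts(value, show_first, show_last)
    return bool(query) and (query in prefix or query in suffix)


if __name__ == "__main__":
    national_id = "529-49-5787"  # sample value from the page's example
    print(mask_value(national_id))          # default view
    print(mask_value(national_id, 2, 3))    # first 2 and last 3 visible
    print(mask_value(national_id, 0, 4))    # last 4 visible
    print(search_hits("787", national_id, 2, 3))
    print(search_hits("49", national_id, 2, 3))
```

Because the number of exposed characters cannot be edited once encryption is enabled, it is worth running the shortest values you expect to store through a check like this before saving the field.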

Restriction of unobfuscation to only specific users

Although all users can see the obfuscated value of a restricted field, administrators can restrict which of your users are allowed to reveal the unobfuscated field value. This is achieved by giving user profiles access to view sensitive data fields and applying those profiles to users.

Configuring Sensitive Data Fields

Enabling Sensitive Data Fields

Plain text fields are the only fields that can be marked as sensitive by Vtiger. To enable a sensitive data field:

  1. Log in to the CRM.
  2. Go to the main Menu.
  3. Go to Settings.
  4. Go to the Module Fields and Layout Editor. 
  5. Choose either the Leads or Contacts modules.
  6. Create a new text field or edit the desired text field.
  7. Enable the Encrypt field property.
  8. Read, understand, and agree to the following conditions to enable the sensitive property.
  9. Choose the number of first and last characters to show all users accessing the field.
  10. Save the field.
Note: Only text fields with a character limit of 100 or less can be marked as encrypted.

Granting Profile Access to View Sensitive Data Fields

Follow these steps to grant profile access to view sensitive data fields:

  1. Log in to the CRM.
  2. Go to the main Menu.
  3. Click Settings.
  4. In the Settings page, expand User Management.
  5. Click Profiles.
  6. Select a profile to edit, then expand the Contacts or Leads module. The Tools window opens.
  7. Enable the View encrypted field value checkbox.
  8. Save the settings.

Users with a profile that can view sensitive field values will see a View button to the right of fields marked as sensitive in the Leads and Contacts modules. Clicking the button reveals the sensitive data field and logs the view.


Tracking Encrypted Fields for Access and Edits

Vtiger tracks all views and edits to fields marked as sensitive for future audits.
Field access logs for sensitive data changes can be viewed from the User Menu > Settings > User Management > Sensitive Field Access Logs. You can search the logs by field name, record name, module name, username, date range, or action performed.
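One way to review such logs for bulk reveals, as an added example that is not part of Vtiger: it flags users who view encrypted fields on many distinct records within a short window. The CSV column layout, the sample rows, and the threshold and window values are all assumptions constructed for illustration; Vtiger's actual log format is not shown on this page.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# Assumed column layout; not Vtiger's actual log or export format.
HEADER = "username,module,record,field,action,timestamp"

def _rows(user, action, records, start, step_seconds):
    """Build constructed log lines, one per record, spaced step_seconds apart."""
    t0 = datetime.strptime(start, FMT)
    return [
        f"{user},Contacts,{rec},National ID,{action},"
        f"{(t0 + timedelta(seconds=i * step_seconds)).strftime(FMT)}"
        for i, rec in enumerate(records)
    ]

# Constructed sample data, not real log output.
SAMPLE_LOG = "\n".join(
    [HEADER]
    + _rows("alice", "View", ["C-101", "C-102"], "2026-02-10 09:00:00", 1800)
    + _rows("bob", "View", [f"C-{n}" for n in range(200, 206)], "2026-02-10 14:00:00", 45)
    + _rows("carol", "Edit", [f"C-{n}" for n in range(300, 306)], "2026-02-10 15:00:00", 30)
    + _rows("dave", "View", ["C-400"] * 6, "2026-02-10 16:00:00", 20)
)

def bulk_reveals(log_csv, threshold=5, window=timedelta(minutes=10)):
    """Return {username: peak distinct records viewed in one window} for flagged users."""
    views = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_csv)):
        if row["action"] != "View":  # edits are reviewed separately
            continue
        ts = datetime.strptime(row["timestamp"], FMT)
        views[row["username"]].append((ts, row["module"], row["record"]))
    flagged = {}
    for user, events in views.items():
        events.sort()
        start = peak = 0
        for end in range(len(events)):
            # Advance the left edge until the span fits inside the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {(m, r) for _, m, r in events[start:end + 1]}
            peak = max(peak, len(distinct))
        if peak >= threshold:
            flagged[user] = peak
    return flagged
```

On the constructed sample only `bob` is flagged: six distinct records revealed in under four minutes, while repeated views of one record and edit actions do not count toward the threshold.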


Considerations when enabling sensitive data fields

Please be aware that all of the following apply to sensitive data fields:

  • Encrypted field values are obfuscated by default for all users
  • Only users with the View Encrypted Field permission can decrypt values in detail views
  • List views, reports, and exported data can only show encrypted values
  • Global search only searches exposed characters
  • Once enabled, encryption cannot be disabled, and the number of un-obfuscated characters cannot be edited
  • If a user marks an address field (Billing address, Location, etc.) as Encrypted, then the map functionality will not work as the data will be encrypted.