
Post: How to Protect HR Form Submissions: IP Tracking and Data Governance in 2026
Answer: HR teams collecting applicant or employee data through online forms expose sensitive records to fraud and unauthorized access. Adding IP address validation to your form workflows lets you flag suspicious submissions, enforce geographic compliance rules, and build an audit trail — all without adding friction for legitimate respondents.
Key Takeaways
- IP tracking on HR forms deters fraudulent submissions and flags anomalous geographic patterns
- Make.com is the recommended platform for routing form data through IP validation services
- Logged IP data supports audit trails required by GDPR, CCPA, and SOC 2 frameworks
- Automation-first approach: build the validation layer in Make.com before adding AI screening
- IP logs should be retained per your data retention policy and purged on schedule
Protecting HR form data starts with knowing who is submitting it. Securing your HR data workflows with IP validation is one of the highest-leverage controls you can add to your intake processes — and it takes less than an afternoon to implement with Make.com and a reliable IP intelligence API.
Before You Start
You need: a Google Form or similar web form with a webhook or form-to-email trigger, a Make.com account, and an IP intelligence API key (ip2proxy, ipinfo.io, or similar). Your form platform must expose the submitter’s IP either natively or via a hidden field populated by JavaScript.
Step 1: Capture the Submitter’s IP at Form Load
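Most form platforms do not pass the raw client IP into the submission payload by default. Add a hidden field named submitter_ip and populate it on page load using a small JavaScript snippet that calls https://api.ipify.org?format=json and writes the result into the hidden field. This ensures the IP travels with the submission. Because the browser fills in this field, the value is client-supplied and a submitter can alter it before submitting, so treat it as untrusted input in the later steps.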
Step 2: Route Submissions Through Make.com via Webhook
In Make.com, create a new scenario with a Custom Webhook trigger. Copy the webhook URL into your form platform’s “on submit” POST destination or Google Apps Script trigger. Every submission now arrives in Make.com with the full payload including submitter_ip.
Step 3: Call the IP Intelligence API
Add an HTTP module in Make.com after the webhook. Configure a GET request to your chosen IP API endpoint, passing submitter_ip as the query parameter. The response returns country, region, ISP, proxy/VPN flag, and threat score. Map these fields to variables in your scenario.
Step 4: Apply Your Compliance Rules
Add a Router module with conditional paths: if the proxy flag is TRUE or the country is outside your approved hiring regions, route to a “flag for review” path. Otherwise route to your normal applicant processing path. The flagged path creates a Teamwork task for your HR ops team to manually review the submission before it enters your ATS.
Step 5: Log IP Data to Your HR Data Store
Add a Google Sheets or Airtable module to log every submission: timestamp, form name, submitter_ip, country, proxy flag, and disposition (passed/flagged). This log is your audit trail. Retain it per your data retention policy — typically 12–36 months depending on jurisdiction.
Step 6: Set Up Automated Purge
Create a separate Make.com scenario on a monthly schedule that queries your log store and deletes rows older than your retention limit. This keeps your audit trail compliant without manual housekeeping.
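The decision logic behind Steps 4 to 6, written as plain JavaScript functions so the rules can be checked before they are rebuilt as Make.com modules. This is an added example, not code from the original post or from Make.com; the response field names (country, proxy), the approved-country list and the 730-day retention value are assumptions to replace with your own.

```javascript
const APPROVED_COUNTRIES = new Set(["US", "CA"]); // assumption: approved hiring regions
const RETENTION_DAYS = 730;                       // assumption: 24-month retention policy

// submitter_ip is filled in by the browser, so it is untrusted. Accept only well-formed
// IPv4 outside private, loopback, link-local, CGNAT and 224+ ranges; else return null.
function parseClientIPv4(value) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(value).trim());
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  if (octets.some((n) => n > 255)) return null;
  const [a, b] = octets;
  const rejected =
    a === 0 || a === 10 || a === 127 || a >= 224 ||
    (a === 100 && b >= 64 && b <= 127) ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
  return rejected ? null : octets.join(".");
}

// Step 4: flag for human review, never auto-reject. intel is the parsed IP API
// response (field names assumed), or null when the lookup was skipped or failed.
function routeSubmission(payload, intel) {
  const flag = (reason) => ({ disposition: "flagged", reason });
  if (parseClientIPv4(payload.submitter_ip) === null) return flag("invalid submitter_ip");
  if (!intel) return flag("IP lookup failed");
  if (intel.proxy === true) return flag("proxy or VPN detected");
  if (!APPROVED_COUNTRIES.has(intel.country)) return flag("country outside approved regions");
  return { disposition: "passed", reason: "" };
}

// Step 5: audit row. Only the validated IP is written, so a crafted field value
// (for example one starting with "=") never reaches the spreadsheet.
function buildLogRow(formName, payload, intel, decision, now) {
  return {
    timestamp: now.toISOString(),
    form: formName,
    submitter_ip: parseClientIPv4(payload.submitter_ip) ?? "invalid",
    country: intel ? String(intel.country ?? "") : "",
    proxy: Boolean(intel && intel.proxy === true),
    disposition: decision.disposition,
  };
}

// Step 6: keep only rows newer than the retention limit.
function purgeExpired(rows, now) {
  const cutoff = now.getTime() - RETENTION_DAYS * 24 * 60 * 60 * 1000;
  return rows.filter((row) => Date.parse(row.timestamp) >= cutoff);
}
```

A submission whose submitter_ip fails validation should skip the IP API call in Step 3 and go straight to the review path with intel set to null.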
How to Know It Worked
Submit a test form using a VPN connection. The submission should arrive in Make.com, the IP API should return proxy=true, and the scenario should route the submission to your flagged queue rather than your normal ATS intake. Check your log store for the entry.
Common Mistakes
The most common failure is relying on the form platform’s server-side IP capture instead of client-side JavaScript — many platforms log the IP of their own servers, not the submitter’s browser. Always use client-side IP capture via hidden field. The second common mistake is forgetting to document your IP data collection in your privacy notice — update it before deploying.
Expert Take
Most HR teams I talk to treat IP logging as an IT problem. It is not — it is an HR governance problem. When a fraudulent application slips through your ATS and you have no audit trail, you cannot prove due diligence to a regulator or an employment attorney. The 45 minutes it takes to wire up Make.com and an IP API is cheap insurance. What I tell clients: if you are collecting any personal data through a form, you need to know where that data came from. IP validation is the minimum viable audit trail.
Frequently Asked Questions
Is IP tracking legal for job applications?
Yes, in most jurisdictions, collecting the IP address of a form submitter is a standard security practice. You must disclose it in your privacy notice. Consult your legal counsel for jurisdiction-specific requirements under GDPR or CCPA.
What if a legitimate applicant uses a VPN?
Flag the submission for human review rather than auto-rejecting it. VPN use is common among privacy-conscious applicants and remote workers. The review step ensures no legitimate candidate is unfairly excluded.
Which IP API is most accurate for proxy detection?
ip2proxy and ipinfo.io both perform well for proxy/VPN detection. For HR use cases where false positives have consequences, choose a provider with a money-back accuracy guarantee and test it with known VPN addresses before going live.
Do I need to store IP addresses under GDPR?
IP addresses are personal data under GDPR. If you collect and store them, you need a lawful basis (legitimate interest is typical for fraud prevention), a retention limit, and a deletion mechanism. Document all three before deploying.


