Security & Compliance

Enterprise-grade protection for every form

Built-in security, encrypted storage, and strict isolation ensure your data stays safe.

Platform security

Security is built into every layer of Form Platform. All data is encrypted at rest using AWS KMS, and data in transit is protected with TLS/SSL. API keys are scoped to environments and can be rotated or revoked at any time. Webhooks are signed with HMAC to ensure authenticity, and rate limiting prevents abuse.

KMS-encrypted storage for all submission data

Separate publishable and secret keys

IP and origin validation for API access

HMAC-signed webhooks for secure integrations

Secrets never exposed in client-side code

Environment isolation for data separation

Rate limiting to prevent abuse

Automatic spam detection and filtering

Compliance

GDPR-ready

Data isolation

Access control

Secure attachment access

Reliability

Serverless scale

Zero single points of failure

Delivery guarantees


FAQ

All submission data is encrypted at rest using AWS KMS (Key Management Service). Data in transit is protected with TLS/SSL. PII fields can be configured with additional encryption, hashing, masking, or dropped entirely based on your compliance needs.

Form Platform is designed to support GDPR, HIPAA, and SOX compliance requirements. Features include PII handling options, data retention policies, audit logs, environment isolation, and encryption. However, compliance depends on your specific use case and configuration.

Public endpoints are rate limited by IP address to prevent abuse, while authenticated endpoints are rate limited per user. Monthly submission quotas are enforced per workspace environment. Rate limit headers (Retry-After) indicate when you can retry requests.
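An added example (not Form Platform's own code) of a client honoring the Retry-After header described above, covering both forms HTTP allows for it: a number of seconds or an HTTP date. It assumes rate-limited responses carry HTTP status 429; `retry_delay`, `send_with_retry`, and the default and maximum waits are hypothetical names and values chosen for illustration.

```python
import time
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

DEFAULT_WAIT = 5.0   # assumed fallback when the header is missing or unparsable
MAX_WAIT = 300.0     # assumed client-side ceiling so a bad header cannot stall us


def retry_delay(header_value, now=None, default=DEFAULT_WAIT, max_wait=MAX_WAIT):
    """Return seconds to wait, given a raw Retry-After header value."""
    if header_value is None:
        return default
    value = header_value.strip()
    # Form 1: delay in whole seconds, e.g. "120".
    if value.isascii() and value.isdigit():
        return min(float(value), max_wait)
    # Form 2: HTTP date, e.g. "Wed, 21 Oct 2015 07:28:00 GMT".
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return default
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    # A date in the past means "retry now"; never return a negative wait.
    return min(max((when - now).total_seconds(), 0.0), max_wait)


def send_with_retry(send, attempts=3, sleep=time.sleep):
    """Call send() until it is no longer rate limited or attempts run out.

    send is any callable returning (status_code, headers_dict); status 429
    as the rate-limit signal is an assumption, not taken from the page.
    """
    status = None
    for attempt in range(attempts):
        status, headers = send()
        if status != 429 or attempt == attempts - 1:
            break
        sleep(retry_delay(headers.get("Retry-After")))
    return status
```
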

Form Platform includes built-in spam protection with honeypot fields, reCAPTCHA validation (if configured), and custom spam rules. You can configure actions like reject, flag, or quarantine. All submissions are automatically checked before storage or delivery.

API keys are stored encrypted in DynamoDB with KMS. Publishable keys (pk_...) are safe for client-side use, while secret keys (sk_...) should only be used server-side. Keys are scoped to workspace environments and can be rotated or revoked at any time.