Template: verify specifics before publishing

This page describes our security approach in good faith and reflects how the Service is built. It is a template: confirm every specific (providers, versions, processes, and any compliance claims) against your live environment before publishing, and do not add certifications you do not actually hold. Placeholders in [BRACKETS] must be filled in with your actual details.

Security

Last updated: [YYYY-MM-DD]

Security and data protection are core to Formward. We are a European form backend: all form-submission data is stored in the EU, and we have designed the Service so that your form-submission data never leaves the EU/EEA. The only US touchpoints are optional Cloudflare Turnstile and Stripe, which processes paying customers' billing data (not submission data) to run subscription payments. This page summarises the technical and organisational measures we apply.

Cloud and infrastructure security

The Service is hosted on infrastructure provided by Hostup AB, a Swedish provider, in EU data centres. Our application servers and PostgreSQL database run on isolated infrastructure with restricted network access. We do not use any US-based or non-EU cloud infrastructure for personal data.

Encryption

  • In transit: all connections to the Service are encrypted with TLS 1.2 or higher.
  • At rest: data stored by the Service is encrypted at rest.
  • Passwords: account passwords are salted and hashed via better-auth, never stored in plain text.
  • IP addresses: submitter IP addresses are hashed (SHA-256) immediately on receipt and never written to disk in raw form.

Access control

We follow the principle of least privilege. Access to production systems and customer data is limited to authorised personnel who need it to operate the Service, and is granted only to the extent necessary.

Spam and abuse protection

Submissions pass through layered defences:

  • Honeypot fields to trap automated bot submissions;
  • Rate limiting to bound abusive submission volumes;
  • Origin allowlists so forms only accept submissions from the domains you authorise;
  • Optional Cloudflare Turnstile as a privacy-friendly challenge you can enable per form;
  • AI spam scoring on paid plans, processed within the EU by Mistral AI.

Backups and recovery

We take regular encrypted backups of the PostgreSQL database and maintain a documented recovery process so the Service can be restored in the event of data loss or infrastructure failure.

Incident response

We maintain a defined process for handling security events, including triage, containment, and notification. Where a personal-data breach is likely to result in a risk to individuals, we will notify the relevant supervisory authority and affected parties as required by the GDPR.

Data residency

All form-submission data (submissions, account data, and backups) stays within the EU (Sweden). We do not transfer form-submission data outside the EU/EEA. The exceptions are the paying customer's billing data, which Stripe processes partly in the US under SCCs and the EU–US Data Privacy Framework, and the optional Cloudflare Turnstile challenge — both separate from form-submission content. We treat EU residency for submission data as both a compliance property and a security property: a smaller, EU-only data-flow surface is easier to reason about and protect.

Compliance

The Service is built to be GDPR-compliant; our data practices, legal bases, sub-processors, and data-subject rights are detailed in our Privacy Policy. A Data Processing Agreement (DPA) is available, and can also be requested from privacy@formward.eu.

We do not currently hold a SOC 2 audit; a formal SOC 2 Type II programme is on our roadmap. We will only publish certifications once they have been independently completed.

Responsible disclosure

If you believe you have found a security vulnerability, please report it responsibly to security@formward.eu. We ask that you give us a reasonable opportunity to investigate and remediate before any public disclosure, and that you avoid accessing or modifying other users' data during your research. We appreciate the work of the security community and will acknowledge valid reports.
