Trust
Trust center
Formward is a European form backend. We have designed the Service so that your form-submission data — and the personal data of the people who fill in your forms — stays in the EU/EEA. This page summarises how we protect that data and where it lives. For the full detail, see our Security and Privacy pages and the compliance pack.
EU data residency
Your form-submission data is stored on infrastructure operated by Hostup AB in Sweden. The application and PostgreSQL database run on EU infrastructure; we use no US-based or non-EU cloud for personal data. By design, form-submission data — and the personal data of the people who fill in your forms — does not leave the EU/EEA.
GDPR by default
The Service is built to be GDPR-compliant. We act as your processor for submission data, with a Data Processing Agreement available. Data-subject rights — access, export, and erasure — are self-serve from your account settings, and our legal bases are documented in the Privacy Policy.
Encryption in transit
All connections to the Service are encrypted with TLS 1.2 or higher, and data stored by the Service is encrypted at rest. Account passwords are salted and hashed via better-auth and never stored in plain text.
Submitter IP protection
Submitter IP addresses are protected with a keyed hash (HMAC-SHA-256 with a secret server-side salt) immediately on receipt; raw IP values are never written to disk. Keyed hashing means the stored value cannot be linked back to an IP address without our secret salt.
Data retention you control
Submissions are retained according to your plan and the retention window you configure, unless you delete them earlier. The free plan keeps submissions for 30 days; paid plans let you configure the retention window. Pseudonymised IP values share the lifetime of the submission they belong to.
No third-party tracking
We do not run third-party advertising or analytics trackers that profile your visitors. We use a minimal set of cookies — essential ones to keep you logged in and store your consent choices; any optional categories activate only with your consent via our consent manager.
Sub-processors
Every sub-processor that touches form-submission data is located within the EU/EEA. The list below mirrors our Privacy Policy; the full register lives in the Data Processing Agreement.
| Processor | Purpose | Region |
|---|---|---|
| Hostup AB | Cloud hosting infrastructure and PostgreSQL database storing all submission and account data. | Sweden (EU) |
| Mailjet / Sinch | Transactional email delivery: submission notifications sent to form owners. | France / EU |
| Mistral AI | AI enrichment (spam scoring, summarisation, lead scoring) on paid plans only. Free-plan submissions are never sent to Mistral. | France / EU |
| Stripe | Payment processing and subscription billing; merchant of record. Receives billing data only, never form-submission content. | EU contracting entity (Ireland); US parent |
Two US touchpoints exist, both separate from form-submission content: Stripe processes paying customers' billing data partly in the US under Standard Contractual Clauses and the EU–US Data Privacy Framework, and the optional Cloudflare Turnstile anti-bot challenge (off unless a form owner enables it) involves a browser interaction with Cloudflare covered by an appropriate Article 46 safeguard. Forms without Turnstile enabled involve no non-EU/EEA processing.
Backups and recovery
We take regular encrypted backups of the PostgreSQL database and maintain a documented recovery process so the Service can be restored after data loss or infrastructure failure. Backups stay within the EU (Sweden); data may persist in encrypted backups for a limited period after deletion before being overwritten on the normal rotation cycle.
Certifications
We do not currently hold a SOC 2 audit or ISO 27001 certification. A formal SOC 2 Type II programme is on our roadmap, and we will only publish a certification once it has been independently completed. In the meantime, our security and data-protection posture is documented openly across our Security, Privacy, and compliance pages.
Security questions or a vulnerability to report? Email security@formward.eu. For privacy and data-protection matters, contact privacy@formward.eu.