Privacy & Security
How we minimize data retention and protect submissions
Privacy by Design
FormFeeder is built with privacy as the default. We minimize data retention and give you complete control over how your form data is handled.
Privacy Mode (Default for Private Forms)
When privacy mode is enabled, FormFeeder acts as a pure relay service:
✅ No form data is stored in our database
✅ Submissions are immediately forwarded to your configured destinations
✅ Uploaded files are temporarily stored only during processing, then automatically deleted
✅ No submission history or analytics are collected
✅ Perfect for GDPR compliance and sensitive data
Regular Mode (Dashboard Forms)
For forms created through the dashboard, you have the option to enable analytics and submission history:
- Form data can be stored for analytics and management
- You control retention periods
- Data can be exported or deleted at any time
- Still maintains strong security practices
Data Handling Principles
Minimal Data Collection
We only collect data necessary for form operation:
- Form submissions: Only when not in privacy mode
- Metadata: IP address, timestamp, user agent (for security)
- Files: Temporarily stored, automatically cleaned up
- Analytics: Only basic form performance metrics (if enabled)
Data Retention
| Data Type | Privacy Mode | Regular Mode |
|---|---|---|
| Form submissions | Not stored | Configurable (30-90 days default) |
| File uploads | Deleted after processing | Configurable retention |
| Metadata logs | 24 hours | 30 days |
| Analytics | Not collected | Aggregated only |
Geographic Data Residency
- Primary servers: Located in secure data centers
- File storage: Geographically distributed for performance
- Compliance: Meets GDPR and CCPA requirements
- Data sovereignty: Data stays within configured regions
Security Measures
Encryption
- In Transit: All data encrypted with TLS 1.3
- At Rest: AES-256 encryption for stored data
- Files: Encrypted storage with secure access URLs
- Backups: Encrypted with separate key management
Access Controls
- Authentication: Multi-factor authentication required
- Authorization: Role-based access control (RBAC)
- API Keys: Scoped permissions and rotation
- Audit Logs: All access and changes logged
Infrastructure Security
- Network: Private VPCs with firewall rules
- Monitoring: 24/7 security monitoring and alerts
- Updates: Automated security patching
- Compliance: SOC 2 Type II, ISO 27001 practices
GDPR Compliance
FormFeeder helps you maintain GDPR compliance with built-in privacy features.
Data Subject Rights
Right to Information
- Clear privacy policy explaining data usage
- Transparent form processing notifications
- Data retention period disclosures
Right of Access
- Dashboard users can view their form data
- Export functionality for data portability
- API access for programmatic data retrieval
Right to Rectification
- Form data can be updated through the dashboard
- API endpoints for data correction
- Automatic propagation to connected systems
Right to Erasure ("Right to be Forgotten")
- Privacy mode: Data automatically deleted
- Regular mode: Manual or automated deletion
- Complete removal including backups
Right to Restrict Processing
- Forms can be disabled temporarily
- Data processing can be paused
- Connector execution can be suspended
Legal Basis for Processing
FormFeeder supports various legal bases:
- Consent: Form submissions with user consent
- Contract: Processing for service delivery
- Legitimate Interest: Security monitoring, spam prevention
- Legal Obligation: Compliance with applicable laws
Data Processing Agreements (DPAs)
Enterprise customers receive comprehensive DPAs covering:
- Data processing purposes and methods
- Security measures and commitments
- Data subject rights procedures
- Breach notification processes
- Sub-processor disclosures
Security Best Practices for Users
Form Configuration
- Domain Restrictions: Always configure allowed domains
- Rate Limiting: Enable appropriate rate limits
- File Types: Restrict allowed file types and sizes
- Validation: Use client and server-side validation
Sensitive Data Handling
- Privacy Mode: Enable for sensitive forms
- Field Encryption: Consider client-side encryption for highly sensitive data
- Minimization: Only collect necessary data fields
- Retention: Set appropriate data retention periods
Access Management
- Strong Passwords: Use complex, unique passwords
- Two-Factor Auth: Enable 2FA on all accounts
- Regular Audits: Review team access regularly
- API Security: Rotate API keys periodically
Incident Response
Security Incident Process
- Detection: Automated monitoring and alerting
- Assessment: Rapid impact analysis and classification
- Containment: Immediate threat isolation
- Investigation: Forensic analysis and root cause determination
- Recovery: System restoration and security hardening
- Communication: Transparent customer notification
Breach Notification
- Timeline: Within 72 hours to authorities (GDPR requirement)
- Customer Notice: Within 24 hours of confirmed breach
- Documentation: Detailed incident reports provided
- Remediation: Action plans and preventive measures
Compliance Certifications
Current Certifications
- SOC 2 Type II: Annual compliance auditing
- ISO 27001: Information security management
- GDPR: European data protection compliance
- CCPA: California consumer privacy compliance
Audit Reports
Available to enterprise customers:
- Security audit reports
- Penetration testing results
- Compliance assessment documents
- Third-party security evaluations
Data Subject Requests
Request Process
- Submit Request: Through dashboard or support email
- Identity Verification: Required for data protection
- Processing: Within 30 days (GDPR requirement)
- Response: Detailed response with requested action
Supported Request Types
- Data access and portability
- Data correction and updates
- Data deletion and erasure
- Processing restriction
- Objection to processing
Contact for Privacy Requests
Email: [email protected]
Response Time: Within 24 hours
Processing Time: Within 30 days (legal maximum)
Transparency Reports
We publish regular transparency reports covering:
- Data processing volumes and types
- Government data requests (if any)
- Security incident summaries
- Compliance audit results
Reports available at: formfeeder.io/transparency
Questions and Support
For privacy and security questions:
- Technical Support: [email protected]
- Privacy Officer: [email protected]
- Security Team: [email protected]
- Legal Inquiries: [email protected]
We're committed to transparency and are happy to discuss our privacy and security practices in detail.