discount

Up to 65% off on all yearly plans! 🎁 Start fresh with a yearly plan. Now 65% off! ❄️ 🏷️

Upgrade Now

Security and Data Protection

Create secure forms online

forms.app always values data privacy and security. That's why securing your data is the #1 priority to us. See the technical measures we take and learn how we keep your data safe and secure.

Is forms.app secure?

forms.app always values data privacy and security. That's why securing your data is the #1 priority to us. See the technical measures we take and learn how we keep your data safe and secure.

GDPR Compliance

The European Parliament adopted the GDPR in 2016. It carries a legal framework that sets guidelines for the collection, processing and protection of the personal data and privacy of EU citizens for transactions that occur within EU member states. The GDPR also regulates the exportation of personal data outside the EU. forms.app processes all of customers’ personal data complying with the GDPR. Read more

As forms.app has located its servers in European Union, we comply with the GDPR and use all necessary means for data protection.

What is the GDPR?

The GDPR or EU General Data Protection Regulation is a privacy law that helps protect people's personal information and gives EU citizens the right to decide what happens to their personal data. This law applies to any company that has servers in the European Union. For more information, you can visit the data protection page published by the European Commission.

Is forms.app GDPR compliant?

Yes, forms.app’s servers are located in Belgium (EU) and we fully comply with the GDPR framework. This means that your data is safe with forms.app. We will never share your data with anyone without your explicit permission and take all necessary measures to protect your data.

How do we protect your data?

All form data is encrypted and stored in our EU servers. You can always access the data you collect and manage it on the responses page. If you want to sign a Data Processing Agreement with forms.app, you can easily send us an email or fill out the contact form. For more information, please read our privacy policy.

Additional resources:

Certifications and Compliances

1. ISO/IEC 27001

ISO/IEC 27001 is an international standard for information security. forms.app implements the standard to demonstrate to customers that they meet a strong level of security. We maintain confidentiality, integrity and availability of information according to ISO/IEC 27001.

2. ISO/IEC 27701

forms.app follows ISO/IEC 27701 standards for privacy information management to ensure personal information’s confidentiality, integrity, and availability. This showcases our commitment to maintaining high privacy protection for our customers and upholding their trust.

3. PCI DSS

forms.app does not store customers’ payment data and uses third party applications for payment and one of them is Stripe. Using Stripe ensures compliance with the Payment Card Industry’s Data Security Standards (PCI DSS 3.2) and the Revised Directive on Payment Services (PSD2) for processing our customers’ financial information securely in accordance with these standards.

4. OWASP

The Open Web Application Security Project(OWASP) works to improve the security of software and forms.app follows the rules of that and tests of applications according to OWASP.

5. CCPA Compliance

The California Consumer Privacy Act(CCPA) gives California consumers more control over the personal data that businesses collect about them and the CCPA regulations provide guidance on how to implement the law. forms.app is compliant with the CCPA which outlaws the processing of personal data of California consumers without their consent.

CALIFORNIA PRIVACY RIGHTS

California consumers have a right to knowledge, access, and deletion of their personal information under the California Consumer Privacy Act(CCPA). California consumers also have a right to opt out of the sale of their personal information by a business and a right not to be discriminated against for exercising their California privacy rights. forms.app does not sell the personal information of California consumers and does not discriminate in response to privacy rights requests. 

forms.app provides notice of our privacy practices in our Privacy Policy. The Privacy Policy includes what personal information is collected, the source of the personal information, and the purposes of use, as well as whether forms.app discloses that personal information and if so, the categories of third parties to whom it is disclosed. Unless otherwise expressly stated, all terms in these CCPA Notice have the same meaning as defined in our Privacy Policy or as otherwise defined in the CCPA.

I- If you are a California consumer, you may have the following rights:

a. Access. You may have the right to access:

  • the categories of personal information we have collected about you,
  • the sources from which that information was collected,
  • the business or commercial purpose for collecting your personal information,
  • the categories of third parties with whom we share your personal information,
  • the specific pieces of personal information we have collected about you,
  • the categories of personal information we sold about you,
  • the categories of third parties to whom we sold personal information about you(if any), 
  • the categories of personal information we disclosed for a business purpose.

b. Deletion. You may have the right, under certain circumstances, to request that we delete the personal information you have provided to us. 

c. Non-discrimination. You have the right to be free from discrimination related to your exercise of any of your California privacy rights.

d. Verification. In order to protect your personal information from unauthorized access or deletion, we may require you to verify your credentials before you can submit a rights request. If you do not have an account with us, or if we suspect that your account has suffered fraudulent or malicious activity, we may ask you to provide additional personal information for verification. For forms.app members, we may require that you confirm certain pieces of personal information that we have on file and/or log into your forms.app account. If we are subsequently unable to confirm your identity, we may refuse your rights request.

e. Right to Know. You have the right to know the categories of personal information, categories of sources, and/or categories of third parties related to the processing of your personal information. 

f. What you can do to manage your privacy. You have choices when it comes to managing the privacy of your personal information.

g. Update your privacy settings. You may update your privacy settings by visiting your account settings.

II- How to Exercise Your California Privacy Rights

California consumers can exercise their rights directly or through an authorized agent by filling out this form. If you do not have a forms.app  account, forms.app will ask you for information that we consider necessary to verify your identity for security and to prevent fraud. This information may include name, contact information, and information related to your transaction or relationship with forms.app, but the specific information requested may differ depending on the circumstances of your request for your security and to protect privacy rights. 

If you want to delete your forms.app account please fill in this form. Please note that if you choose to cancel your data and you are a customer, your account will be deleted after 7 days you request all data in your account will be permanently deleted from our systems. If we delete your personal information, we will both render certain personal information about you permanently unrecoverable and also deidentify certain personal information.

As noted above, we do not “sell” personal information as most people would typically understand that term. However, we do allow certain third-party partners and providers to collect information about consumers directly through our services for purposes of analyzing and optimizing our services and ads, providing content and ads that are more relevant, measuring statistics and the success of ad campaigns, and detecting and reporting fraud. To the extent this practice is interpreted to constitute a “sale” under the CCPA, please see our Cookie Policy for more information including how you may be able to exercise your rights to opt-out of cookies, analytics and personalized advertising.

III- Contact Us

If you have any questions about Policy, you may contact us using this form.

(Last updated on July 2022)

6. Spam Protection

You can use in your forms CAPTCHA, as provided by Google, to protect your forms from spammers while still responding to your forms by responders. forms.app offers additional spam protection ways such as multiple coding checks and limit submissions to your form. If you need further protection and spam does get through our team will be ready to help identify the cause and credit your account.

7. Backup

We back up in real time your data between multiple servers hosted by our service provider Google Cloud. If you need to back up your data with a single click and download it as an Excel or Google Sheet document.

8. Network Security

Our network security measures protect your network and data from breaches, intrusions and other threats. We use basic filtering provided by CloudFlare to protect your data and network from any potential DDoS(denial of service) attacks. Our servers are designed to allow only the minimum level of access needed to maintain them. It involves creating a secure infrastructure for devices, applications, users, and applications to work in a secure manner. Our employees can access the servers only through a Virtual Private Network using a 2048-bit encrypted connection with private keys. In addition to 3rd-party security services, our team continuously monitors any suspicious behavior on the entire system.

9. Privacy of Your Forms

We cares about your forms’ privacy and you can choose a level of privacy that limits access to your data. Cloning of your forms or requiring a login to access a submission is disabled and this is by default protected via unique URLs. You are able to make your data public and access to the people in your team or you can access your data by using integrations with your permission.

Security Measures

forms.app maintains an Information Security Policy designed to (i) help secure personal data against accidental or unlawful loss, access or disclosure; (ii) identify reasonably foreseeable and internal risks to security and unauthorized access; and (iii) minimize security risks, including through risk assessment and regular testing.You may have the following rights if you are a resident of Australia, the UK, and EEA Citizens.

For Australian citizens

I- If you are an Australia resident, you may have the following rights:

a. Access. You may have the right to access:

  • The categories of personal information we have collected about you,
  • The sources from which that information was collected,
  • The business or commercial purpose for collecting your personal information,
  • The categories of third parties with whom we share your personal information,
  • The specific pieces of personal information we have collected about you,
  • The categories of personal information we sold about you,
  • The categories of third parties to whom we sold personal information about you(if any), 
  • The categories of personal information we disclosed for a business purpose.

b. Objection and Restriction. You may object to our processing of your personal information, including for marketing purposes, or ask us to restrict processing of your personal information. If you request that we stop processing some or all of your personal information or you withdraw (where applicable) your consent for our use or disclosure of your personal information for purposes set out in this Privacy Policy, we might not be able to provide you all of the Services and customer support offered to our users and authorized under this Policy.

c. Deletion. To make a request for deletion of your personal information, contact us through the form provided in the “How to Exercise Your Rights” section for Australia, below.

II- How to Exercise Your Rights

Australia citizens can exercise their rights directly by filling out this form. If you do not have a forms.app  account, forms.app will ask you for information that we consider necessary to verify your identity for security and to prevent fraud. This information may include name, contact information, and information related to your transaction or relationship with forms.app, but the specific information requested may differ depending on the circumstances of your request for your security and to protect privacy rights. 

If you want to delete your forms.app account please fill in this form. Please note that if you choose to cancel your data and you are a customer, your account will be deleted after 30 days you request all data in your account will be permanently deleted from our systems. If we delete your personal information, we will both render certain personal information about you permanently unrecoverable and also deidentify certain personal information.

In addition, you may update your privacy settings by visiting your account settings and You can edit and correct your personal information at any time by changing it directly in our products and services. To object to data processing or request a restriction, contact us through the link provided in the “Contact Us” section, below.

We do allow certain third-party partners and providers to collect information about consumers directly through our services for purposes of analyzing and optimizing our services and ads, providing content and ads that are more relevant, measuring statistics and the success of ad campaigns, and detecting and reporting fraud. Please see our Cookie Policy for more information including how you may be able to exercise your rights to opt-out of cookies, analytics and personalized advertising.

III- Contact Us

If you have any questions about Policy, you may contact us using this form.

(Last updated on July 2022)

* * *

For UK or EEA citizens

I- If you are resident of the UK or EEA(Europe Economic Area), you may have the following rights:

a. Access. You may have the right to access:

  • The categories of personal information we have collected about you,
  • The sources from which that information was collected,
  • The business or commercial purpose for collecting your personal information,
  • The categories of third parties with whom we share your personal information,
  • The specific pieces of personal information we have collected about you,
  • The categories of personal information we sold about you,
  • The categories of third parties to whom we sold personal information about you(if any), 
  • The categories of personal information we disclosed for a business purpose.

b. Objection and Restriction. You may object to our processing of your personal information, including for marketing purposes, or ask us to restrict processing of your personal information. If you request that we stop processing some or all of your personal information or you withdraw (where applicable) your consent for our use or disclosure of your personal information for purposes set out in this Privacy Policy, we might not be able to provide you all of the Services and customer support offered to our users and authorized under this Policy.

c. Correction and Deletion. To make a request for deletion of your personal information, contact us through the form provided in the “How to Exercise Your Rights” section for Australia, below.

d. Portability. You may request portability of your personal information.

e. Withdraw Consent. If we process your personal information with your consent, you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.

II- How to Exercise Your Rights

UK or EEA citizens can exercise their rights directly by filling out this form. If you do not have a forms.app  account, forms.app will ask you for information that we consider necessary to verify your identity for security and to prevent fraud. This information may include name, contact information, and information related to your transaction or relationship with forms.app, but the specific information requested may differ depending on the circumstances of your request for your security and to protect privacy rights. 

If you want to delete your forms.app account please fill in this form. Please note that if you choose to cancel your data and you are a customer, your account will be deleted after 30 days you request all data in your account will be permanently deleted from our systems. If we delete your personal information, we will both render certain personal information about you permanently unrecoverable and also deidentify certain personal information.

In addition, you may update your privacy settings by visiting your account settings and You can edit and correct your personal information at any time by changing it directly in our products and services. To object to data processing or request a restriction, contact us through the link provided in the “Contact Us” section, below.

III- Contact Us

If you have any questions about Policy, you may contact us using this form

(Last updated on July 2022)

Our Information Security Policy includes the following measures:

1. Confidentiality

The measures to ensure confidentiality include;

1.1. Physical Access Control;

Measures suitable for preventing unauthorized persons from gaining access to data processing systems with which personal data are processed or used.
a. Technical Measures
  • Automatic access control system
  • Biometric access barriers
  • Smart cards
  • Manual locking system
  • Doorbell system with camera
  • Video surveillance of entrances
b. Organizational Measures
  • Reception / Receptionist / Gatekeeper
  • Employee / visitor badges
  • Visitors accompanied by employees
  • Care in selection of cleaning services
  • Information Security Policy
  • Work instructions for operational safety
  • Work instruction access control

1.2. Logical Access Control;

Measures suitable for preventing data processing systems from being used by unauthorized persons.
a. Technical Measures
  • Login with username+strong password
  • Firewall
  • Intrusion Detection Systems
  • Use of VPN for remote access
  • Automatic desktop lock
  • Encryption of notebooks / tablet
  • Two-factor authentication in data center operation and for critical systems
Organizational Measures
  • User permission management
  • Creating user profiles
  • Central password assignment
  • Information Security Policy
  • Work instruction IT user regulations
  • Work instruction operational security
  • Work instruction access control
  • Mobile Device Policy

1.3. Authorization Control;

Measures to ensure that those authorized to use a data processing system can only access the data subject to their access authorization and that personal data cannot be read, copied, modified or removed without authorization during processing, use and after storage.
a. Technical Measures
  • Logging of accesses to applications, specifically when entering, changing, and deleting data
  • SSH encrypted access
  • Certified SSL encryption
b. Organizational Measures
  • Use of authorization concepts
  • Minimum number of administrators
  • Management of user rights by administrators
  • Information Security Policy
  • Work instruction communication security
  • Work instruction Handling of information and values

1.4. Separation Control;

Measures that ensure that data collected for different purposes can be processed separately. This can be ensured, for example, by logical and physical separation of the data.
a. Technical Measures
  • Separation of productive and test environment
  • Physical separation (systems / databases / data carriers)
  • Multi-tenancy of relevant applications
  • VLAN segmentation
  • Staging of development, test and production environment
b. Organizational Measures
  • Control via authorization concept
  • Determination of database rights
  • Information Security Policy
  • Data Protection Policy
  • Work instruction operational security
  • Work instruction security in software development

1.5. Pseudonymization;

The processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures.
a. Technical Measures
  • log files are pseudonymized at the request of the client
b. Organizational Measures
  • Internal instruction to anonymize/pseudonymize personal data as far as possible in the event of
  • disclosure or even after the statutory deletion period has expired
  • Information Security Policy
  • Data Protection Policy
  • Specific internal regulations on cryptography

2. Integrity

The measures to ensure integrity include;

2.1. Transfer Control;

Measures to ensure that personal data cannot be read, copied, altered or removed by unauthorized persons during electronic transmission or while being transported or stored on data media, and that it is possible to verify and establish to which entities personal data are intended to be transmitted by data transmission equipment.
a. Technical Measures
  • Use of VPN
  • Logging of accesses and retrievals
  • Provision via encrypted connections such as sftp, https and secure cloudstores
  • Use of signature procedures (case dependent)
b. Organizational Measures
  • Survey of regular retrieval and transmission processes
  • Transmission in anonymized or pseudonymized form
  • Careful selection of transport personnel and vehicles
  • Personal handover with protocol
  • Information Security Policy
  • Data Protection Policy

2.2. Input Control;

Measures that ensure that it is possible to check and establish retrospectively whether and by whom personal data has been entered into, modified or removed from data processing systems. Input control is achieved through logging, which can take place at various levels (e.g., operating system, network, firewall, database, application).
a. Technical Measures
  • Technical logging of the entry, modification and deletion of data
  • Manual or automated control of the logs(according to strict internal specifications)
b. Organizational Measures
  • Survey of which programs can be used to enter, change or delete which data
  • Traceability of data entry, modification and deletion through individual user names (not user groups)
  • Assignment of rights to enter, change and delete data on the basis of an authorization concept
  • Retention of forms from which data has been transferred to automated processes
  • Clear responsibilities for deletions
  • Information Security Policy
  • Work instruction IT user regulations

3. Availability and Resilience

The measures to ensure availability and resilience include;

3.1. Recoverability Control;

Measures capable of rapidly restoring the availability of and access to personal data in the event of a physical or technical incident.
Technical Measures
  • Backup monitoring and reporting
  • Restorability from automation tools
  • Backup concept according to criticality and customer specifications
Organizational Measures
  • Recovery concept
  • Control of the backup process
  • Regular testing of data recovery and logging of results
  • Storage of backup media in a safe place outside the server room
  • Existence of an emergency plan
  • Information Security Policy
  • Work instruction operational security

4. Procedures for regular Review, Assessment and Evaluation

4.1. Data Protection Management

a. Technical Measures
  • Central documentation of all data protection regulations with access for employees
  • Security certification according to ISO 27001
  • Data protection checkpoints consistently implemented in tool-supported risk assessment
b. Organizational Measures
  • Staff trained and obliged to confidentiality/data secrecy
  • Regular awareness trainings at least annually
  • Internal Information Security Officer appointed:
  • Processes regarding information obligations according to Art 13 and 14 GDPR established
  • Formalized process for requests for information from data subjects is in place
  • Data protection aspects established as part of corporate risk management
  • ISO 27001 certification of key parts of the company including data center operations and annual monitoring audits

4.2. Incident Response Management

a. Technical Measures
  • Use of firewall and regular updating
  • Use of spam filter and regular updating
  • Use of virus scanner and regular updating
  • Intrusion Detection System (IDS) for customer systems on order
  • Intrusion Prevention System (IPS) for customer systems on order
b. Organizational Measures
  • Documented process for detecting and reporting security incidents / data breaches (also with regard to reporting obligation to supervisory authority)
  • Formalized procedure for handling security incidents
  • Involvement of ISO in security incidents and data breaches
  • Documentation of security incidents and data breaches via ticket system
  • A formal process for following up on security incidents and data breaches
  • Information Security Policy
  • Data Protection Policy
  • Work instruction operational security
  • Work instruction IT user regulations

4.3. Data Protection by Design and by Default

a. Technical Measures
  • No more personal data is collected than is necessary for the respective purpose
  • Use of data protection-friendly default settings in standard and individual software
b. Organizational Measures
  • Data Protection Policy (includes principles "privacy by design / by default")
  • OWASP Secure Mobile Development Security Checks are performed
  • Perimeter analysis for web applications

4.4. Order Control (outsourcing, subcontractors and order processing)

a. Technical Measures
  • Monitoring of remote access by external parties, e.g. in the context of remote support
  • Monitoring of subcontractors according to the principles and with the technologies according to the preceding chapters 1, 2
b. Organizational Measures
  • Work instruction supplier management and supplier evaluation
  • Prior review of the security measures taken by the contractor and their documentation
  • Selection of the contractor under due diligence aspects (especially with regard to data protection and data security)
  • Conclusion of the necessary data processing agreement on commissioned processing or EU standard contractual clauses
  • Framework agreement on contractual data processing within the group of companies
  • Written instructions to the contractor
  • Obligation of the contractor's employees to maintain data secrecy
  • Agreement on effective control rights over the contractor
  • Regulation on the use of further subcontractors
  • Ensuring the destruction of data after termination of the contract
  • In the case of longer collaboration: ongoing review of the contractor and its level of protection

4.5. Data Processing Agreement(DPA)

forms.app has a standard Data Processing Agreement(DPA) for its users with respect to the Processing of Personal Data by us on behalf of you in connection with the forms.app Services under the Terms of Use between you and us.

Our Data Processing Agreement offers GDPR requirements, Standard Contractual Clauses and our security measures. To ensure no inconsistent or additional terms are imposed on us beyond that reflected in our standard DPA and model clauses, we cannot agree to sign customers’ DPAs. 

We will not be able to redraft or add any clause to the DPA and can not sign customers’ DPAs. If you wish to sign a DPA please fill out this form.

Once we received your reply the DPA will be emailed to you and will be signed electronically by both parties.

5. Employee Security

forms.app has signed confidentiality agreements with the employees and contractors. Also, all employees and contractors have a common way to report incidents approved by the organization and they will undergo at least an annual security awareness training.

Last updated on July 2022