Security at FormCrafts

The security of your data is of paramount importance to us at FormCrafts. We never sell your data, and take all the necessary precautions to safeguard it from unwanted access. You can learn more about our security practices on this page.



Data Processor vs Data Controller

A data controller is, "a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing of personal data." Since FormCrafts collects and processes the data on behalf of form creators, it acts as a data processor.

Data Processing Addendum (DPA)

We offer data processing addendums (DPAs) for customers that operate in the EU. Our DPA offers terms and conditions that fulfill GDPR requirements, and reflects our commitment to EU data privacy.

A standard DPA is available to all customers, and can be requested here. We are also able to provide a signed DPA for customers on our Business or Enterprise plans. The same can be requested via your account manager / contact person at FormCrafts.

Right to be Forgotten

FormCrafts' users can delete their account from their dashboard. This deletion results in the erasure of all their data, and that of the subsequent form respondents.

Invoices are not deleted, as required by law. Certain data remains on backup servers and is erased in 30 days, when backups are overwritten.

Right to Data Portability

You can export responses on the Responses page, by clicking on the Export button. Other data (like forms) can be requested via the contact form on your dashboard.

Right to Rectification

You can edit your information with us on the Account page.


FormCrafts does not store payment data. We use a third-party service called Stripe to accept and process payment information.

Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry.


The California Consumer Privacy Act (CCPA) protects privacy rights of California consumers by giving them more control over the personal information that businesses collect about them. FormCrafts is compliant with CCPA regulations.

A standard DPA that complies with CCPA is available to all customers, and can be requested here. We are also able to provide a signed DPA for customers on our Business or Enterprise plans. The same can be requested via your account manager / contact person at FormCrafts.

Hosting and network security

FormCrafts' servers are hosted with DigitalOcean, which is AICPA SOC 2 Type II and SOC 3 Type II certified. Our main servers are located in New York.

Our application is hosted on a Virtual Private Cloud with necessary firewalls and access control. Critical parts of our application (like databases) are not publicly accessible.

Organization policies

FormCrafts has a business continuity plan, and a broad set of organizational policies governing security and data privacy, including password policy, communication protocols, access control, non-disclosure agreements, etc. We also conduct regular internal tests and workshops to update our policies.


Your data in FormCrafts' databases is encrypted at rest, and in transit with SSL.

FormCrafts is fully accessible via HTTPS-only URLs, and certain data-sensitive parts of our application (like the dashboard) are only accessible via HTTPS-only pages. We use the TLS protocol with a 128-bit key for website encryption. All forms created on our application are accessible on HTTPS or non-HTTPS pages.


Backups are an important part of business continuity planning. We take application backups every week, and database backups every day. Backups are overwritten every 30 days.

For example, if you wanted to delete your account with us, you would be able to do so right away. However, your account will still remain in our backups for a period of about 30 days, when those backups get overwritten.


We follow industry-standard best practices for most of our application development. Testing and production environments are isolated. New employees go through rigorous training and education when they are hired, and also on a periodic basis.

Least privilege

Application developers are only given access to our codebase and data on a need-to basis. Access grants are periodically re-evaluated, and access is revoked immediately on termination.


OWASP Top 10 is a standard awareness document for developers and web application security, listing the most critical security risks for web applications. We follow this document during application development. Developers are trained on these principles on hire, and also on a periodic basis.

Penetration testing

We conduct periodic penetration testing internally. This helps us find vulnerabilities and fix them before breaches. Penetration testing is sometimes accompanied by load testing, which allows us to test how well FormCrafts would perform when exposed to abnormally large web traffic.

Last Update: 9th Feb, 2023