Security

The security of your data is of paramount importance to us at Formcrafts. We never sell your data, and take all the necessary precautions to safeguard it from unwanted access. You can learn more about our security practices on this page.

Compliance

GDPR

As a data processor, Formcrafts diligently adheres to GDPR, implementing strict policies to manage personal data responsibly and transparently. Our roles and responsibilities are clearly defined to ensure compliance with European data protection laws.

Data Processor vs Data Controller

A data controller is "a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing of personal data." The form creator determines why and how respondent data is collected, so the form creator is the data controller. Since Formcrafts collects and processes that data on behalf of form creators, it acts as a data processor.

Data Processing Addendum (DPA)

We offer a data processing addendum (DPA) to customers that operate in the EU. Our DPA sets out the terms and conditions needed to fulfill GDPR requirements and reflects our commitment to EU data privacy.

Right to be Forgotten

Formcrafts users can delete their account from their dashboard. This deletion erases all of their data, including the data submitted by their form respondents.

Right to Data Portability

Users can easily export form responses, giving them control over and portability of their data. If you would like to bulk export your responses, please contact us.

Right to Rectification

We provide the means for users to update their personal information, ensuring data accuracy. You can edit your information with us on the Account page.

PCI DSS

Formcrafts does not store payment data. We use a third-party service called Stripe to accept and process payment information.

CCPA

The California Consumer Privacy Act (CCPA) protects privacy rights of California consumers. Formcrafts is compliant with CCPA regulations.

Hosting and Network Security

Formcrafts uses a variety of cloud providers to host its infrastructure. Our servers are hosted with:

  1. Fly.io
  2. Amazon Web Services

Our database is hosted with Amazon Web Services, and located in the European Union. Please note that even though our database is located in the EU, your data may be processed in other locations.

Organization Policies

Formcrafts has a business continuity plan and a broad set of organizational policies governing security and data privacy, including a password policy, communication protocols, access control, and non-disclosure agreements. We also conduct regular internal tests and workshops to keep these policies up to date.

Encryption

Your data in Formcrafts' databases is encrypted at rest with AES-256, and in transit via TLS.

Backups

We conduct regular database and application backups to prevent data loss and ensure quick recovery in the event of an incident.

Development

We follow industry-standard best practices for most of our application development. Testing and production environments are isolated. New employees go through rigorous training and education when they are hired, and also on a periodic basis.

Least Privilege

Application developers are given access to our codebase and data only on a need-to-know basis. Access grants are periodically re-evaluated, and access is revoked immediately on termination.

OWASP

The OWASP Top 10 is a standard awareness document for developers and web application security, listing the most critical security risks to web applications. We follow this document during application development. Developers are trained on these principles when hired, and again on a periodic basis.

Penetration Testing

To identify and mitigate vulnerabilities, we conduct regular internal penetration tests, enhancing our defense mechanisms.

Incident Response Plan

Formcrafts has a robust incident response plan to promptly address any security breaches or data leaks. Our dedicated team is trained to manage incidents effectively, minimizing impact and restoring security.