Data security overview

Security is foundational to NodumForms — both for you (the form owner) and for your respondents. This article covers what's in place today and how to think about the trust boundary.

Encryption in transit

Every connection between a browser and NodumForms uses HTTPS (TLS). The certificate is issued via standard certificate authorities and renewed automatically. This applies to:

  • The marketing site and dashboard at nodumforms.com.
  • Public form pages at /f/[shortId]/[slug].
  • Custom-domain form pages — we automatically provision a Let's Encrypt certificate when you point a CNAME at us.

Encryption at rest

Data sits on our cloud provider's managed Postgres and object storage. Both services apply disk-level encryption by default at the infrastructure layer. We do not encrypt individual rows or files in our application code; the protection is platform-level.

For most use cases — collecting names, emails, free-text feedback — this is appropriate. If your form collects highly sensitive data (health records, government IDs), consider whether a form-based collection model is the right fit at all, regardless of provider.

Access controls

  • Production systems require multi-factor authentication for any human access.
  • Database credentials are stored in our cloud provider's secret manager and rotated periodically.
  • Customer data is logically isolated by account ID in queries; we don't run per-customer database instances.

IP hashing

When a respondent submits a form, their IP address is hashed with a server-side salt using SHA-256 before being stored. The raw IP address is never persisted. The hash is used only to detect duplicate submissions from the same browser within a short window — it can't be reversed into an IP, and it can't be matched against any external dataset.
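A sketch of the scheme described above, added here as an illustration; it is not NodumForms code. The salt value, the 600-second window, the `salt || address` concatenation order, and the names `normalize_ip`, `hash_ip` and `DuplicateDetector` are all assumptions.

```python
import hashlib
import ipaddress

# Constructed values; a real salt would be loaded from a secret manager.
SALT = b"constructed-example-salt-not-a-real-secret"
WINDOW_SECONDS = 600  # assumed length of the "short window"


def normalize_ip(raw: str) -> bytes:
    """Canonicalize so the same client address always hashes identically."""
    addr = ipaddress.ip_address(raw.strip())
    # ::ffff:203.0.113.7 and 203.0.113.7 identify the same client.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.packed


def hash_ip(raw: str, salt: bytes = SALT) -> str:
    """SHA-256 over salt || canonical address bytes; only the digest is kept.

    The digest is only as opaque as the salt is secret: the IPv4 space is
    small, so the salt has to be protected like any other credential.
    """
    return hashlib.sha256(salt + normalize_ip(raw)).hexdigest()


class DuplicateDetector:
    """Maps (form_id, ip_hash) to the last submission time; holds no raw IPs."""

    def __init__(self, window: int = WINDOW_SECONDS):
        self.window = window
        self.last_seen: dict[tuple[str, str], float] = {}

    def is_duplicate(self, form_id: str, raw_ip: str, now: float) -> bool:
        key = (form_id, hash_ip(raw_ip))
        previous = self.last_seen.get(key)
        self.last_seen[key] = now
        return previous is not None and now - previous <= self.window


if __name__ == "__main__":
    detector = DuplicateDetector()
    # Constructed submissions using documentation-range addresses.
    print(detector.is_duplicate("form1", "203.0.113.7", 1000.0))
    print(detector.is_duplicate("form1", "::ffff:203.0.113.7", 1300.0))
```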

What we don't do

To be candid:

  • We don't currently hold third-party security certifications (SOC 2, ISO 27001). They're on the roadmap as we grow.
  • We don't offer end-to-end encryption or BYOK (bring-your-own-key) for stored responses.
  • We don't currently have a public bug-bounty program. Vulnerabilities can be reported privately to security@nodumforms.com — we acknowledge within 48 hours.

Reporting an issue

Suspect something is wrong — a leaked URL, a suspicious endpoint, anything? Email security@nodumforms.com. We acknowledge within 48 hours and triage by severity.

FAQs

Data is stored in enterprise-grade cloud infrastructure in the EU region by default. Enterprise customers can request specific regional deployments — contact support@nodumforms.com.

Never. NodumForms does not train, fine-tune, or share any machine learning models with form response data.

We follow SOC 2 controls today and formal certification is in progress. Enterprise customers can request our current security questionnaire and DPA from support@nodumforms.com.