Security Features

Password Protection

Protect your forms with passwords so only authorized users can access them.
How it Works:
  1. Enable password protection in Form Settings
  2. Set custom password
  3. Users must enter password before viewing form
  4. Wrong password = access denied
Use Cases:
  • Internal surveys
  • Employee feedback forms
  • Confidential applications
  • Private event registrations
  • Client-specific forms
Setup:
Form Builder → Settings → Security → Password Protection
→ Toggle ON
→ Enter password
→ Save
Password Requirements:
  • Minimum 6 characters
  • No maximum length
  • Case-sensitive
  • Can include special characters
Best Practices:
  • Use strong passwords (mix of letters, numbers, symbols)
  • Don’t share password publicly
  • Change password periodically
  • Use different passwords for different forms
  • Share password securely (not in email subject)

reCAPTCHA v2 Protection

Block spam and bot submissions with Google reCAPTCHA.
How it Works:
  1. Enable reCAPTCHA in Form Settings
  2. Users see “I’m not a robot” checkbox
  3. Suspicious users get image challenge
  4. Bots blocked automatically
Setup:
Form Builder → Settings → Security → reCAPTCHA
→ Toggle ON
→ Save
Configuration: The site admin configures the reCAPTCHA keys in system settings.
When to Use:
  • ✅ Public forms (high spam risk)
  • ✅ Contact forms
  • ✅ Registration forms
  • ✅ Newsletter signups
  • ❌ Internal/password-protected forms (not needed)
  • ❌ Very short forms (may reduce conversions)
Impact on Conversions:
  • May slightly reduce completion rate (1-3%)
  • Protects from spam (worth the tradeoff)
  • Legitimate users pass easily

Form Closing

Automatically close forms after a deadline or submission limit.
Close by Date:
Form Builder → Settings → Closing → Set Closing Date
→ Select date and time
→ Choose timezone
→ Save
What Happens:
  • Form accessible until closing date
  • After deadline: Shows “Form Closed” message
  • New submissions blocked
  • Existing submissions preserved
Use Cases:
  • Event registration deadlines
  • Application periods
  • Limited-time surveys
  • Seasonal campaigns
Close by Submission Limit:
Note: Not currently available; this is a planned feature.

Spam Protection

Advanced spam detection and rate limiting.
Fingerprinting:
  • Tracks device fingerprints
  • Blocks repeated spam submissions
  • Rate limits per device
Rate Limiting:
  • Default: 5 submissions per hour per device
  • Configurable per form
  • Prevents submission flooding
  • Protects database from abuse
Blocked Submissions:
Users see: “Too many submissions. Please try again later.”
Configuration:
Form Settings → Advanced → Spam Protection
→ Max submissions per hour: 5
→ Time window: 60 minutes
What’s Tracked:
  • Device fingerprint (browser + system info)
  • IP address (not stored long-term)
  • Submission frequency
  • Suspicious patterns
Privacy:
  • No personal data in fingerprint
  • Hashed for privacy
  • Used only for spam detection
  • Not shared with third parties
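The fingerprint hashing and per-device sliding-window limit described above, written out as an added example (this is not TopFormBuilder's code; the keyed-hash construction, the attribute list fed into the fingerprint, and the `SubmissionRateLimiter` class are assumptions chosen to illustrate the behaviour). It keeps only a keyed hash of the browser and system attributes, enforces the documented default of 5 submissions per 60-minute window per device and form, and returns the same "Too many submissions" message the page shows to blocked users:

```python
import hashlib
import hmac
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple

# Hypothetical server-side key for the fingerprint hash. Keying the hash means the
# stored value cannot be reversed or compared across unrelated services.
# (Constructed demo value, not a real key.)
FINGERPRINT_KEY = b"constructed-demo-key-not-a-real-secret"

BLOCKED_MESSAGE = "Too many submissions. Please try again later."


def fingerprint_hash(user_agent: str, platform: str, screen: str, client_ip: str) -> str:
    """Reduce browser + system info and the client IP to one keyed SHA-256 hash.

    Only the hex digest is kept; the raw attributes and the IP are discarded,
    which matches the page's "hashed for privacy" and "IP not stored long-term".
    """
    raw = "|".join([user_agent, platform, screen, client_ip]).encode("utf-8")
    return hmac.new(FINGERPRINT_KEY, raw, hashlib.sha256).hexdigest()


class SubmissionRateLimiter:
    """Sliding-window limiter: at most `max_per_window` accepted submissions
    per (form, device) pair within the last `window_seconds`."""

    def __init__(self, max_per_window: int = 5, window_seconds: int = 60 * 60):
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        # (form_id, device_hash) -> timestamps of accepted submissions, oldest first
        self._events: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def check(self, form_id: str, device_hash: str, now: float) -> Tuple[bool, str]:
        """Return (accepted, message). Rejected attempts are not counted, so a
        blocked device is not pushed further back by retrying."""
        window = self._events[(form_id, device_hash)]
        # Forget submissions that have aged out of the window.
        while window and now - window[0] >= self.window_seconds:
            window.popleft()
        if len(window) >= self.max_per_window:
            return False, BLOCKED_MESSAGE
        window.append(now)
        return True, "accepted"


if __name__ == "__main__":
    # Constructed sample client attributes.
    device = fingerprint_hash("Mozilla/5.0 (X11; Linux x86_64)", "Linux", "1920x1080", "203.0.113.10")
    limiter = SubmissionRateLimiter()
    for second in range(7):
        print(second, limiter.check("contact-form", device, float(second)))
```

The limiter is keyed per form as well as per device, so a device that is blocked on one form can still submit a different one, which is the "configurable per form" behaviour the page describes.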

Data Privacy

Data Encryption

In Transit:
  • All data encrypted with SSL/TLS
  • HTTPS enforced on all pages
  • API requests encrypted
  • Webhook payloads encrypted
At Rest:
  • Database encrypted at rest
  • Backups encrypted
  • File uploads encrypted
  • API keys hashed

Data Storage

Submission Data:
  • Stored in secure database
  • Encrypted at rest
  • Regular backups
  • Geo-redundant storage
File Uploads:
  • Stored in encrypted cloud storage
  • Virus scanning
  • Size limits enforced
  • Temporary files cleaned up
Retention:
  • Submissions: Kept until you delete
  • Logs: 30-90 days depending on plan
  • Deleted data: Permanently removed within 30 days
  • Backups: 90 days

GDPR Compliance

TopFormBuilder is GDPR compliant.
User Rights:
  • Right to Access - Export your data anytime
  • Right to Deletion - Delete data on request
  • Right to Rectification - Update incorrect data
  • Right to Portability - Download data in standard format
  • Right to Object - Stop processing on request
How to Exercise Rights:
  1. Go to Account Settings → Privacy
  2. Select action (export, delete, etc.)
  3. Confirm request
  4. Process completed within 30 days
Data Processing:
  • Only necessary data collected
  • No unnecessary tracking
  • No selling of data
  • No third-party data sharing (except integrations you configure)
  • Clear privacy policy
Consent Management:
  • Legal field type for consent
  • Checkbox with custom text
  • Required for submission
  • Audit trail maintained

Data Access Control

Workspace Level:
  • Owner has full access
  • Admins have most access
  • Members have limited access
  • Configurable per workspace
Organization Level:
  • Organization-wide access model
  • Workspace-specific access model
  • Controlled by organization owner
Form Level:
  • Password protection
  • Custom domain isolation
  • White labeling
  • Access logs

Privacy Policy & Terms

Display in Forms:
  • Add legal/statement field
  • Link to privacy policy
  • Link to terms of service
  • Required checkbox for consent
Example:
Legal Field:
☑ I agree to the [Privacy Policy](https://company.com/privacy)
   and [Terms of Service](https://company.com/terms)
Best Practice: Always include privacy policy link in forms collecting personal data.

Security Best Practices

Account Security

Password Best Practices:
  • Use strong, unique passwords
  • Enable password manager
  • Don’t share account credentials
  • Change password if compromised
OAuth Security:
  • Use Google OAuth for easier login
  • Revoke access if suspicious activity
  • Review connected apps regularly
  • Use work email (not personal)
Session Management:
  • Sessions expire after inactivity
  • Logout from all devices option
  • Active sessions visible in settings

Form Security

Do:
  • Enable reCAPTCHA on public forms
  • Use password protection for sensitive forms
  • Set form closing dates when appropriate
  • Monitor submissions for spam patterns
  • Use HTTPS custom domains
  • Enable email verification
Don’t:
  • Share form passwords publicly
  • Disable reCAPTCHA on high-traffic forms
  • Collect unnecessary personal data
  • Use weak passwords
  • Ignore spam submissions
  • Share admin access freely

Data Handling

Collecting Data:
  • Only collect necessary information
  • Mark sensitive fields clearly
  • Don’t collect SSN, credit cards, or passwords
  • Use appropriate field types
  • Add privacy disclaimers
Storing Data:
  • Review submissions regularly
  • Delete old/unnecessary data
  • Export important data for backup
  • Clean up test submissions
Sharing Data:
  • Use secure methods to share submissions
  • Don’t email sensitive data unencrypted
  • Use workspace permissions appropriately
  • Revoke access when no longer needed

Integration Security

API Keys:
  • Store securely (not in public repos)
  • Rotate regularly
  • Revoke if compromised
  • Use separate keys per integration
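An added example of the key-handling pattern behind these bullets and the FAQ's "API keys are hashed": one key per integration, the plaintext shown once at issue time, only a salted hash stored, constant-time verification, and revoke/rotate operations. This is not TopFormBuilder's implementation: the page says bcrypt, while this example uses PBKDF2-HMAC-SHA256 from the standard library so it runs without a third-party package, and the `tfb_` key format, the `ApiKeyStore` class and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# Assumed work factor (the page does not state one).
PBKDF2_ITERATIONS = 100_000


def _hash_secret(secret_part: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret_part.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class ApiKeyStore:
    """In-memory stand-in for the encrypted database the page describes."""

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}  # key_id -> {integration, salt, hash, revoked}

    def issue(self, integration: str) -> str:
        """Create a key bound to one integration and return the plaintext exactly once."""
        key_id = secrets.token_hex(4)            # public lookup handle, not secret
        secret_part = secrets.token_urlsafe(32)  # 256 bits of randomness
        salt = os.urandom(16)
        self._records[key_id] = {
            "integration": integration,
            "salt": salt,
            "hash": _hash_secret(secret_part, salt),
            "revoked": False,
        }
        # Hypothetical key format: prefix, lookup id, secret. Only the hash is kept.
        return f"tfb_{key_id}_{secret_part}"

    def verify(self, presented: str) -> Optional[str]:
        """Return the integration name the key belongs to, or None if it is invalid."""
        try:
            prefix, key_id, secret_part = presented.split("_", 2)
        except ValueError:
            return None
        rec = self._records.get(key_id)
        if prefix != "tfb" or rec is None or rec["revoked"]:
            return None
        candidate = _hash_secret(secret_part, rec["salt"])
        # compare_digest avoids leaking where the digests first differ.
        if not hmac.compare_digest(candidate, rec["hash"]):
            return None
        return rec["integration"]

    def revoke(self, key_id: str) -> bool:
        rec = self._records.get(key_id)
        if rec is None:
            return False
        rec["revoked"] = True
        return True

    def rotate(self, presented: str) -> Optional[str]:
        """Revoke a valid key and issue a replacement for the same integration."""
        integration = self.verify(presented)
        if integration is None:
            return None
        self.revoke(presented.split("_", 2)[1])
        return self.issue(integration)


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.issue("slack")
    print("issued:", key)
    print("verify:", store.verify(key))
    new_key = store.rotate(key)
    print("old key after rotation:", store.verify(key))
    print("new key:", store.verify(new_key))
```

Because each integration gets its own key, revoking one (for example after a leaked CI log) does not break the others, which is the reason the page gives for "separate keys per integration".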
Webhooks:
  • Verify webhook signatures
  • Use HTTPS endpoints only
  • Whitelist TopFormBuilder IPs
  • Monitor webhook logs
OAuth:
  • Use workspace accounts (not personal)
  • Review permissions requested
  • Revoke unused integrations
  • Re-authorize if suspicious activity
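What "verify webhook signatures" and "whitelist TopFormBuilder IPs" look like on the receiving endpoint, as an added example that is not TopFormBuilder's code and does not describe its actual signing scheme. The scheme here is an assumption: the sender signs `"<timestamp>.<raw body>"` with HMAC-SHA256 under a shared secret and sends the hex digest in an `X-Signature` header and the Unix timestamp in `X-Timestamp`; the header names, the secret, the sender network and the sample payload are all constructed for the demo. The check runs on the raw bytes before any JSON parsing, rejects stale timestamps so a captured delivery cannot be replayed, and compares digests in constant time:

```python
import hashlib
import hmac
import ipaddress
import json
from typing import Dict, Tuple

# Constructed demo values, not real configuration.
WEBHOOK_SECRET = b"constructed-demo-webhook-secret"
ALLOWED_SENDER_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # placeholder for the published sender IPs
MAX_SKEW_SECONDS = 300  # how old a delivery may be before it is treated as a replay


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side (assumed scheme): HMAC-SHA256 over "<timestamp>.<raw body>"."""
    message = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(headers: Dict[str, str], body: bytes, remote_ip: str, now: float,
                   secret: bytes = WEBHOOK_SECRET) -> Tuple[bool, str]:
    """Receiver side. Returns (accepted, reason). Every rejection reason is distinct
    so the endpoint's logs show which control fired."""
    if not any(ipaddress.ip_address(remote_ip) in net for net in ALLOWED_SENDER_NETWORKS):
        return False, "sender IP not in allowlist"
    try:
        timestamp = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "missing or malformed timestamp"
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "timestamp outside replay window"
    expected = sign(secret, timestamp, body)
    provided = headers.get("X-Signature", "")
    # Constant-time comparison; never compare signatures with ==.
    if not hmac.compare_digest(expected, provided):
        return False, "signature mismatch"
    return True, "ok"


def handle_delivery(headers: Dict[str, str], body: bytes, remote_ip: str, now: float) -> dict:
    """Only parse the JSON after the signature has been verified."""
    accepted, reason = verify_webhook(headers, body, remote_ip, now)
    if not accepted:
        return {"status": 401, "reason": reason}
    payload = json.loads(body)
    return {"status": 200, "submission_id": payload.get("submission_id")}


if __name__ == "__main__":
    # Constructed sample delivery.
    body = json.dumps({"form_id": "contact", "submission_id": "sub_123"}).encode("utf-8")
    ts = 1_700_000_000
    headers = {"X-Timestamp": str(ts), "X-Signature": sign(WEBHOOK_SECRET, ts, body)}
    print(handle_delivery(headers, body, "203.0.113.5", ts + 10))
    print(handle_delivery(headers, body + b" ", "203.0.113.5", ts + 10))
    print(handle_delivery(headers, body, "198.51.100.7", ts + 10))
```

Signing over the raw bytes matters: re-serialising the parsed JSON can change key order or whitespace and break an otherwise valid signature, so the endpoint must keep the body exactly as received until verification is done.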

Compliance Features

GDPR

Features:
  • Data export (JSON, CSV)
  • Right to deletion
  • Consent management
  • Data processing agreements
  • Privacy by design
  • Breach notification (within 72 hours)
Form Fields:
  • Legal/consent field type
  • Checkbox for privacy policy acceptance
  • Required field validation
  • Audit trail of consents

CCPA (California Consumer Privacy Act)

Features:
  • Do Not Sell option
  • Data access requests
  • Data deletion requests
  • Opt-out mechanisms

Data Residency

Server Locations:
  • Data stored in secure data centers
  • Backup locations disclosed
  • Enterprise: Choose data region (optional)
Cross-Border Data:
  • Standard contractual clauses
  • Privacy Shield compliance (where applicable)
  • GDPR-compliant data processing

Reporting Security Issues

Found a Vulnerability?

Please report security issues responsibly.
How to Report:
  1. Email: [email protected]
  2. Include:
    • Detailed description
    • Steps to reproduce
    • Potential impact
    • Your contact information
  3. Do Not:
    • Exploit the vulnerability
    • Share publicly before fix
    • Access other users’ data
Response Time:
  • Acknowledgment: Within 24 hours
  • Investigation: Within 7 days
  • Fix timeline: Depends on severity
  • Public disclosure: After fix deployed
Rewards:
  • Critical vulnerabilities: Recognition + bounty (case-by-case)
  • Hall of Fame: Security researchers credited

Security Updates

How We Communicate:
  • Email notifications for critical issues
  • Changelog for security patches
  • Status page for incidents
  • Blog posts for major updates
Update Policy:
  • Critical patches: Immediate deployment
  • High priority: Within 48 hours
  • Medium priority: Within 2 weeks
  • Low priority: Next release cycle

Security Checklist

For Form Owners

Before Publishing:
  • Enable reCAPTCHA if public form
  • Set password protection if needed
  • Add privacy policy link
  • Test submission process
  • Configure notifications
  • Review form permissions
  • Check custom domain SSL
Regular Maintenance:
  • Review submissions for spam
  • Update passwords quarterly
  • Check integration security
  • Review workspace members
  • Export data backups
  • Delete old test forms
  • Monitor activity logs

For Workspace Admins

Setup:
  • Configure strong password policy
  • Enable SSO if available (Enterprise)
  • Set up MFA (if available)
  • Define workspace permissions
  • Configure SMTP securely
  • Set up integrations carefully
Ongoing:
  • Audit user access quarterly
  • Review activity logs monthly
  • Update API keys annually
  • Monitor security alerts
  • Train team on security practices
  • Document security procedures

Certifications & Standards

Security Standards:
  • SOC 2 Type II (in progress)
  • GDPR Compliant
  • CCPA Compliant
  • HTTPS/SSL Encrypted
  • Data encryption at rest
Infrastructure:
  • AWS/Cloud hosting
  • DDoS protection
  • Firewall protection
  • Regular security audits
  • Penetration testing (annual)
Third-Party Services:
  • Stripe for payments (PCI DSS compliant)
  • Google reCAPTCHA
  • Let’s Encrypt SSL certificates
  • Cloudflare CDN

Incident Response

In Case of Breach

Our Response:
  1. Detect - 24/7 monitoring
  2. Contain - Immediate isolation
  3. Investigate - Root cause analysis
  4. Notify - Affected users within 72 hours
  5. Remediate - Fix vulnerability
  6. Review - Prevent recurrence
Your Actions:
  1. Change Password - Immediately
  2. Review Activity - Check access logs
  3. Revoke Sessions - Logout all devices
  4. Update API Keys - If compromised
  5. Monitor - Watch for suspicious activity
  6. Contact Support - Report concerns

Status Page

Check system status and incidents:
https://status.topformbuilder.com
Subscribe to Alerts:
  • Email notifications
  • SMS alerts (critical only)
  • RSS feed
  • Slack integration

FAQs

Q: Is my data encrypted?
A: Yes, all data is encrypted in transit (SSL/TLS) and at rest (AES-256).

Q: Who can see my submissions?
A: Only users with access to your workspace. TopFormBuilder staff cannot access your data unless you grant support access for troubleshooting.

Q: How long is data retained?
A: Submissions are retained until you delete them. Logs are retained 30-90 days depending on your plan.

Q: Can I delete all my data?
A: Yes, you can delete forms, submissions, or your entire account anytime. Data is permanently removed within 30 days.

Q: Is TopFormBuilder GDPR compliant?
A: Yes, we are fully GDPR compliant with data export, deletion, and consent management features.

Q: What happens if there’s a data breach?
A: We follow our incident response plan, notify affected users within 72 hours, and take immediate action to secure systems.

Q: Can I use TopFormBuilder for healthcare data?
A: Standard plans are not HIPAA compliant. Contact sales for HIPAA-compliant Enterprise solutions.

Q: Are forms protected from spam?
A: Yes, we offer reCAPTCHA, rate limiting, fingerprinting, and spam detection.

Q: Can I whitelist IPs for form access?
A: IP whitelisting is an Enterprise feature. Contact sales for details.

Q: How are API keys stored?
A: API keys are hashed using bcrypt and stored securely in an encrypted database.

Security Concerns? Contact [email protected]