
# Security & Privacy

> TopFormBuilder takes security seriously. Learn about our security features, privacy protection, and best practices to keep your data safe.

## Security Features

### Password Protection

Protect your forms with passwords so only authorized users can access them.

**How it Works:**

1. Enable password protection in Form Settings
2. Set custom password
3. Users must enter password before viewing form
4. Wrong password = access denied

**Use Cases:**

* Internal surveys
* Employee feedback forms
* Confidential applications
* Private event registrations
* Client-specific forms

**Setup:**

```
Form Builder → Settings → Security → Password Protection
→ Toggle ON
→ Enter password
→ Save
```

**Password Requirements:**

* Minimum 6 characters
* No maximum length
* Case-sensitive
* Can include special characters

**Best Practices:**

* Use strong passwords (mix of letters, numbers, symbols)
* Don't share password publicly
* Change password periodically
* Use different passwords for different forms
* Share password securely (not in email subject)

### reCAPTCHA v2 Protection

Block spam and bot submissions with Google reCAPTCHA.

**How it Works:**

1. Enable reCAPTCHA in Form Settings
2. Users see "I'm not a robot" checkbox
3. Suspicious users get image challenge
4. Bots blocked automatically

**Setup:**

```
Form Builder → Settings → Security → reCAPTCHA
→ Toggle ON
→ Save
```

**Configuration:** Site admin configures reCAPTCHA keys in system settings.

**When to Use:**

* ✅ Public forms (high spam risk)
* ✅ Contact forms
* ✅ Registration forms
* ✅ Newsletter signups
* ❌ Internal/password-protected forms (not needed)
* ❌ Very short forms (may reduce conversions)

**Impact on Conversions:**

* May slightly reduce completion rate (1-3%)
* Protects from spam (worth the tradeoff)
* Legitimate users pass easily

### Form Closing

Automatically close forms after a deadline or submission limit.

**Close by Date:**

```
Form Builder → Settings → Closing → Set Closing Date
→ Select date and time
→ Choose timezone
→ Save
```

**What Happens:**

* Form accessible until closing date
* After deadline: Shows "Form Closed" message
* New submissions blocked
* Existing submissions preserved
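The closing-date procedure above, worked through as an added example (this is illustrative code, not TopFormBuilder's own implementation). It shows the one step that goes wrong most often, the timezone: the date and time the owner picks are combined with the chosen zone and normalised to UTC before any comparison, and naive timestamps are refused rather than silently compared. The `offset_tz`, `parse_utc`, `closing_instant`, `is_form_open` and `handle_submission` names are assumptions made for this example; the only strings taken from the page are the "Form Closed" message and the rule that existing submissions are preserved.

```python
from __future__ import annotations

from datetime import datetime, timedelta, timezone, tzinfo

FORM_CLOSED_MESSAGE = "Form Closed"


def offset_tz(hours: float) -> tzinfo:
    """Fixed-offset zone, used here so the example runs without tzdata.
    For a real form use zoneinfo.ZoneInfo(<IANA name>) so DST is applied."""
    return timezone(timedelta(hours=hours))


def parse_utc(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp; treat it as UTC if it carries no offset."""
    dt = datetime.fromisoformat(iso)
    return dt.replace(tzinfo=timezone.utc) if dt.tzinfo is None else dt.astimezone(timezone.utc)


def closing_instant(date_str: str, time_str: str, tz: tzinfo) -> datetime:
    """Combine the date, time and timezone chosen in Form Settings into one
    timezone-aware closing instant, normalised to UTC for storage and comparison."""
    local = datetime.fromisoformat(f"{date_str}T{time_str}").replace(tzinfo=tz)
    return local.astimezone(timezone.utc)


def is_form_open(closes_at_utc: datetime, now: datetime | None = None) -> bool:
    """True while 'now' is strictly before the closing instant. Naive datetimes
    are refused: comparing a naive 'now' with an aware deadline either raises or,
    if both are naive, shifts the deadline by the server's UTC offset unnoticed."""
    if now is None:
        now = datetime.now(timezone.utc)
    if now.tzinfo is None or closes_at_utc.tzinfo is None:
        raise ValueError("deadline and current time must both be timezone-aware")
    return now < closes_at_utc


def handle_submission(store: list, closes_at_utc: datetime, payload: dict, now: datetime) -> dict:
    """Gate one submission on the deadline. Entries already in 'store' are never
    touched, matching the page's 'existing submissions preserved' behaviour."""
    if not is_form_open(closes_at_utc, now):
        return {"accepted": False, "message": FORM_CLOSED_MESSAGE}
    store.append(payload)
    return {"accepted": True, "message": None}


if __name__ == "__main__":
    # Constructed input: owner picked 30 June 2024, 17:00, US Eastern (UTC-4 in summer).
    deadline = closing_instant("2024-06-30", "17:00", offset_tz(-4))
    print(deadline.isoformat())  # 2024-06-30T21:00:00+00:00
    submissions: list = []
    print(handle_submission(submissions, deadline, {"name": "early"}, parse_utc("2024-06-30T20:59:00")))
    print(handle_submission(submissions, deadline, {"name": "late"}, parse_utc("2024-06-30T21:00:00")))
```

Storing the deadline as a UTC instant rather than as the owner's wall-clock string is the design choice that matters: the comparison is then independent of the server's local zone, and a deadline entered in one zone reads correctly from any other.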

**Use Cases:**

* Event registration deadlines
* Application periods
* Limited-time surveys
* Seasonal campaigns

**Close by Submission Limit:** *Note: Currently not available, planned feature*

### Spam Protection

Advanced spam detection and rate limiting.

**Fingerprinting:**

* Tracks device fingerprints
* Blocks repeated spam submissions
* Rate limits per device

**Rate Limiting:**

* Default: 5 submissions per hour per device
* Configurable per form
* Prevents submission flooding
* Protects database from abuse

**Blocked Submissions:** Users see: "Too many submissions. Please try again later."

**Configuration:**

```
Form Settings → Advanced → Spam Protection
→ Max submissions per hour: 5
→ Time window: 60 minutes
```

**What's Tracked:**

* Device fingerprint (browser + system info)
* IP address (not stored long-term)
* Submission frequency
* Suspicious patterns

**Privacy:**

* No personal data in fingerprint
* Hashed for privacy
* Used only for spam detection
* Not shared with third parties
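The Fingerprinting, Rate Limiting and Privacy passages above describe one mechanism: a hashed device fingerprint used as the key for a per-device, per-form submission limit. The following is an added example of that mechanism, written for this page rather than taken from TopFormBuilder; the attribute set fed into the fingerprint, the keyed SHA-256 digest, and the `device_fingerprint` and `SubmissionRateLimiter` names are assumptions. The defaults (5 submissions per hour, 60-minute window) and the "Too many submissions" message come from the page.

```python
from __future__ import annotations

import hashlib
import hmac
from collections import defaultdict, deque

# Defaults quoted on the page: 5 submissions per hour per device.
DEFAULT_MAX_SUBMISSIONS = 5
DEFAULT_WINDOW_SECONDS = 60 * 60
BLOCKED_MESSAGE = "Too many submissions. Please try again later."


def device_fingerprint(attributes: dict[str, str], secret: bytes) -> str:
    """Reduce browser/system attributes to a keyed SHA-256 digest.
    Keying with a server-side secret (an assumption of this example) means the
    stored value cannot be reversed and cannot be matched against fingerprints
    computed by anyone without the secret; the raw attributes are never stored."""
    canonical = "\n".join(f"{k}={attributes[k]}" for k in sorted(attributes))
    return hmac.new(secret, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


class SubmissionRateLimiter:
    """Sliding-window limiter keyed by (form, fingerprint), with an optional
    per-form override of the global default."""

    def __init__(self, max_submissions: int = DEFAULT_MAX_SUBMISSIONS,
                 window_seconds: int = DEFAULT_WINDOW_SECONDS) -> None:
        self.default = (max_submissions, window_seconds)
        self.per_form: dict[str, tuple[int, int]] = {}
        # (form_id, fingerprint) -> timestamps of submissions that were accepted
        self._accepted: dict[tuple[str, str], deque[float]] = defaultdict(deque)

    def configure_form(self, form_id: str, max_submissions: int, window_seconds: int) -> None:
        """Per-form setting, as in Form Settings -> Advanced -> Spam Protection."""
        self.per_form[form_id] = (max_submissions, window_seconds)

    def check(self, form_id: str, fingerprint: str, now: float) -> tuple[bool, str | None]:
        """Return (accepted, message). Only accepted submissions are recorded, so a
        device that is already blocked cannot extend its own block by retrying."""
        max_subs, window = self.per_form.get(form_id, self.default)
        history = self._accepted[(form_id, fingerprint)]
        # Drop timestamps that have aged out of the sliding window.
        while history and now - history[0] >= window:
            history.popleft()
        if len(history) >= max_subs:
            return False, BLOCKED_MESSAGE
        history.append(now)
        return True, None


if __name__ == "__main__":
    # Constructed sample input: one browser submitting the same form repeatedly.
    secret = b"constructed-example-secret"
    fp = device_fingerprint({"user_agent": "Mozilla/5.0 (X11; Linux x86_64)",
                             "accept_language": "en-US", "screen": "1920x1080"}, secret)
    limiter = SubmissionRateLimiter()
    for t in range(7):
        print(t, limiter.check("contact-form", fp, float(t)))
```

Keying the limiter by form as well as by device keeps one noisy form from locking a device out of every other form in the workspace, and the fixed-size deque bounds memory per device at the configured maximum. An in-memory store is enough to show the logic; a multi-node deployment would keep the same deque per key in a shared store.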

## Data Privacy

### Data Encryption

**In Transit:**

* All data encrypted with SSL/TLS
* HTTPS enforced on all pages
* API requests encrypted
* Webhook payloads encrypted

**At Rest:**

* Database encrypted at rest
* Backups encrypted
* File uploads encrypted
* API keys hashed

### Data Storage

**Submission Data:**

* Stored in secure database
* Encrypted at rest
* Regular backups
* Geo-redundant storage

**File Uploads:**

* Stored in encrypted cloud storage
* Virus scanning
* Size limits enforced
* Temporary files cleaned up

**Retention:**

* Submissions: Kept until you delete
* Logs: 30-90 days depending on plan
* Deleted data: Permanently removed within 30 days
* Backups: 90 days

### GDPR Compliance

TopFormBuilder is GDPR compliant.

**User Rights:**

* **Right to Access** - Export your data anytime
* **Right to Deletion** - Delete data on request
* **Right to Rectification** - Update incorrect data
* **Right to Portability** - Download data in standard format
* **Right to Object** - Stop processing on request

**How to Exercise Rights:**

1. Go to Account Settings → Privacy
2. Select action (export, delete, etc.)
3. Confirm request
4. Process completed within 30 days

**Data Processing:**

* Only necessary data collected
* No unnecessary tracking
* No selling of data
* No third-party data sharing (except integrations you configure)
* Clear privacy policy

**Consent Management:**

* Legal field type for consent
* Checkbox with custom text
* Required for submission
* Audit trail maintained

### Data Access Control

**Workspace Level:**

* Owner has full access
* Admins have most access
* Members have limited access
* Configurable per workspace

**Organization Level:**

* Organization-wide access model
* Workspace-specific access model
* Controlled by organization owner

**Form Level:**

* Password protection
* Custom domain isolation
* White labeling
* Access logs

### Privacy Policy & Terms

**Display in Forms:**

* Add legal/statement field
* Link to privacy policy
* Link to terms of service
* Required checkbox for consent

**Example:**

```
Legal Field:
☑ I agree to the [Privacy Policy](https://company.com/privacy)
   and [Terms of Service](https://company.com/terms)
```

**Best Practice:** Always include privacy policy link in forms collecting personal data.

## Security Best Practices

### Account Security

**Password Best Practices:**

* Use strong, unique passwords
* Enable password manager
* Don't share account credentials
* Change password if compromised

**OAuth Security:**

* Use Google OAuth for easier login
* Revoke access if suspicious activity
* Review connected apps regularly
* Use work email (not personal)

**Session Management:**

* Sessions expire after inactivity
* Logout from all devices option
* Active sessions visible in settings

### Form Security

**Do:**

* Enable reCAPTCHA on public forms
* Use password protection for sensitive forms
* Set form closing dates when appropriate
* Monitor submissions for spam patterns
* Use HTTPS custom domains
* Enable email verification

**Don't:**

* Share form passwords publicly
* Disable reCAPTCHA on high-traffic forms
* Collect unnecessary personal data
* Use weak passwords
* Ignore spam submissions
* Share admin access freely

### Data Handling

**Collecting Data:**

* Only collect necessary information
* Mark sensitive fields clearly
* Don't collect SSN, credit cards, or passwords
* Use appropriate field types
* Add privacy disclaimers

**Storing Data:**

* Review submissions regularly
* Delete old/unnecessary data
* Export important data for backup
* Clean up test submissions

**Sharing Data:**

* Use secure methods to share submissions
* Don't email sensitive data unencrypted
* Use workspace permissions appropriately
* Revoke access when no longer needed

### Integration Security

**API Keys:**

* Store securely (not in public repos)
* Rotate regularly
* Revoke if compromised
* Use separate keys per integration

**Webhooks:**

* Verify webhook signatures
* Use HTTPS endpoints only
* Whitelist TopFormBuilder IPs
* Monitor webhook logs
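The four webhook points above (verify signatures, HTTPS only, allow-list sender IPs, log the outcome), as an added example on the receiving side. This is illustrative code written for this page, not TopFormBuilder's webhook implementation: the page does not state the product's signing scheme, so the header names, the HMAC-SHA256 over `timestamp.body`, the five-minute replay tolerance and the `203.0.113.0/24` allow-list entry (an RFC 5737 documentation range standing in for the vendor's published addresses) are all assumptions and should be replaced with the values from the product's own webhook documentation.

```python
from __future__ import annotations

import hashlib
import hmac
import ipaddress
import time
from urllib.parse import urlsplit

# Assumed header names and signing format; substitute the documented ones.
SIGNATURE_HEADER = "X-Webhook-Signature"
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
REPLAY_TOLERANCE_SECONDS = 300

# Placeholder allow-list (RFC 5737 documentation range); replace with the
# sender ranges the vendor publishes.
SENDER_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over 'timestamp.body', hex encoded. Included so the verifier
    can be exercised locally; the real sender's algorithm may differ."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def verify_webhook(headers: dict[str, str], body: bytes, secret: bytes,
                   now: float | None = None) -> tuple[bool, str]:
    """Return (ok, reason). The reason string is what belongs in the webhook log."""
    now = time.time() if now is None else now
    ts_raw = headers.get(TIMESTAMP_HEADER)
    sig = headers.get(SIGNATURE_HEADER)
    if ts_raw is None or sig is None:
        return False, "missing signature headers"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "malformed timestamp"
    # Binding the timestamp into the signed material and bounding its age limits
    # how long a captured delivery can be replayed.
    if abs(now - ts) > REPLAY_TOLERANCE_SECONDS:
        return False, "timestamp outside tolerance"
    sig = sig.strip().lower()
    if len(sig) != 64 or any(c not in "0123456789abcdef" for c in sig):
        return False, "malformed signature"
    expected = sign_payload(secret, ts, body)
    # Constant-time comparison: a plain == leaks how many leading bytes matched.
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch"
    return True, "ok"


def endpoint_is_acceptable(url: str) -> bool:
    """Only register HTTPS endpoints with a host, per the page's guidance."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.hostname)


def source_is_allowed(remote_ip: str, allowlist=SENDER_ALLOWLIST) -> bool:
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def handle_delivery(remote_ip: str, headers: dict[str, str], body: bytes,
                    secret: bytes, now: float | None = None) -> tuple[bool, str]:
    """Allow-list check first (cheap, no secret involved), then the signature."""
    if not source_is_allowed(remote_ip):
        return False, "source not in allow-list"
    return verify_webhook(headers, body, secret, now)


if __name__ == "__main__":
    # Constructed delivery: a signed body from an allow-listed address.
    secret = b"constructed-webhook-secret"
    body = b'{"form_id":"contact","submission_id":"s-1"}'
    ts = 1_700_000_000
    headers = {TIMESTAMP_HEADER: str(ts), SIGNATURE_HEADER: sign_payload(secret, ts, body)}
    print(handle_delivery("203.0.113.10", headers, body, secret, now=ts + 5))
    print(handle_delivery("203.0.113.10", headers, body + b" ", secret, now=ts + 5))
```

Verify the signature over the raw request bytes, before any JSON parsing or re-serialisation, since a re-encoded body will not match what the sender signed. Every `False` reason is worth logging with the source address; a run of "signature mismatch" or "source not in allow-list" entries is the pattern to alert on.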

**OAuth:**

* Use workspace accounts (not personal)
* Review permissions requested
* Revoke unused integrations
* Re-authorize if suspicious activity

## Compliance Features

### GDPR

**Features:**

* Data export (JSON, CSV)
* Right to deletion
* Consent management
* Data processing agreements
* Privacy by design
* Breach notification (within 72 hours)

**Form Fields:**

* Legal/consent field type
* Checkbox for privacy policy acceptance
* Required field validation
* Audit trail of consents

### CCPA (California Consumer Privacy Act)

**Features:**

* Do Not Sell option
* Data access requests
* Data deletion requests
* Opt-out mechanisms

### Data Residency

**Server Locations:**

* Data stored in secure data centers
* Backup locations disclosed
* Enterprise: Choose data region (optional)

**Cross-Border Data:**

* Standard contractual clauses
* Privacy Shield compliance (where applicable)
* GDPR-compliant data processing

## Reporting Security Issues

### Found a Vulnerability?

Please report security issues responsibly.

**How to Report:**

1. **Email:** [security@topformbuilder.com](mailto:security@topformbuilder.com)
2. **Include:**
   * Detailed description
   * Steps to reproduce
   * Potential impact
   * Your contact information
3. **Do Not:**
   * Exploit the vulnerability
   * Share publicly before fix
   * Access other users' data

**Response Time:**

* Acknowledgment: Within 24 hours
* Investigation: Within 7 days
* Fix timeline: Depends on severity
* Public disclosure: After fix deployed

**Rewards:**

* Critical vulnerabilities: Recognition + bounty (case-by-case)
* Hall of Fame: Security researchers credited

### Security Updates

**How We Communicate:**

* Email notifications for critical issues
* Changelog for security patches
* Status page for incidents
* Blog posts for major updates

**Update Policy:**

* Critical patches: Immediate deployment
* High priority: Within 48 hours
* Medium priority: Within 2 weeks
* Low priority: Next release cycle

## Security Checklist

### For Form Owners

**Before Publishing:**

* Enable reCAPTCHA if public form
* Set password protection if needed
* Add privacy policy link
* Test submission process
* Configure notifications
* Review form permissions
* Check custom domain SSL

**Regular Maintenance:**

* Review submissions for spam
* Update passwords quarterly
* Check integration security
* Review workspace members
* Export data backups
* Delete old test forms
* Monitor activity logs

### For Workspace Admins

**Setup:**

* Configure strong password policy
* Enable SSO if available (Enterprise)
* Set up MFA (if available)
* Define workspace permissions
* Configure SMTP securely
* Set up integrations carefully

**Ongoing:**

* Audit user access quarterly
* Review activity logs monthly
* Update API keys annually
* Monitor security alerts
* Train team on security practices
* Document security procedures

## Certifications & Standards

**Security Standards:**

* SOC 2 Type II (in progress)
* GDPR Compliant
* CCPA Compliant
* HTTPS/SSL Encrypted
* Data encryption at rest

**Infrastructure:**

* AWS/Cloud hosting
* DDoS protection
* Firewall protection
* Regular security audits
* Penetration testing (annual)

**Third-Party Services:**

* Stripe for payments (PCI DSS compliant)
* Google reCAPTCHA
* Let's Encrypt SSL certificates
* Cloudflare CDN

## Incident Response

### In Case of Breach

**Our Response:**

1. **Detect** - 24/7 monitoring
2. **Contain** - Immediate isolation
3. **Investigate** - Root cause analysis
4. **Notify** - Affected users within 72 hours
5. **Remediate** - Fix vulnerability
6. **Review** - Prevent recurrence

**Your Actions:**

1. **Change Password** - Immediately
2. **Review Activity** - Check access logs
3. **Revoke Sessions** - Logout all devices
4. **Update API Keys** - If compromised
5. **Monitor** - Watch for suspicious activity
6. **Contact Support** - Report concerns

### Status Page

Check system status and incidents:

```
https://status.topformbuilder.com
```

**Subscribe to Alerts:**

* Email notifications
* SMS alerts (critical only)
* RSS feed
* Slack integration

## FAQs

**Q: Is my data encrypted?** A: Yes, all data is encrypted in transit (SSL/TLS) and at rest (AES-256).

**Q: Who can see my submissions?** A: Only users with access to your workspace. TopFormBuilder staff cannot access your data unless you grant support access for troubleshooting.

**Q: How long is data retained?** A: Submissions are retained until you delete them. Logs are retained 30-90 days depending on your plan.

**Q: Can I delete all my data?** A: Yes, you can delete forms, submissions, or your entire account anytime. Data is permanently removed within 30 days.

**Q: Is TopFormBuilder GDPR compliant?** A: Yes, we are fully GDPR compliant with data export, deletion, and consent management features.

**Q: What happens if there's a data breach?** A: We follow our incident response plan, notify affected users within 72 hours, and take immediate action to secure systems.

**Q: Can I use TopFormBuilder for healthcare data?** A: Standard plans are not HIPAA compliant. Contact sales for HIPAA-compliant Enterprise solutions.

**Q: Are forms protected from spam?** A: Yes, we offer reCAPTCHA, rate limiting, fingerprinting, and spam detection.

**Q: Can I whitelist IPs for form access?** A: IP whitelisting is an Enterprise feature. Contact sales for details.

**Q: How are API keys stored?** A: API keys are hashed using bcrypt and stored in an encrypted database.

[**Security Concerns? Contact contact@topformbuilder.com**](mailto:contact@topformbuilder.com)
