Encryption

Form encryption is a standard option on every account, including Free. Turn it on when you build a form and each submission is encrypted in its entirety with AES-256-GCM (authenticated encryption), keyed by a password run through Argon2id, a modern memory-hard key derivation function. The password is either one you set for the form or a one-time passphrase issued at submission — in both cases it never reaches our servers in plaintext, so the data is unreadable to us at rest.

Higher tiers add public-key encryption built on X25519 keypairs: each submission is sealed to the form owner’s keys, and access for additional reviewers is granted by re-wrapping the data key to their keypair — never by sharing a password. Private keys are themselves wrapped with an Argon2id-derived key from the owner’s passphrase.

Protected Health Information may be collected only on the HIPAA tier and only after a Business Associate Agreement (BAA) is on file for your account or organization. Without an executed BAA you must not submit PHI through the Service, regardless of which encryption options are enabled.

Student education records may be collected only on the FERPA (education) tier and only after a Data Privacy Agreement (DPA) — the school-official agreement used for student-data protection — is on file. Without it you must not submit student education records through the Service.

Enabling encryption (on any tier) does not make us the steward, custodian, or reviewer of your content. You retain ownership of — and sole responsibility for — what you collect, the lawfulness of collecting it, and the consents you obtain from respondents and signers. Encryption also cuts both ways: we cannot access, decrypt, recover, or reset encrypted content. If every key-holder loses access, the data is permanently unrecoverable, and we have no ability and no obligation to recover it.

Your use of encryption and of the Service as a whole is governed by our Terms of Use (see in particular the sections on your content, encryption non-recovery, and regulated data) and our Privacy Policy. If you intend to handle PHI or student records, start with those, then put the BAA or DPA in place before collecting anything.