Security & audit

• Email + password with optional 2FA.
• SSO via SAML and OIDC on the Enterprise plan.
• SCIM 2.0 provisioning for just-in-time user creation.
• API keys for server-to-server access, scoped per workspace.

• TLS 1.3 for all traffic, enforced with HSTS.
• AES-256 at rest for the primary database and object storage.
• Customer-managed keys via KMS on the Enterprise plan (AWS, GCP, Azure).

Every security-relevant action — login, key creation, form publish, role change — is recorded. The audit log is searchable in the UI and exportable via the API.

• Immutable, append-only storage.
• Per-entry diff of what changed.
• IP, user agent, and auth method captured.

SOC 2 Type II (annually renewed), GDPR ready with a DPA, HIPAA BAA available on request, and ISO 27001 (in progress). Region pinning — us, eu, ap — is available for enterprise deployments.