Security is the product.
You are trusting us with data that ranges from user feedback all the way to protected health information. We take that seriously — and publish how.
SOC 2 Type II: Current
GDPR: DPA available
HIPAA: BAA on request
ISO 27001: Audit in progress
CCPA: Compliant
CAIQ Lite: Published
How we protect data
Six principles we won't compromise on.
Encryption everywhere
TLS 1.3 in transit, AES-256 at rest. Customer-managed keys available on Enterprise.
Auditable by default
Every security-relevant action is logged with a full diff. Immutable, append-only, exportable.
Least privilege
Role-based access on every object. API keys scoped per workspace with IP allow-lists.
Data minimization
Only what you collect is stored. Submissions can be auto-expired on a per-form schedule.
Where it lives
US, EU, and AP regions. Data never leaves your pinned region — even for backups.
Continuous monitoring
Real-time security telemetry, automated dependency patching, and quarterly penetration tests.
Live
All systems normal.
90-day uptime across API, app, and webhook delivery. Public status page with historical incidents and post-mortems.
US: 99.99%
EU: 99.98%
AP: 99.99%
Resources
Documents your security team will ask for.
Found something concerning?
We run a responsible disclosure program. Email security@autoform.com or visit the contact page.