Security
We implement technical and organizational measures to protect your data and our platform. This page gives a high-level overview. Details are in our Privacy Policy and Data Processing Agreement.
Encryption
Data is encrypted in transit using HTTPS/TLS between your device and our servers. Stored message content (form submissions and replies) and other sensitive data are encrypted at rest. Backups are encrypted. We do not store raw message content in application logs.
Tenant isolation
Customer data is logically segregated. Access to forms, conversations, and messages is scoped to the authenticated user so that one customer cannot access another customer's data.
Token security
Reply links for form submitters and data subject request links are secured via time-limited cryptographic tokens. Tokens are single-use or invalidated after use where applicable. Rate limiting is applied on sensitive endpoints (e.g. reply submission, data request) to reduce abuse and brute-force risk.
Access control and audit
Access to personal data is restricted to authorized personnel who need it for their role. We apply access controls, authentication protections, and audit logging where appropriate. We follow secure development practices.
Incident response
In the event of a personal data breach, we will notify affected customers and, where we act as processor, the relevant controller without undue delay and, where feasible, within 72 hours of becoming aware, in line with GDPR Article 33.
Availability
We target 99.9% uptime for our production services. Real-time system status and historical uptime data are available on our status page. Planned maintenance windows are communicated in advance and scheduled during low-traffic periods to minimize disruption.
For questions about security, contact us via our contact page.