Choosing a form builder seems simple. They all collect form submissions, right?
But when it comes to security, form builders vary dramatically. Some treat your data like Fort Knox. Others… not so much.
Here are the questions you should ask before trusting a service with your users’ data.
1. “Where is encryption applied?”
What you want to hear: “Data is encrypted in the user’s browser before transmission.”
Red flag: “We encrypt data at rest in our database.”
Why it matters: Server-side encryption means the provider can access your data. Client-side encryption means they literally cannot—they only store encrypted blobs.
2. “Who holds the encryption keys?”
What you want to hear: “You generate and control your own keys. We never have access to your private key.”
Red flag: “We manage encryption keys on your behalf.”
Why it matters: If the provider holds the keys, they can decrypt your data. So can hackers who breach their systems, or governments who compel them.
3. “What user tracking do you do?”
What you want to hear: “We don’t track users. No cookies, no fingerprinting, no IP logging.”
Red flag: “We collect analytics to improve our service” (without specifics).
Why it matters: Tracking creates privacy risks and compliance headaches. Many form builders track users extensively for their own analytics and advertising.
4. “Can your employees access my form data?”
What you want to hear: “No. Data is encrypted with your keys, so it’s impossible for our team to read submissions.”
Red flag: “Access is limited to authorized personnel.”
Why it matters: Even “authorized” access creates insider threat risks. True security means technical controls, not just policies.
5. “What happens if you’re breached?”
What you want to hear: “Attackers would only get encrypted data they cannot decrypt without your private key.”
Red flag: “We have strong security measures to prevent breaches.”
Why it matters: Every company says they have strong security. The question is what happens when those measures fail—because eventually, they might.
6. “How do you handle data deletion?”
What you want to hear: “Permanent deletion on request, with automatic retention policies available.”
Red flag: “Data is removed from active systems but may persist in backups.”
Why it matters: GDPR and other regulations require actual deletion, not just removing data from the UI.
7. “Do you share data with third parties?”
What you want to hear: “Never. Your data stays on our infrastructure, encrypted with your keys.”
Red flag: “We use third-party services for analytics/processing.”
Why it matters: Every third party that touches your data is another potential breach point.
8. “What compliance certifications do you have?”
What you want to hear: SOC 2 Type II, ISO 27001, HIPAA BAA (if needed), GDPR compliance documentation.
Red flag: “We follow industry best practices” (without specifics).
Why it matters: Certifications require independent audits. “Best practices” is just marketing.
9. “Is your security architecture documented?”
What you want to hear: Detailed technical documentation explaining encryption methods, key management, data flows.
Red flag: Vague descriptions or “proprietary security measures.”
Why it matters: Security through obscurity isn’t security. Legitimate security can be explained openly.
10. “What happens to my data if I leave?”
What you want to hear: “Full data export in standard format, followed by complete deletion.”
Red flag: “Data is retained for X months after account closure.”
Why it matters: Your data should be portable and deletable.
Comparison: Common Form Builders
| Question | Traditional Builders | VeilForms |
|---|---|---|
| Encryption location | Server-side | Client-side (browser) |
| Key ownership | Provider | You |
| User tracking | Yes (analytics, ads) | None |
| Employee access | Possible | Impossible |
| Breach impact | Full data exposure | Encrypted blobs only |
| Data deletion | Varies | Immediate + automatic |
| Third-party sharing | Often | Never |
The Bottom Line
Form data is sensitive. Email addresses, phone numbers, messages, health information, financial details—it all passes through forms.
Before choosing a form builder, ask these questions. The answers reveal whether a service treats security as a core principle or an afterthought.
Most importantly: Who can access your data?
With client-side encryption, the answer is simple: only you.
Want to see how VeilForms handles security? Check our Features page or try a live demo.