Security & Privacy

What if I lose my private key?

Your data becomes unrecoverable. This is the trade-off for true end-to-end encryption.

VeilForms uses client-side encryption where only you hold the private key. We intentionally cannot help you recover lost keys because that would mean we could also access your encrypted data.

Best practices:

We provide key export functionality in the dashboard to make secure backups easy.

Can VeilForms read my data?

No. We only see encrypted ciphertext.

When a user submits a form:

  1. Data is encrypted in their browser using your public key
  2. We receive and store only the encrypted blob
  3. We have no access to your private key
  4. We cannot decrypt the data, even if legally compelled to do so

This is mathematically guaranteed by RSA-2048 encryption. The only way to decrypt submissions is with your private key, which never leaves your device.

How does this compare to Typeform?

FeatureVeilFormsTypeform
Data encryptionClient-side (E2EE)Server-side only
Who can read dataOnly youTypeform + you
User trackingZero trackingExtensive analytics
Third-party cookiesNoneMultiple trackers
GDPR complianceBuilt-in PII detectionManual configuration
Data ownershipYou hold the keysThey hold the keys

When to use Typeform:

When to use VeilForms:

Is this open source?

The SDK is open source. The backend is not (yet).

Our JavaScript SDK is MIT licensed and available on GitHub. You can audit:

The backend infrastructure (storage, key management, dashboard) is currently proprietary, but we’re evaluating open-sourcing components as we mature.

Why this approach:

What happens if VeilForms shuts down?

You can still decrypt all your data.

Because you control the private keys, you’re not locked into our platform:

  1. Export your data: Download all encrypted submissions as JSON
  2. Decrypt locally: Use your private key to decrypt everything
  3. Self-host: Use our open-source SDK to decrypt submissions on your own infrastructure

We also provide:

Your data is yours, encrypted with your keys. We’re just the storage layer.

Has this been security audited?

Not yet, but it’s on the roadmap.

We’re currently:

Security roadmap:

In the meantime:

We take security seriously and welcome audits from the community.

Technical Questions

What encryption algorithms do you use?

RSA-2048 for key exchange, AES-256-GCM for data encryption.

The encryption flow:

  1. You generate an RSA-2048 keypair (public + private)
  2. Users’ browsers generate a random AES-256 key per submission
  3. Form data is encrypted with AES-256-GCM (authenticated encryption)
  4. The AES key is encrypted with your RSA public key
  5. We receive the encrypted AES key + encrypted data

This hybrid approach combines:

All implemented using the Web Crypto API and standard libraries.

Does VeilForms work with React/Vue/other frameworks?

Yes. It’s framework-agnostic.

The SDK is vanilla JavaScript that works everywhere:

// Vanilla JS
<form data-veilform="form-id">

// React
<form data-veilform={formId}>

// Vue
<form :data-veilform="formId">

// Next.js, Nuxt, Svelte, etc.

We also provide official React hooks and Vue composables for easier integration:

// React
import { useVeilForm } from '@veilforms/react';

// Vue
import { useVeilForm } from '@veilforms/vue';

Check the SDK documentation for framework-specific guides.

Can I decrypt submissions on my server?

Yes, using webhooks and the server-side SDK.

Setup:

  1. Configure a webhook URL in the VeilForms dashboard
  2. We POST encrypted submissions to your endpoint in real-time
  3. Use your private key to decrypt on your server
  4. Process, store, or forward the decrypted data

Example (Node.js):

const { VeilForms } = require('@veilforms/node');

app.post('/webhook', async (req, res) => {
  const submission = req.body;
  const decrypted = await VeilForms.decrypt(
    submission,
    yourPrivateKey
  );

  // Process decrypted data
  await saveToDatabase(decrypted);
  res.sendStatus(200);
});

This enables custom workflows while maintaining end-to-end encryption in transit.

How do you handle PII detection without reading the data?

PII detection happens client-side before encryption.

The process:

  1. User fills out the form in their browser
  2. Our SDK scans for PII patterns (emails, phones, SSNs, credit cards)
  3. PII is flagged and optionally stripped/masked
  4. Then everything is encrypted
  5. We receive encrypted data + metadata about PII detected (not the actual PII)

We never see the plaintext PII. The detection runs entirely in the user’s browser.

This gives you compliance metadata without compromising encryption:

{
  "encrypted_data": "...",
  "pii_detected": ["email", "phone"],
  "pii_locations": ["field_2", "field_5"]
}

Billing & Support

Do you offer refunds?

Yes. 30-day money-back guarantee, no questions asked.

Not satisfied? Email support@veilforms.com within 30 days for a full refund.

What’s included in the free tier?

Perfect for testing or low-volume use cases. See pricing for full details.

How do I get support?

Still have questions? Contact us or email hello@veilforms.com