Security at AntForms
We treat your form data the way we'd want our own treated. This page is the short version of how we run the service. For procurement-grade questions, email security@antforms.com.
Hosting and infrastructure
AntForms runs on managed cloud infrastructure with hardened defaults: isolated network perimeters, least-privilege IAM, and audit logging on the control plane. Production systems are accessible only through SSO with hardware-backed second factors.
Customer data is stored in either the European Union or the United States, depending on the region selected for the AntForms account. EU customer data does not leave the EU without a documented transfer mechanism (Standard Contractual Clauses).
Encryption
- In transit: TLS 1.2+ enforced on every public endpoint. HSTS preloaded on antforms.com.
- At rest: AES-256 server-side encryption on object storage and managed databases.
- Secrets: stored in a managed secrets vault, never committed to source control.
Authentication and access control
- Passwords are hashed with a deliberately slow, salted password-hashing algorithm (bcrypt with a cost factor of 12 or higher, or the memory-hard argon2id where supported). We never store plaintext passwords.
- Two-factor authentication (TOTP) is available on every account.
- Sessions expire after a period of inactivity and can be revoked from the account settings.
- Internal access to production data is gated by SSO + role-based access control and is logged.
Backups and recovery
Production databases are backed up at least daily and retained for 30 days. Backups are encrypted with the same key management as primary storage. We test recovery procedures on a regular schedule.
Sub-processors
AntForms uses a small set of vetted sub-processors to operate the service:
- Cloud hosting: production application and database hosting.
- Email delivery: transactional email (account verification, notifications).
- Analytics: Google Analytics 4 (anonymized) for marketing-site traffic only.
- AI assist: a third-party LLM provider used to generate forms from a prompt. Prompts and form text are sent at request time; we do not send respondent data to the LLM.
The full, current sub-processor list (with provider names and regions) is available in our Privacy Policy.
Incident response
If we discover a security incident that affects your data, we will notify you without undue delay and within 72 hours of becoming aware, in line with GDPR Article 33. Notifications include what happened, what data was involved, and what we're doing about it.
Found something? Email security@antforms.com. We respond to every report and do not pursue legal action against good-faith researchers who follow our responsible disclosure guidelines (no data exfiltration, no service disruption, and reasonable time for us to fix the issue before disclosure).
Compliance
- GDPR: we are a data processor for our customers' form data. EU SCCs are in place for any cross-border transfers. A Data Processing Agreement is available on request.
- SOC 2 Type I: preparation in progress. We are not currently SOC 2 attested.
- HIPAA: AntForms is not currently a HIPAA Business Associate. Do not use AntForms to collect PHI.
Reporting and contact
Security: security@antforms.com
Privacy: privacy@antforms.com
Machine-readable contact: /.well-known/security.txt
Last updated: April 27, 2026