Your data security is not a feature — it's the foundation
AES-256-GCM encryption at rest, SSL/TLS in transit, GDPR compliance, SOC 2 readiness, and your choice of EU or US hosting. Here's exactly how Spiceform protects your data.
Encryption
- Data at rest: AES-256-GCM encryption — the same standard used by banks, governments, and healthcare systems.
- Data in transit: TLS 1.2+ encryption on all connections. Every form submission, API call, and file upload is encrypted end-to-end.
- File uploads: All uploaded files are encrypted with AES-256-GCM before storage. Access is restricted to authorized account holders.
Compliance
- GDPR: Full compliance with the EU General Data Protection Regulation. Data processing agreements (DPAs) available. Built-in consent management, data export, and right-to-deletion capabilities.
- SOC 2: Infrastructure and processes aligned with SOC 2 Trust Service Criteria for security, availability, and confidentiality. Formal certification in progress.
- CCPA: Support for California Consumer Privacy Act requirements, including data access requests and deletion.
Data Hosting
- Hosting regions: Choose between EU (European Union) and US (United States) data hosting regions at account creation.
- Data residency: Your data stays in your selected region. No cross-region transfers without explicit consent.
- Infrastructure: Hosted on enterprise-grade cloud infrastructure with a 99.9%+ uptime SLA.
Access & Authentication
- Authentication: Secure email/password authentication with strong password requirements.
- Session management: Automatic session expiration and secure token-based authentication.
- Team access controls: Role-based permissions for team members. Account owners control who can access forms, responses, and settings.
Data Handling
- Backups: Automated daily backups with encrypted storage. Point-in-time recovery available.
- Data export: Export all your data (forms, responses, contacts) at any time in standard formats (CSV, JSON).
- Data deletion: Delete individual responses, entire forms, or your complete account data. Deletion is permanent and irreversible.
- Data retention: You control how long data is retained. No data is kept after account deletion beyond the standard backup rotation period.
Frequently Asked Questions
Common questions about Spiceform security and compliance.
Yes. Spiceform is fully GDPR compliant. We offer data processing agreements (DPAs), built-in consent management fields, data export capabilities, and right-to-deletion functionality. You can choose EU hosting to ensure data residency within the European Union.
Spiceform uses enterprise-grade security (AES-256-GCM encryption, SOC 2 readiness, EU/US hosting), but we do not currently hold HIPAA certification or offer signed Business Associate Agreements (BAAs). Healthcare providers handling Protected Health Information (PHI) should evaluate whether our security measures meet their specific compliance requirements.
You choose your data hosting region (EU or US) during account creation. Your data remains in your selected region with no cross-region transfers. All data is encrypted at rest with AES-256-GCM and in transit with TLS 1.2+.
Yes. You can export all forms, responses, and contacts at any time in CSV or JSON format. You can delete individual responses, entire forms, or request complete account data deletion. Deletion is permanent and irreversible.
Your data remains accessible and exportable during your billing period. After cancellation, your account is downgraded to the free Mild plan. You can continue accessing your data on the free plan or export and delete it at any time.