Security Overview
How BizForms protects your data at every layer — infrastructure, encryption, access controls, and more.
Security is a first-class concern in BizForms, not an afterthought. This page explains the controls in place at every layer.
Infrastructure
BizForms is hosted on:
- Vercel Edge Network — global CDN for the application layer
- Supabase (PostgreSQL) — database, storage, and authentication
Encryption at rest: all data in Supabase is encrypted at rest using AES-256.
Encryption in transit: all connections use TLS 1.2 or higher. HSTS is enforced.
Database access controls
BizForms uses Supabase's Row-Level Security (RLS) — a Postgres-native feature that enforces data access policies at the database level, not just the application layer.
Every query is automatically scoped to the authenticated user's workspace memberships. It is architecturally impossible for one workspace's data to be read by another workspace's users, even if there were a bug in the application code.
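A sketch of the kind of policy this describes, as an added example and not BizForms' actual schema: the tables `workspace_members` and `responses` and their columns are hypothetical, while `auth.uid()` is Supabase's helper that returns the user id from the request's JWT and `authenticated` is Supabase's role for signed-in users.

```sql
-- Hypothetical schema for illustration; not BizForms' real tables.
create table workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null,
  primary key (workspace_id, user_id)
);

create table responses (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  payload      jsonb not null
);

-- Policies are only enforced once RLS is enabled on the table.
alter table workspace_members enable row level security;
alter table responses         enable row level security;

-- A user can read only their own membership rows.
create policy members_self on workspace_members
  for select to authenticated
  using (user_id = auth.uid());

-- Reads: a row is visible only if the caller belongs to its workspace.
create policy responses_select on responses
  for select to authenticated
  using (
    exists (
      select 1 from workspace_members m
      where m.workspace_id = responses.workspace_id
        and m.user_id = auth.uid()
    )
  );

-- Writes: WITH CHECK rejects a row tagged with a workspace
-- the caller is not a member of.
create policy responses_insert on responses
  for insert to authenticated
  with check (
    exists (
      select 1 from workspace_members m
      where m.workspace_id = responses.workspace_id
        and m.user_id = auth.uid()
    )
  );
```

Policies like these do not apply to roles with `BYPASSRLS` (Supabase's `service_role` key is one) or to the table owner unless `FORCE ROW LEVEL SECURITY` is set, so server-side code running under those roles needs its own workspace checks.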
Authentication
User authentication is handled by Supabase Auth. Passwords are hashed using bcrypt. Session tokens are short-lived JWTs stored in secure HTTP-only cookies.
Application security
- All user inputs are validated server-side with Zod before being written to the database
- File uploads are scanned for common malicious file signatures
- Rate limiting is applied to all public endpoints (form submissions, auth routes)
- CSRF protection is applied to all state-changing requests
End-to-end encryption
For the highest level of response data security, BizForms offers Storage Mode — a client-side encryption system where responses are encrypted in the respondent's browser before transmission. See Storage Mode for full details.
Vulnerability disclosure
If you discover a security issue, please email security@bizforms.io. We acknowledge reports within 24 hours and aim to patch critical issues within 72 hours. We do not currently operate a formal bug bounty programme but we treat responsible disclosures with respect and gratitude.
Penetration testing
BizForms undergoes periodic security reviews. Contact us at security@bizforms.io if you require security documentation for your vendor assessment process.