Security

Storage Mode (E2E Encryption)

How end-to-end encrypted form responses work in BizForms, and how to enable it on your form.

Open in app

Storage Mode is BizForms' end-to-end encryption feature. When enabled, form responses are encrypted in the respondent's browser before they are transmitted — meaning the ciphertext (encrypted data) is all that reaches BizForms' servers. Not even BizForms can read the contents.

Available on: Pro and Business plans.

How it works

Storage Mode uses asymmetric (public-key) cryptography — specifically, the libsodium box primitive (X25519-XSalsa20-Poly1305):

  1. Key generation: When you enable Storage Mode for a form, a cryptographic key pair is generated in your browser — a public key and a private key.
  2. Key storage: The public key is uploaded to BizForms' servers. The private key is downloaded to your device and never transmitted to BizForms.
  3. Encryption: When a respondent submits the form, each response is encrypted using your public key in their browser, before it leaves their device.
  4. Storage: BizForms stores the encrypted ciphertext. The data is unreadable without your private key.
  5. Decryption: When you want to read responses, you load your private key in the BizForms UI. Decryption happens entirely in your browser — the private key is never sent to the server.

Enabling Storage Mode

  1. Open your form and go to Settings → Security → Storage Mode
  2. Click Enable Storage Mode
  3. BizForms generates your key pair in the browser
  4. Download your private key — a .key file is saved to your computer
  5. Click I've saved my private key to confirm and enable the mode

⚠️ Critical: If you lose your private key, your encrypted responses are permanently unrecoverable. BizForms cannot decrypt them for you. Store your private key in a secure location (password manager, secure cloud storage, encrypted USB drive).

Reading encrypted responses

  1. Open the Responses tab for a Storage Mode form
  2. Click Unlock responses
  3. Upload your private key file or paste the key string
  4. Responses are decrypted in your browser and displayed in the table

The private key is held in memory only for the duration of your session. It is not persisted to the browser or server.

Exporting encrypted data

CSV and JSON exports from Storage Mode forms contain encrypted ciphertext by default. To export decrypted data, unlock responses first (as above), then export.

Key rotation

If you believe your private key has been compromised, go to Settings → Security → Storage Mode → Rotate keys. This generates a new key pair. Existing responses cannot be re-encrypted with the new key — they must be decrypted with the old key first, then re-imported if needed. New responses will use the new key.

Limitations

  • Storage Mode forms cannot use webhook delivery (the payload would be encrypted ciphertext)
  • AI response summarisation is not available for encrypted responses
  • File uploads are not end-to-end encrypted (files are stored encrypted at rest using AES-256, but BizForms can access them)
PreviousSecurity OverviewNext Managing Your Encryption Key

Something unclear? Let us know.