Security.
Formspring is the form backend other developers trust with their customer data. Here is how submissions, files, API tokens, and webhook deliveries are actually protected — without the marketing fog.
Application and object storage hosted in Germany; transactional mail delivered from an EU region.
Server-side encryption on uploaded files; per-form spam and captcha credentials encrypted at rest.
Mature, audited application baseline; managed services for queues, mail, storage, and billing.
How submissions are protected.
Every submission walks the same gauntlet — from the browser request to the inbox notification. Each step is independently auditable.
1. Ingest: CORS-allow-listed per form, honeypot rejection, optional hCaptcha challenge, hard payload size cap.
2. Spam screening: Custom rules → Akismet (BYO key) → optional AI moderation. Spam never triggers notifications or webhooks.
3. Persist: Submission stored in our primary database; uploaded files written to private object storage with server-side encryption.
4. Notify & forward: Notification emails go through our transactional mail provider; webhooks signed with HMAC-SHA256 over the raw body and retried with exponential back-off.
What customers control.
Defaults that are safe out of the box; overrides that scale with the team. Everything below is configurable per form, never hard-coded into a shared multi-tenant blob.
Allowed origins
Per-form allow list rejects browser submissions from unexpected domains at the edge.
BYO captcha & spam keys
hCaptcha and Akismet keys are stored encrypted and never proxied through a shared key.
Retention windows
Configure how long submissions are retained per form; expired submissions are purged with their attachments.
AI moderation toggle
Optional content classification with full opt-out and audit logging.
Webhook signing secrets
Rotate per-webhook secrets without dropping deliveries. Receivers verify in constant time.
Scoped API tokens
Personal-access tokens with explicit abilities; team-plan role-based access on top.
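Receiver-side verification of the webhook signing described above (HMAC-SHA256 over the raw body, constant-time comparison, secret rotation), as an added example rather than Formspring's own code. The hex encoding of the signature, how it reaches the receiver, and accepting the previous secret during a rotation window are assumptions; the secrets and body are constructed sample values.

```python
import hashlib
import hmac
import json
from typing import List

def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over the exact bytes sent (hex encoding is an assumption)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def verify_webhook(raw_body: bytes, signature: str, accepted_secrets: List[bytes]) -> bool:
    """True if the signature matches under any currently accepted secret.

    accepted_secrets holds the active secret plus, while a rotation is in
    progress, the previous one, so in-flight and retried deliveries still verify.
    """
    if not signature or not accepted_secrets:
        return False
    try:
        received = bytes.fromhex(signature.strip())
    except ValueError:
        return False  # malformed signature value
    ok = False
    for secret in accepted_secrets:
        expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
        # compare_digest is constant-time; every secret is checked (no early
        # exit) so timing does not reveal which one matched.
        ok |= hmac.compare_digest(expected, received)
    return ok

# Constructed sample values, not real credentials or a real payload.
OLD_SECRET = b"example-old-secret"
NEW_SECRET = b"example-new-secret"
RAW_BODY = b'{"form":"contact","email":"a@example.com"}'

def demo() -> dict:
    sig_old = sign(OLD_SECRET, RAW_BODY)
    # Parsing and re-serialising changes the bytes (spacing), so the MAC fails:
    # verify the body exactly as received, before any JSON decoding.
    reserialized = json.dumps(json.loads(RAW_BODY)).encode()
    return {
        "during_rotation": verify_webhook(RAW_BODY, sig_old, [NEW_SECRET, OLD_SECRET]),
        "after_rotation": verify_webhook(RAW_BODY, sig_old, [NEW_SECRET]),
        "reserialized_body": verify_webhook(reserialized, sig_old, [OLD_SECRET]),
        "tampered_body": verify_webhook(RAW_BODY + b" ", sig_old, [OLD_SECRET]),
        "malformed_signature": verify_webhook(RAW_BODY, "not-hex", [OLD_SECRET]),
    }

if __name__ == "__main__":
    print(demo())
```

Drop the old secret from the accepted list once deliveries signed with it have stopped arriving, including retries still in the back-off queue.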
Who else processes data.
Formspring runs on a small, audited list of providers. The list below is the short version; the legal disclosure has full contractual details.
| Name | Purpose | Region |
|---|---|---|
| Hetzner Online | S3-compatible file storage and application hosting | Germany (EU) |
| Postmark | Transactional + broadcast email delivery | EU region |
| Stripe | Subscription billing and invoicing | EU/US |
| Akismet | Spam content scoring (BYO API key) | US |
| hCaptcha | Optional bot challenge (BYO site/secret keys) | US |
How long submissions stick around.
Defaults below; per-form overrides on Pro and Team. Expired submissions are purged together with their attachments — not soft-deleted forever.
Reporting a vulnerability.
Found something? Send a quiet email; we will read it. We prefer coordinated disclosure and will credit reporters who request it.
Production endpoints under formspring.io; ingestion under f.formspring.io. Out of scope: third-party integrations and customer-controlled webhook receivers.
Acknowledgement within two business days. Triage and timeline within five. Coordinated disclosure preferred; we will credit reporters who request it.