Hosted in Germany by default
Every submission and file your forms collect is stored on servers in Germany - the default for every customer on every plan, not a paid add-on.
Security & privacy
Your respondents trusted you.We help you keep it.
Formspring is built privacy-first: EU hosting, strong encryption, automatic spam filtering, and controls that put you in charge of every answer.
Hosted in the EU Encrypted in transit & at rest Privacy-first by design
What you can count on
Big-company care. None of the creepy stuff.
Five promises that hold for every plan - including the free one.
Hosted in the EU.
Your data lives in Germany - no incidental trips through other regions. It is the default on every plan, never a paid add-on.
Encrypted, end to end of the journey.
In transit and at rest, with sensitive fields protected by a key that is unique to your workspace.
Spam doesn't get through.
Several filters plus optional moderation catch junk before it ever reaches you.
You hold the keys.
Roles, permissions, passkeys, 2-factor login, and a clear history of who did what.
Yours to keep or delete.
Export whenever you like, set how long answers stick around, and delete on demand. Privacy-first by design.
Data residency
Your data lives in Germany - and that is an advantage.
Every response and file upload is stored in one of the strongest data-protection homes in the world. It is privacy by infrastructure, not by checkbox - and it keeps your answers outside routine US-government data-access regimes.
Stored and processed in the EU
The application, databases, background workers, and file storage all run in EU data centers. Submissions and uploads never leave the EU as part of normal operation.
Encrypted in transit and at rest
Traffic is protected with TLS 1.2 or higher end to end. Uploaded files are stored with AES-256 server-side encryption, and per-form spam and captcha credentials are encrypted at rest.
Sensitive fields, additionally encrypted
Fields you mark as sensitive are encrypted with a per-workspace key before they are stored, and revealed only to authorized teammates. Strict-mode fields can be forwarded to your integrations without ever being persisted.
A stronger privacy jurisdiction
EU residency means GDPR-grade handling is the baseline, with strict limits on how personal data can be accessed, transferred, or repurposed - and no routine exposure to non-EU government access regimes.
A stronger privacy jurisdiction
EU law sets one of the highest bars for data protection anywhere, with strict limits on how personal data can be accessed, moved, or reused.
Outside routine US-government access
Because your data is stored and processed in Germany, it is not subject to routine US-government data-access regimes. Email is delivered from the EU on the same principle.
Data flow
From public form to deletion job.
Here is the whole journey an answer takes - where it arrives, how it is protected, where it rests, and when it is removed.
- 1
Visitor submits
A respondent sends a form, survey, or funnel response from their browser or via the API.
- 2
Encrypted in transit
The payload travels over TLS 1.2+ and is matched to your workspace before any handling.
- 3
Processed in the EU
Spam screening, optional moderation, and routing run on EU infrastructure - sensitive fields are encrypted here.
- 4
Stored encrypted in the EU
The submission and any files are written to encrypted EU storage, then retained or hard-deleted on your schedule.
Retain or delete: Plan limits and the per-form window you set decide when answers, files, and their history are purged for good - never soft-deleted forever.
Spam protection
Five layers before a response reaches the desk.
Start with silent bot filtering, then add stricter controls only when the audience or campaign calls for them.
Layer 1
Honeypot
Invisible trap fields catch bulk bots without adding any friction for real people.
When to enable: Keep on for every public form.
Layer 2
Captcha
A quick challenge steps in only when a session looks suspicious.
When to enable: Enable for high-risk campaigns, paid traffic, and public embeds.
Layer 3
Custom rules
Block or flag messages by field value, domain, keyword, or country.
When to enable: Use when your team knows the exact abuse pattern.
Layer 4
Reputation scoring
Past behavior and signals add up to a risk score for each new message.
When to enable: Use for forms that get repeat traffic from the same channels.
Layer 5
AI moderation
Optional review reads message intent and explains why something looks like junk.
When to enable: Enable when false positives are costly and reviewers need explanations.
Who else helps
A short, audited list of partners.
Formspring leans on a small set of trusted partners. Here is the plain-language version; the full disclosure has every contractual detail.
| Role | What it does | Region |
|---|---|---|
| Application hosting & object storage | Runs the application and stores submissions and uploaded files | EU (Germany) |
| Transactional email delivery | Sends submission notifications, autoresponders, and account email | EU data center |
| Payment processing | Subscription billing, invoicing, and EU VAT collection | EU (Ireland) |
| Spam content scoring (optional) | Optional submission spam classification; bring-your-own key supported | US (Standard Contractual Clauses) |
| Bot challenge (optional) | Optional captcha challenge on public forms; bring-your-own key supported | US (Standard Contractual Clauses) |
| AI moderation & summaries (optional) | Optional AI moderation, summaries, and autoresponder drafts on paid plans | EU/US (Standard Contractual Clauses, zero-retention) |
Yours to keep or delete
How long answers stick around.
These are the defaults; on Pro and Team you can override them per form. When something expires, it is purged together with its files.
Free plan
30 days, automatic purge
Pro plan
Until manually deleted; per-form override available
Team plan
Until manually deleted; per-form override + legal hold
Scale plan
Custom retention policy with per-team controls
Found something?
Tell us, and we will listen.
Send a quiet email; we read every one. We prefer coordinated disclosure and happily credit reporters who ask.
Contact
Scope
Production endpoints under formspring.io; ingestion under f.formspring.io. Out of scope: third-party integrations and customer-controlled webhook receivers.
Response
Acknowledgement within two business days. Triage and timeline within five. Coordinated disclosure preferred; we will credit reporters who request it.
Give your next important form a real home.
Start free with one form. Add ownership, private files, and clear history before responses pile up in inboxes.
·· no card · 50 submissions / mo · no countdown