The foundation of our approach to security is that we don't keep form submission data. Form submissions are held temporarily during validation, workflow & delivery, and then permanently deleted subject to the Data Retention Period configured for your account. The default is 10 days.


All connections to our website, API and forms use HTTPS encryption with TLS 1.2.

Form data is encrypted with the industry standard AES-256 algorithm while it's temporarily held by us.

Form data is delivered to all services using HTTPS encryption.

User passwords and access tokens for third-party services are encrypted with AES-256.


Form data can be accessed via our portal and API while it's temporarily held by us.

Portal access requires a FormsByAir account login. We support 2FA using a mobile app and IP address whitelisting to restrict access to specific networks.

API access requires a bearer token generated by an Administrator in the portal. Tokens can be manually revoked at any time, and automatically expire after 3 years.

FormsByAir staff can only access metadata by default, and must request access to form data as required to troubleshoot an issue, which is logged with a comment.

Our website, API and all forms sit behind a Web Application Firewall with a comprehensive set of OWASP-based rules.


FormsByAir is hosted by Microsoft Azure

Domain registration and SSL certificate services are provided by GoDaddy

SMTP email services are provided by SendGrid and SMTP2GO

Monitoring services are provided by Pingdom and Atlassian

Malware detection is supported by ClamAV

Data Sovereignty

You can nominate your preferred region to store encrypted form data while it's temporarily held by us; see Regions.


The design of our infrastructure within Azure follows best practice to ensure high availability, including global CDN endpoints. Our production environment is monitored 24/7 every minute from multiple geographic locations. A public status page is available here. We target at least 99.95% availability every month.


An independent report from SecurityScorecard and our CASA Tier 2 Certification are available on request.

GDPR Compliance

FormsByAir is compliant with the obligations on data processors under GDPR and UK GDPR.

Form data is temporarily held and processed in the UK and EU for accounts configured to operate in the UK.

Subprocessors include Cliniko and SMTP2GO

PCI Compliance

FormsByAir is not PCI-Compliant and does not store or transfer credit card information.


FormsByAir offers spam protection by monitoring for unusual patterns of activity against your forms and blocking access if thresholds are exceeded.


FormsByAir scans all form attachments for malware including viruses immediately after submission. Infected files are quarantined and account administrators are automatically notified.