The foundation of our approach to security is that we don't keep form submission data. Our service is designed to be a user interface to other systems that store data. Form submissions are held temporarily during validation, workflow and delivery, and then permanently deleted subject to the Data Retention Period configured for your account. The default is 20 days.


All connections to our website, forms and API use HTTPS encryption via a 2048-bit SSL certificate.

Form data is encrypted with the industry-standard AES-256 algorithm while it's temporarily held by us.

Form data is delivered via secure channels wherever possible. We discourage delivery of form data by email.

User passwords and access tokens for third-party services are encrypted with AES-256.


Form data can be accessed via our portal and API while it is temporarily held by us.

Portal access requires a FormsByAir account login. Logins have a minimum password length requirement and support two-factor authentication using the Google Authenticator app.

We also support login IP address whitelisting to restrict access to specific networks.

API access requires a bearer token generated by an Administrator in the portal. Tokens can be manually revoked at any time, and automatically expire after 3 years.


FormsByAir is hosted by Microsoft Azure.

DNS and SSL certificate services are provided by GoDaddy.

SMTP email services are provided by SendGrid.


The design of our infrastructure within Azure follows best practice to ensure high availability. Our production environment is monitored 24/7 every minute from multiple geographic locations using A public status page is available here

PCI Compliance

FormsByAir is not PCI-Compliant and does not store or transfer credit card information.


FormsByAir offers spam protection by monitoring for unusual patterns of activity against your forms and blocking access if thresholds are exceeded.