Security & Compliance

At Kitoform, we take the security and privacy of your data extremely seriously. Our infrastructure is built on industry-leading cloud platforms with enterprise-grade security measures to ensure your form submissions are protected at all times.

Infrastructure

Kitoform is built on a robust, globally distributed infrastructure designed for security, performance, and reliability.

  • Edge Computing: Powered by Cloudflare Workers for ultra-low latency and DDoS protection
  • Database: PostgreSQL hosted on Neon (EU regions) with automatic backups and point-in-time recovery
  • File Storage: Cloudflare R2 and AWS S3 for secure, redundant file storage
  • CDN: Global content delivery through Cloudflare's network spanning 300+ cities

Data Encryption

All data is encrypted both in transit and at rest using industry-standard encryption protocols.

Encryption in Transit

  • TLS 1.3 for all API communications
  • HTTPS enforced on all connections (256-bit SSL certificates)
  • Perfect Forward Secrecy (PFS) enabled

Encryption at Rest

  • AES-256 encryption for all stored data
  • Encrypted database backups with automatic key rotation
  • Encrypted file uploads with secure access controls

Compliance & Certifications

Our infrastructure providers maintain the highest industry certifications and compliance standards:

Neon Database

  • ✓ SOC 2 Type II certified
  • ✓ ISO 27001:2022 certified
  • ✓ ISO 27701:2019 (Privacy)
  • ✓ GDPR compliant
  • ✓ CCPA compliant
  • ✓ HIPAA compliant (2025)

Cloudflare Platform

  • ✓ SOC 2 Type II certified
  • ✓ ISO 27001/27002 certified
  • ✓ PCI DSS Level 1
  • ✓ GDPR compliant
  • ✓ CCPA compliant
  • ✓ EU-US Privacy Framework

Note: We use infrastructure providers that comply with industry-leading certifications and maintain the highest security standards.

Security Practices

We follow industry best practices to ensure your data remains secure throughout its lifecycle:

Application Security

  • Secure session-based authentication with Better-Auth
  • OAuth 2.0 support for Google authentication
  • CSRF protection on all forms
  • Rate limiting to prevent abuse and DDoS attacks
  • Input validation and sanitization on all endpoints

Spam Protection

  • Advanced spam detection scoring system
  • Domain whitelist for trusted submissions
  • Honeypot fields for bot detection
  • IP-based rate limiting and blacklisting
  • Email verification for suspicious submissions
  • Configurable security levels per form

Development & Deployment

  • Code review process for all changes
  • Automated security scanning in CI/CD pipeline
  • Staging environment for thorough testing before production
  • Zero-downtime deployments with instant rollback capability
  • Regular dependency updates and security patches

Data Privacy & Retention

We respect your privacy and give you full control over your data:

  • Data Ownership: You own all data submitted through your forms. We never share, sell, or use your data for purposes other than providing the service.
  • Data Portability: Export your data anytime in CSV format.
  • Data Deletion: Delete submissions, forms, or your entire account at any time. Deleted data is permanently removed from all systems and backups within 30 days.
  • Data Retention: Your data is retained indefinitely until you choose to delete it or close your account. You have full control over your data lifecycle.
  • Geographic Data Storage: Primary database in EU regions (Neon), with edge caching globally through Cloudflare.

Monitoring & Incident Response

  • 24/7 infrastructure monitoring with real-time alerting
  • Automated anomaly detection for suspicious activity
  • Security incident response plan with defined escalation procedures
  • Regular security audits and penetration testing
  • Comprehensive logging for security and compliance purposes

Responsible Disclosure

We welcome security researchers and encourage responsible disclosure of security vulnerabilities.

How to Report a Security Issue

  1. Email security@kitoform.com with detailed information about the vulnerability
  2. Include steps to reproduce, potential impact, and suggested fixes if possible
  3. Allow us reasonable time to address the issue before public disclosure
  4. We'll acknowledge your report within 48 hours and keep you updated on progress

We do not currently offer a bug bounty program but recognize and appreciate responsible disclosure with public credit (if desired).

Questions About Security?

If you have questions about our security practices, compliance certifications, or need specific documentation for your organization, please contact us:

Security Inquiries: security@kitoform.com

General Support: support@kitoform.com

Sales & Enterprise: sales@kitoform.com

Website: https://kitoform.com

Your Data, Your Control

We're committed to maintaining the highest security and privacy standards. Your trust is our top priority, and we continuously invest in security infrastructure, compliance certifications, and transparent practices to protect your data.