Security Gateway
Built for production data
We handle form data with extreme care. Here is the exact technical breakdown of how we isolate, encrypt, and protect your payloads at scale.
Application-Layer Field Encryption
We encrypt your form submissions before they are ever committed to disk. Payloads are stringified and run through AES-256 encryption on our server nodes. Even if our database cluster is physically compromised, your customer data remains an unreadable ciphertext hash.
Hardened Row-Level Security (RLS)
Direct client-side database insertions are completely disabled on our PostgreSQL tables. All submissions must pass through our Next.js API Gateway (/api/f/[endpoint]). This gateway performs validation, rate limiting, and spam filtering before securely inserting data using a restricted service role client.
Silent Honeypot & Anti-Spam
Our API handles bot spam silently. You simply include a hidden input named '_trap_field'. Automated bots fill it out; our edge engine intercepts it and drops the request silently. This blocks 99% of automated bots without ruining your conversion rate with ugly captchas.
Strict Payload Limitations
To mitigate buffer overflow and Denial of Service (DoS) attacks, our API gateway enforces a strict 64KB maximum payload size verification on all incoming POST requests, preventing memory-exhaustion exploits.
Submission Data Pipeline
Complete Data Sovereignty
We operate under a simple architecture: we collect only what is necessary to run your forms and protect your limits.
Because form data is encrypted prior to database commit using an environment secret key, we cannot inspect the content of your submissions on our dashboard tables without authorization keys. If you decide to purge your data, deleting a submission permanently deletes the record from our high-availability PostgreSQL database instantly. We keep no hidden backups or archive pools of deleted data.
Ready to build secure forms?
Experience secure form backends without writing a single line of backend database code.