Security

Built to protect your form data

Formtorch handles submission data on behalf of developers and their users. We take that responsibility seriously. Encryption, access controls, spam detection, and rate limiting are enabled by default.

Encryption in Transit & at Rest

All connections use TLS 1.2+. Submission data, account info, and credentials are encrypted at rest in our managed Postgres database. Passwords are never stored in plaintext.

Workspace Isolation

Every form and submission belongs to an authenticated workspace. There is no cross-tenant data access, and your data is only accessible to you.

Managed Infrastructure

Formtorch runs on Vercel (edge + serverless) and Neon Postgres (AWS-backed). Both providers maintain SOC 2 compliance, DDoS protection, and automatic backups.

Secure Authentication

Accounts are powered by Clerk. We support email/password with verification and Google OAuth. No plaintext credentials are ever stored or logged.

Spam & Abuse Detection

TorchWarden™, our built-in scoring engine, evaluates every incoming submission for spam signals. Flagged submissions are quarantined and never reach your inbox or count against your quota.

Rate Limiting

A four-layer rate limiter (IP, form, global, and burst) protects your endpoints from abuse and automated floods. The limiter is Redis-backed, with an in-memory fallback for high availability.

Data practices

  • We never sell your data or your respondents' data to third parties.
  • Submission data is retained only for your plan's storage period. You can delete any submission or form at any time from the dashboard.
  • When you close your account, associated data is deleted within 30 days.
  • We collect the minimum data necessary to operate the Service.

For the full picture, see our Privacy Policy.

Responsible disclosure

If you discover a security vulnerability in Formtorch, please report it to security@formtorch.com. We will acknowledge your report within 48 hours and work with you on a coordinated disclosure timeline.

We ask that you do not publicly disclose the issue until we have had a chance to investigate and release a fix. We do not operate a bug bounty program at this time, but we genuinely appreciate responsible reports.