NodumForms for Security-led Teams

Your data,
protected by default.

Strong security built into every plan — TLS encryption, hashed IPs, server-side upload validation, and plan limits enforced on every API call.

Graphic placeholder
Animated encryption-stream demo: rows of submitted form-field data (name, IP, card, notes) being progressively masked into bullets behind a padlock, captioned 'Encrypted in transit · TLS 1.2+ · hashed on storage'.
16/9
↳ drop file at /graphics/security-encryption-stream.html

Secure by default,
on every plan.

Encrypted, end to end.

Every byte on the wire uses TLS 1.2 or greater. Your respondents are protected from the very first keystroke — no upgrade required.

Graphic placeholder
TLS encryption diagram: a respondent's browser connected to NodumForms servers over a padlocked wire, with a 'TLS 1.2+ · End-to-end encrypted' badge on the connection.
4300/2231
↳ drop file at /graphics/security-tls.html

Validated file uploads.

Every upload is checked on our servers — type, extension, and size — and anything unexpected (ZIP, EXE…) is rejected. Files are stored on private server storage, never listed or indexed.

Graphic placeholder
Upload validation panel: an incoming file checked against three rules (allowed type, extension matches, under size limit) all passing, with a 'backup.zip' upload rejected beside a 'Validated on our servers' header.
4300/2231
↳ drop file at /graphics/security-private-files.html

Hashed IPs.

Raw IP addresses are never persisted. We hash on the way in — so what we hold isn't traceable back to your respondents.

Graphic placeholder
IP hashing flow: a raw IP address (203.0.113.42) struck out, an SHA-256 arrow, and the resulting stored hash, with a 'Raw IP never stored' confirmation chip.
4300/2900
↳ drop file at /graphics/security-hashed-ips.html

Server-side enforcement.

Plan limits, permissions, and access controls all run on our servers. Client-side gating is cosmetic only.

Graphic placeholder
API Request Pipeline card with four green-check rows (Auth verified, Plan limits checked, Rate limited, Input sanitized) and a 'server enforces everything' footer.
4300/2900
↳ drop file at /graphics/security-enforcement.html

No data training.

Your form data is never used to train AI models, and never sold or shared with third parties. Ever.

Graphic placeholder
'No training. No sharing.' pledge card with an AI-model icon crossed out and three badges: Zero data training, No third-party sharing, Your data only.
4300/2900
↳ drop file at /graphics/security-no-training.html

Responses stay private.
Share only what you choose.

Access controls

Private by default.
Shared on your terms.

Every form and its responses are private until you invite someone. Add collaborators to a form by email — they can edit it and see its responses — and revoke access any time.

Talk to security
Graphic placeholder
'Who can edit this form' sharing panel with an invite-by-email field, the list of current collaborators each with a remove (×) button, and a 'private until you invite someone' note.
4300/3000
↳ drop file at /graphics/security-workspace-sharing.html
Deletion

Keep what you need.
Delete the rest.

Delete any response and it’s permanently removed within 24 hours; delete a form or your account and every response and uploaded file goes with it.

See the responses view
Graphic placeholder
Response deletion in the responses table: rows selected with a 'Delete selected' action and a confirmation noting responses are permanently removed within 24 hours — a GDPR right-to-erasure aid.
4300/2231
↳ drop file at /graphics/security-retention.html
Compliance

Working toward SOC 2,
already aligned.

Our security practices already follow SOC 2 Type 2 standards. We are working toward formal certification — and happy to share our current security posture with your team.

Request our security overview
Graphic placeholder
Security & Compliance posture sheet listing SOC 2 Type 2 (In progress), GDPR, CCPA, TLS 1.2+, and IP Hashing, each with a status pill.
4300/2231
↳ drop file at /graphics/security-compliance.html

Designed to be trusted
by every type of team.

Security & IT

A platform you can hand to your security team without a long checklist of caveats. Hashed IPs, server-side enforcement, no training on your data.

Read our security overview

Legal & Compliance

GDPR- and CCPA-aligned: hashed IPs, response and account deletion on demand, and a custom DPA on Enterprise. Working toward SOC 2 Type 2.

See compliance details

People & HR

Collect sensitive applications and surveys with confidence — server-side upload validation, hashed IPs, and per-form access keep the data tight.

See HR templates

Security that ships
with every form.

Start on the free plan — every protection above is on by default. Talk to us about a custom DPA and dedicated support on Enterprise.