splitforms security — how we protect your form submissions.

Infrastructure

splitforms is built on a small, well-known stack. We don't run our own datacentres; we trust providers whose security programmes are stronger than anything a tiny SaaS could replicate. Each provider holds its own SOC 2 / ISO 27001 attestations, which we inherit downstream.

We do not use third-party analytics, marketing pixels, ad networks, or session-replay tools inside the splitforms dashboard or on submission endpoints. The fewer places your submissions touch, the smaller the blast radius.

Data isolation — Postgres Row-Level Security

Every customer-facing table — profiles, forms, submissions, webhooks, user_integrations — has Row-Level Security enabled in Postgres, with policies that scope reads, updates and deletes to auth.uid() = user_id. There is no shared "all-tenants" view, and there is no admin tooling that bypasses RLS for normal application traffic. The dashboard runs as the signed-in user, so the database itself enforces tenant isolation — even if app code had a bug, RLS would catch it.

The single exception is /api/submit, which runs as the Supabase service role to insert a row on behalf of an unauthenticated form visitor. That code path looks up the target form by its public access_key, applies rate limits and origin checks, and writes only to that form's user_id — it never reads cross-tenant data.

Read more about how Supabase implements RLS: Supabase RLS docs.

Authentication — magic links, no passwords

splitforms uses Supabase Auth's magic-link flow. To sign in, you enter your email and click the one-time link we send. Sessions are managed via short-lived JWT access tokens (refreshed automatically) stored in HttpOnly, SameSite=Lax cookies. Refresh tokens can be revoked server-side at any time.

What this means in practice:

• We do not store any passwords — there is no password field in the signup flow and nothing for an attacker to crack from a database dump.
• We do not use SMS for 2FA today. (TOTP / passkeys are on the roadmap.)
• An admin tool exists to force-logout a user across every device by revoking all of their refresh tokens — used for account-recovery and abuse cases.
• Optional Google OAuth is also offered on the login page; we only request email + name and do not access any other Google data.

Spam and abuse protection

Form submissions are an internet-facing endpoint, which means spam, scrapers, and runaway scripts try to abuse them constantly. splitforms ships several layered controls out of the box, with no setup on your part:

• Honeypot field. Every form looks for a hidden botcheckfield. If a submission fills it in (which only automated bots do), the row is silently flagged as spam and we don't email or webhook you.
• Domain whitelist. Each form has an optional allowed_domainssetting. When set, submissions are only accepted from origins matching that list — so even if your access key leaks, attackers can't POST from evil-clicker.com.
• Rate limit. A rolling per-form cap of 60 submissions per 60 seconds. Bursts above that get rejected with HTTP 429 — protecting our SMTP reputation and your monthly quota from runaway loops or scripted attacks.
• Monthly quota.Free, Pro, and 4-Year plans each have a monthly submission ceiling enforced at the database layer. Submissions over the cap are rejected cleanly so spam can't silently burn through your tier.
• AI spam classifier (flag-gated). An optional GPT-based spam scoring layer exists behind a feature flag and is enabled per-account at our discretion.

Data retention

We keep your submissions for as long as your account is active. There is no automated "expire after N days" policy out of the box — many customers want a permanent CRM of every lead they've received, so we don't delete on your behalf.

You stay in control:

• Per-submission delete from the dashboard at any time.
• CSV export from the dashboard for any form, so you can keep your own archive offsite.
• Account deletion cascades through Postgres foreign keys and removes every form, submission, webhook, uploaded file, and profile row associated with your account. Backups are rotated within 30 days.

If you need a custom retention policy (e.g. auto-delete submissions older than 90 days for compliance), email hello@splitforms.com.

What we don't do (yet)

Honesty is a security feature. Here's what splitforms does notcurrently have, so you can decide up-front whether we're a fit:

• No SOC 2 report. Our infrastructure providers (Supabase, AWS, Vercel, Cloudflare) hold SOC 2, but splitforms itself is not yet audited. On the roadmap once revenue justifies the cost.
• No formal third-party penetration test report. We perform internal review and follow secure-by-default practices, but we don't yet commission an annual external pen-test.
• No HIPAA BAA. Do not use splitforms for Protected Health Information.
• No formal SLA on the Free tier. Pro and 4-Year plans receive priority support and a best-effort 99.9% uptime target; Free is provided as-is.
• No bug bounty programme yet. We pay attention to responsible disclosure and credit reporters, but there is no formal monetary bounty today.

We'd rather tell you these gaps exist than imply controls we can't actually back up under audit.

Reporting a security issue

Found a vulnerability or have a security concern? Please email security@splitforms.com (also reachable at hello@splitforms.com). Include reproduction steps and any proof-of-concept relevant. We aim to acknowledge within one business day and keep you updated through remediation.

Please don't run automated scans or fuzzing against production endpoints — set up a free account and test against your own forms instead. We will not pursue good-faith researchers reporting under responsible-disclosure norms.

Frequently asked questions