
Security at TruForms

How we protect your account and your users' submissions — encryption, secrets, sessions, and abuse prevention. A living document, last reviewed June 2026.

HTTPS + HSTS · AES-256-GCM · Argon2id · HMAC-SHA256 · CSRF protected

Encryption in transit

All traffic is served over HTTPS with HSTS. TLS certificates are provisioned via Cloudflare or Let's Encrypt and rotated automatically.

Encryption at rest

Integration secrets, captcha keys, and OAuth state are AES-256-GCM encrypted with per-instance keys derived from a rotatable master secret. Object storage uses server-side encryption.

Password hashing

Argon2id (memory 19 MiB, time cost 2, parallelism 1) with a server-wide pepper. Verifying a login costs one hash; an attacker who steals the hash table pays the same memory-hard cost for every guess, and a pepper that is not stored alongside the hashes is a second secret they must also obtain.

Session model

Opaque 32-byte random tokens stored only as SHA-256 hashes. Cookies are HttpOnly + SameSite=Lax + Secure (prod). CSRF is enforced via double-submit on all state-changing requests.

Data residency

Default region: Mumbai (ap-south-1). EU-region hosting available for Business plans on request. Self-host for sovereign deployment — same code, same features.

Retention & deletion

Submissions are retained per your plan's retention window. Deletion is immediate and cascades to attachments in object storage. Free plan: 30 days. Pro/Business: 365 days.

Spam controls

Rate limits per IP (60/min) and per form (300/min), honeypot fields, heuristic scoring, and optional Cloudflare Turnstile or hCaptcha. Spam submissions are stored but never trigger emails, webhooks, or integrations.
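The following Node.js snippet is an added example (not TruForms' own code) of how these controls fit together on the ingest path: sliding-window limits at the page's 60/min per IP and 300/min per form, a honeypot field, a small constructed heuristic score, and the rule that spam is stored but never fans out to email, webhooks or integrations. The field names, the scoring rules and the in-memory window store are assumptions.

```javascript
// Added example, not TruForms' code. Sliding-window rate limits per IP and per
// form, a honeypot field, a constructed heuristic score, and the rule that spam
// is stored but never fans out. Field names, scoring and the store are assumptions.
const LIMITS = {
  ip:   { max: 60,  windowMs: 60_000 },   // 60/min per IP, as on the page
  form: { max: 300, windowMs: 60_000 },   // 300/min per form
};
const windows = new Map(); // "kind:id" -> timestamps (ms) of accepted hits; stands in for Redis or similar

// Drop hits older than the window and return what is left (the array is shared with the map).
function recentHits(kind, id, now) {
  const key = `${kind}:${id}`;
  const kept = (windows.get(key) || []).filter((t) => t > now - LIMITS[kind].windowMs);
  windows.set(key, kept);
  return kept;
}

// Check both limits before recording either, so a form-level reject does not also
// burn the IP's budget; only accepted submissions count toward the limits.
function rateLimited(ip, formId, now) {
  const ipHits = recentHits("ip", ip, now);
  const formHits = recentHits("form", formId, now);
  if (ipHits.length >= LIMITS.ip.max || formHits.length >= LIMITS.form.max) return true;
  ipHits.push(now);
  formHits.push(now);
  return false;
}

// Honeypot: a field hidden from humans by CSS; humans leave it empty, form-filling bots do not.
function hitsHoneypot(fields, honeypotField = "website") {
  const v = fields[honeypotField];
  return typeof v === "string" && v.trim().length > 0;
}

// Constructed heuristic, not TruForms' scoring: link-stuffed or link-only text.
function spamScore(fields) {
  let score = 0;
  for (const v of Object.values(fields)) {
    if (typeof v !== "string") continue;
    const links = (v.match(/https?:\/\//gi) || []).length;
    if (links >= 3) score += 2;
    if (links > 0 && v.replace(/https?:\/\/\S+/gi, "").trim().length < 20) score += 1;
  }
  return score;
}
const SPAM_THRESHOLD = 2;

// sub is a constructed shape: { ip, formId, fields }. Returns what the ingest path should do.
function classify(sub, now = Date.now()) {
  if (rateLimited(sub.ip, sub.formId, now)) return { action: "reject", status: 429 };
  const spam = hitsHoneypot(sub.fields) || spamScore(sub.fields) >= SPAM_THRESHOLD;
  return {
    action: "store",
    spam,
    // spam is kept for review and audit but triggers none of the fan-out
    sideEffects: spam ? [] : ["email", "webhooks", "integrations"],
  };
}
```

Checking the rate limits before any parsing of the body keeps the cheap rejection cheap, and counting only accepted submissions means a burst that is already being refused cannot extend its own lock-out.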

Webhook integrity

Outbound webhooks are HMAC-SHA256 signed, with the timestamp covered by the signature so receivers can verify origin and reject stale or replayed deliveries. Delivery is retried 8 times with exponential backoff; failures land in an auditable dead-letter log.

Access control

Workspace-scoped membership with owner, admin, member, and viewer roles. Billing actions are restricted to owners and admins.

Responsible disclosure

Report security issues to [email protected]. We respond within 3 business days and credit researchers in release notes (unless you prefer anonymity).

Standards we build on

Our controls follow established, openly published security standards rather than house rules. The primary references:

Found a vulnerability?

We welcome responsible disclosure. Include reproduction steps and any relevant logs — we acknowledge every report within 3 business days and credit researchers in our release notes.

[email protected]