End-to-end encrypted · OpenPGP

Encrypted forms

For the responses that truly can't leak. Each submission is encrypted in the visitor's browser to your public key. We only ever store ciphertext — not even we can read it. You hold the only key that can.

formformform.com/f/get-in-touch
Get in touch
We usually reply within a day.
privateencrypted
Your name
Maya Pearce••••••••••
Email
maya@hey.com•••••••••••
Your message
A quick pricing question.•••••••••••••••••
Your answers are locked the moment you send them.
Submit securely
Encrypted on your device
Only the form owner can read your answers.
sealed · just now

What your visitors see: a normal form. The moment they hit submit, every answer is locked on their own device — only you can open it.

Under the hood
1
Patient intake
respondent · their browser
public key
NAME
Dana Whitfielda7f3 9c21 d4b0 7e65 c1a8 f24e
DIAGNOSIS
Type II diabetesb40e 28ad 5f19 c3d7 0a6b e914
PATIENT ID
048-22-9931d9c1 7e08 3b52 af16 9d40 c1e2
sealed on their device, before anything is sent
SEALED
2formformformvault
no key
response.pgpsealed
-----BEGIN PGP MESSAGE-----
hQEMA4Rf2kq9TnF8AQf/Vx9pK2mLZr8wcBMA2y8nQf
n4PqRtUo7iJ0dKfWpZ3xY6tLbN1cE5sQ9vHmRdG8aK
fP0oUjBnXTqWz4yLcVe2iD7gMh3sAuO1pR5tkY9wF6
bQxZn2mC8vJ7dLpT0eRf4UoIa1HsGgBmZ4xCvN2pR=
-----END PGP MESSAGE-----
no key on our servers — we cannot open it
SEALED
you hold the only key
formformform never holds a copy.
only your private key opens this.
3
Your dashboard
owner · decrypted on your device
private key
NAME
Dana Whitfielda7f3 9c21 d4b0 7e65 c1a8 f24e
DIAGNOSIS
Type II diabetesb40e 28ad 5f19 c3d7 0a6b e914
PATIENT ID
048-22-9931d9c1 7e08 3b52 af16 9d40 c1e2
only your private key reveals the answers
public key seals · your private key alone opens · end-to-end OpenPGP

Answers are sealed to your public key in the respondent's browser, reach us as ciphertext we can't read, and are decrypted only by your private key.

True end-to-end, not "encrypted at rest"

Most "secure" forms encrypt data in transit (TLS) and on our disks — but the server still sees your responses in the clear. Encrypted forms are different: the data is encrypted on the respondent's device before it ever leaves their browser, using your public key. It reaches us already sealed. There is no point at which our servers, our staff, or anyone who compromised them could read a submission.

Powered by OpenPGP

We didn't invent our own crypto. Encrypted forms use OpenPGP — the open, standardised, decades-scrutinised protocol behind PGP and GnuPG (RFC 9580). The encryption runs in your browser via the audited OpenPGP.js library, with modern Curve25519 elliptic-curve keys selected by default. Your keys are real OpenPGP keys: you can decrypt your responses with GnuPG or any other OpenPGP tool, not just with us.

A short history: PGP and Phil Zimmermann

In 1991, Phil Zimmermann wrote Pretty Good Privacy — the first strong, freely available encryption for ordinary people — and released it to the world. He built it so that human-rights activists, journalists, and dissidents could communicate without their governments reading along.

At the time, strong cryptography was classed as a munition under US export law. When PGP spread overseas, Zimmermann became the target of a three-year criminal investigation for "exporting munitions without a license." In a now-famous act of protest, the entire PGP source code was printed as a book and shipped abroad — because exporting a book was protected speech under the First Amendment, even when exporting the same bytes was not. The case was dropped in 1996, a pivotal moment in the "crypto wars" that won everyday people the right to real privacy.

PGP's format was later standardised as OpenPGP so anyone could implement it openly. Thirty years on, that same standard quietly secures the most sensitive submissions to your forms.

How it works
  1. Turn on encryption for a form and generate a keypair — right in your browser.
  2. Download and safely store your private key. We only ever receive the public half.
  3. Share your form. Every visitor's browser encrypts their answers to your public key.
  4. We store the sealed ciphertext. Notifications and integrations carry no readable content.
  5. To read a response, unlock it in your dashboard with your private key. Decryption happens locally — your key never touches our servers.
File uploads, encrypted too

Attachments are encrypted in the browser the same way before upload. We store only the ciphertext, under a random name, with no readable filename or type. You decrypt and download them locally when you review the response.

You hold the only key

This is the whole point — and the responsibility. If you lose your private key, your form's responses are gone for good. We cannot reset it, recover it, or read around it, because we never had it. Store your key the way you'd store the keys to a safe.

When "encrypted" has to mean "even the vendor can't read it"

Some answers can't afford to be readable on anyone else's server. These are the people who reach for end-to-end forms — and the duties that bring them here.

Law firms and in-house counsel

Client intake, witness statements, and conflict checks arrive as ciphertext, sealed in the respondent's browser to your firm's public key — our infrastructure never receives readable content, and your private key stays in your hands. It's a concrete way to support the reasonable efforts to prevent unauthorized access that ABA Model Rule 1.6(c) asks of you, and it leaves a vendor with nothing readable to hand to a subpoena. Whether any given incident triggers notification remains your judgment under ABA Formal Opinion 483 — the decision stays with you.

Therapists, psychiatrists, and private practices

Intake forms, PHQ-9 and GAD-7 scores, and history questionnaires are among the most sensitive records a practice holds — and under the HIPAA Breach Notification Rule, you are the one who must notify patients and OCR if they leak. Each response is encrypted in the respondent's browser to your public key, so we store only ciphertext and never hold the means to read it — designed to help your data meet HHS's standard for secured PHI, the difference between a quiet non-event and a reportable breach. A vendor that stores your encrypted responses is still a business associate, so you'll still need a signed BAA in place.

Ethics and whistleblower hotlines

Under the EU Whistleblower Directive (2019/1937), a reporter's identity — and any detail it could be deduced from — may not reach anyone beyond your authorised compliance handlers without their consent. Each submission is sealed in the reporter's browser to your team's public key, so we store only ciphertext and never hold a key that could open it. That keeps the circle of people who can read a report limited to exactly the staff the law intends, helping you meet your confidentiality duty and reduce the retaliation risk that follows a leak.

Newsrooms and investigative reporting

Protecting a source is a promise you may one day have to keep in front of a judge. When tips are encrypted in the source's browser to your newsroom's public key, the form vendor only ever holds ciphertext — so a subpoena or seizure served on the vendor produces nothing readable, and the decision to fight stays where it belongs: with you. That matters more than ever, with federal shield protections still unsettled and the Justice Department's 2025 rollback of internal limits on subpoenaing journalists' records. End-to-end protects what a source writes, not their network identity — for full source anonymity, pair it with a tool like SecureDrop.

Accountants, tax preparers, and advisers

If you collect Social Security numbers, bank details, and KYC documents, the FTC Safeguards Rule expects you to encrypt customer information in transit and at rest, and your written security program commits you to keeping it confidential. Every submission is encrypted in the client's browser to your public key, so we store ciphertext we can't decrypt and the only readable copy lives behind the one private key you hold. A breach of our systems is not a reportable exposure of your clients' data — though once you decrypt and store submissions in your own systems, protecting that copy remains your responsibility.

Human rights organizations and victim services

For human rights monitors, crisis advocates, and refugee caseworkers, a data breach is not a compliance footnote — it can put a real person in front of the people they fled. Most secure forms encrypt submissions on the vendor's servers, which means the vendor still holds the keys and can be hacked, subpoenaed, or pressured into producing plaintext. We encrypt every response in the respondent's browser to your public key and store only the ciphertext, so we have nothing readable to surrender — helping you uphold confidentiality duties under frameworks like VAWA, FVPSA, and UNHCR's data-protection policy, while keeping the decision about who ever reads a testimony entirely in your hands.

Security teams and vulnerability disclosure

An unpatched vulnerability and a working proof-of-concept stay dangerous until the fix ships, so the intake channel has to be at least as trustworthy as the team receiving it. A form whose vendor can read submissions quietly aggregates every inbound exploit, credential, and incident detail into someone else's database — exactly the target an attacker would choose. We encrypt each response in the reporter's browser to your public key, so we only ever store ciphertext and you hold the only key that opens it — a confidential channel by design, consistent with RFC 9116's encryption field and ISO/IEC 29147's call for a secure communication option, without asking researchers to wrangle PGP first.

HR and people ops

Accommodation requests, harassment and grievance reports, and diversity self-ID collect exactly the data the law treats as most sensitive — health, ethnicity, and protected-class details that fall under GDPR Article 9 as special-category data. Sealing each submission in the employee's browser to your team's public key keeps it out of vendor-readable storage and narrows who inside the organization can ever open it — reducing both your breach exposure and the trust you're asking employees to extend when they disclose something difficult.

At a glance — what each team encrypts
Law firms

Client intake, witness statements, conflict checks, evidence uploads, financial disclosures

Therapy & private practice

New-patient intake, PHQ-9 / GAD-7 / PCL-5 screeners, medication and substance-use history, risk screens

Ethics & whistleblower hotlines

Misconduct and fraud reports, harassment complaints, conflict-of-interest disclosures, evidence uploads

Newsrooms

Confidential tips, whistleblower document submissions, "got a tip?" source contact forms

Accounting, tax & advisory

Tax organizers, KYC/ID documents, onboarding with SSN/EIN, loan and ACH authorizations

Human rights & victim services

Incident and testimony intake, crisis-line and shelter forms, asylum case collection, defender security reports

Security & IT

VDP "report a vulnerability" forms, bug-bounty PoC submissions, internal incident reports, leak reports

HR & people ops

ADA accommodation requests, harassment/grievance reports, diversity self-ID, background-check inputs

Collect what others can't be trusted to hold

Create an end-to-end encrypted form in minutes. Keep the key. Keep the trust.

Create an encrypted form