
Security

How we protect your data and keep DodoForm secure.

Encryption

All data is encrypted in transit using TLS 1.3 and at rest using AES-256. Database connections are encrypted end-to-end between our application servers and Supabase.

Authentication

DodoForm uses Supabase Auth for secure authentication. Passwords are hashed with bcrypt and never stored in plain text. We support Google OAuth and email/password login, with rate limiting to prevent brute-force attacks.

Row-level security

Every database query is scoped to the authenticated user via Supabase RLS policies. Users can only access their own forms, submissions, and workspace data. Admins have no direct database access outside of read-only audit views.

AI data handling

When you use AI features, prompts and form schemas are sent to Google Gemini for processing. We do not use your data to train AI models. Prompts are logged for 90 days for debugging and billing purposes, then automatically purged.

Infrastructure

Hosted on Vercel (Edge + Serverless) with Supabase (PostgreSQL, Auth, Storage). Our infrastructure providers are SOC 2 Type II compliant. We do not run our own data centres.

Reporting vulnerabilities

Found a security issue? Please email security@dodoform.com rather than posting publicly. We aim to respond within 12 hours and will never take legal action against good-faith researchers.