Security

Protecting your data is fundamental to how we build and operate Stepform. Here's how we keep your information safe.

Infrastructure

Stepform is built and hosted entirely in Europe. Our primary infrastructure runs in Frankfurt, Germany across the following providers:

  • Application hosting: Vercel (EU, Frankfurt) — serves the web application, API routes, and file storage.
  • Database: Supabase (EU, Frankfurt) — PostgreSQL database with automated backups and point-in-time recovery.
  • Real-time collaboration: Hetzner (EU, Frankfurt) — dedicated WebSocket servers for live editing.

Encryption

  • In transit: all connections use TLS 1.2 or higher. HTTP traffic is automatically redirected to HTTPS.
  • At rest: all data stored in our databases and file storage is encrypted at rest using AES-256.
  • OAuth tokens: third-party integration tokens (e.g., Slack) are encrypted before storage and only decrypted at the moment of use.

Authentication & Access Control

  • User authentication: email-based magic links and Google OAuth 2.0. No passwords are stored.
  • Session management: session cookies are set with the Secure and HttpOnly flags and expire automatically.
  • Organization isolation: all data is scoped to organizations. Membership is verified on every request. Users can only access data belonging to organizations they are a member of.
  • Infrastructure access: production systems are accessible only to the founding engineering team via authenticated, encrypted connections. Access follows the principle of least privilege.

Data Protection

  • GDPR compliance: Stepform is fully compliant with the General Data Protection Regulation (GDPR). See our Privacy Policy for details.
  • Data residency: all customer data is stored and processed within the European Union.
  • Sub-processors: we maintain a public list of all third-party sub-processors. See Section 6.1 of our Privacy Policy.
  • Data deletion: users can disconnect integrations and delete their organization at any time, which permanently removes all associated data. Individual deletion requests are processed within 30 days.

Application Security

  • Dependency management: automated vulnerability scanning of all dependencies with regular updates.
  • Input validation: all user input is validated and sanitized server-side to prevent injection attacks.
  • CSRF protection: all state-changing requests are protected against cross-site request forgery.
  • Rate limiting: API endpoints are rate-limited to prevent abuse.

Vulnerability Disclosure Program

We take security vulnerabilities seriously and appreciate responsible disclosure from the security community. Our vulnerability disclosure program covers all Stepform services, including the core platform, API, published forms, and all third-party integrations (e.g., our Slack app).

Reporting a vulnerability

If you believe you have found a security vulnerability in Stepform, please report it to us at security@stepform.ai. Include as much detail as possible:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce the issue
  • Any relevant screenshots, logs, or proof-of-concept code

What to expect

  • We will acknowledge your report within 48 hours
  • We will provide an initial assessment within 5 business days
  • We aim to resolve critical vulnerabilities within 7 days
  • We will keep you informed of our progress throughout the process

Guidelines

We ask that you:

  • Do not access, modify, or delete data belonging to other users
  • Do not perform denial-of-service attacks or automated scanning at scale
  • Do not publicly disclose the vulnerability before we have had a reasonable opportunity to fix it
  • Act in good faith and avoid violating the privacy of others

We do not currently offer a paid bug bounty program, but we are grateful for responsible disclosures and will credit researchers (with permission) when vulnerabilities are resolved.

Contact

For security-related inquiries or to report a vulnerability, contact us at security@stepform.ai.

For general privacy questions, see our Privacy Policy or email privacy@stepform.ai.