Security

Public overview of the security practices, controls, and operational safeguards used to operate Mobyform.

2026/03/26

Overview

This page provides a high-level overview of the security practices we use to operate Mobyform. It is intended for customers, security reviewers, and procurement teams that need a concise public reference.

Because public pages should not become a roadmap for attackers, this overview is intentionally high level. It does not disclose every internal control, monitoring rule, or incident-handling procedure.

Security Principles

Our security approach is built around a few practical principles:

  • protect access to customer data
  • reduce unnecessary exposure of systems and credentials
  • log important security-relevant actions
  • limit abuse, automation, and suspicious traffic
  • respond to incidents with containment, investigation, and remediation

Infrastructure and Network Controls

Depending on the deployment and traffic path, Mobyform uses infrastructure controls such as:

  • HTTPS/TLS for web traffic
  • edge delivery, caching, traffic filtering, and custom-domain routing through infrastructure such as Cloudflare
  • DNS and custom-domain management controls
  • service-level rate limiting and abuse defenses
  • separation between public traffic, application logic, and operational systems

Access Control

Mobyform is designed to support controlled access to workspaces, forms, settings, and operational actions. Depending on the product area, this may include:

  • authenticated user sessions
  • workspace, team, and role-based permissions
  • administrative restrictions around billing, domains, publishing, and integrations
  • scoped programmatic access where enabled
  • audit or activity records for important actions and operational reviews

Application Security Practices

We use a combination of engineering and operational controls intended to reduce common application risks, including:

  • server-side validation and authorization checks
  • rate limiting around sensitive endpoints
  • protections against abusive submission patterns
  • review and testing of changes to sensitive flows such as auth, billing, or public form access
  • file upload controls such as MIME-type handling, denied-extension safeguards, and integrity metadata where applicable
  • signed URL expiry controls and storage access boundaries where file delivery depends on backend storage
  • dependency and infrastructure updates as part of ordinary maintenance

Data Protection

We use measures designed to protect customer-controlled data and service metadata, including where appropriate:

  • encrypted transport for browser and API traffic
  • controlled access to operational tooling
  • logging for security, troubleshooting, abuse detection, and audit-oriented review
  • retention and deletion mechanisms aligned with service operation and customer configuration
  • file registry metadata such as checksums, upload context, and retention fields where the product uses managed file storage
  • managed infrastructure and subprocessors subject to contractual safeguards

Incident Readiness

The product stack includes operational tooling for tracking and documenting security or privacy incidents. In GDPR-related incident handling, the platform can record discovery time, regulator-notification time, data-subject-notification time, and whether an authority notification was completed within 72 hours. Public documentation of these capabilities should not be treated as a guarantee that every legal threshold applies automatically to every incident.

See also:

  • Privacy Policy
  • Data Processing Agreement
  • Subprocessors
  • GDPR

Shared Responsibility

Security in a form platform is shared. Mobyform is responsible for the platform and hosted service controls we operate. Customers remain responsible for:

  • choosing what data to collect
  • setting the right permissions and operational controls
  • configuring lawful notices and consent where required
  • reviewing connected integrations and downstream systems
  • managing account security within their organization

Reporting Security Issues

If you believe you have found a security issue, suspicious behavior, phishing flow, or abuse pattern involving Mobyform, contact support@mobyform.com and include as much detail as possible:

  • affected URL or workspace
  • reproduction steps
  • screenshots or logs
  • timing and impact

Changes

We may update this page over time as the service evolves and as the public documentation set improves.