Security

Security is not a feature.
It's the foundation.

When you collect data through Brieform, you're trusting us with information that belongs to your users. Here's exactly how we protect it.

Encryption everywhere

All data is encrypted in transit (HTTPS/TLS) and at rest at the storage layer. Session tokens are signed, and httpOnly cookies keep them out of reach of client-side scripts.

GDPR support

Account data export and deletion on request. DPAs available for enterprise customers. You remain the data controller for your respondents' data.

Secure infrastructure

Hosted on cloud infrastructure with strict access controls. Database credentials follow the principle of least privilege: only the application can read its own data.

No data selling

We never sell, rent, or share your data or your respondents' data with third parties for advertising or analytics purposes.

Dependency hygiene

We perform regular dependency audits and code reviews. Security patches are prioritised and applied as quickly as possible.

Audit logging (coming soon)

Planned: per-account audit logs showing form access, exports, and configuration changes. On the roadmap for enterprise accounts.

OAuth integrations

Google Sheets, Notion, and Slack connections use OAuth with the minimum scopes Brieform needs. Tokens are encrypted at rest. Disconnect anytime from your account settings; revocation propagates immediately.

Authentication

Brieform uses Better Auth, a modern authentication framework with first-class TypeScript support. All passwords are hashed using bcrypt with an appropriate cost factor. Plain-text passwords are never stored or transmitted.

OAuth sessions (Google) use short-lived access tokens. Session cookies are httpOnly, secure, and sameSite=lax. Two-factor authentication (TOTP) is available for all accounts.

Data in transit

All connections to Brieform are served exclusively over HTTPS. HTTP connections are permanently redirected to HTTPS. HSTS headers enforce this policy in browsers.
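As an added example (not Brieform's own code), the cookie attributes stated under Authentication and the redirect and HSTS behaviour stated above can be checked from captured response metadata as follows. The `auditResponse` function, the `sid` cookie name and the `forms.example` host are constructed for illustration.

```javascript
// Added example: audits response metadata against the cookie and transport
// properties stated on this page. All sample values below are constructed.

// Parse one Set-Cookie value into { name, attrs } with lower-cased attribute keys.
function parseSetCookie(value) {
  const [pair, ...rest] = value.split(";").map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf("="));
  const attrs = new Map();
  for (const part of rest) {
    if (!part) continue;
    const eq = part.indexOf("=");
    const key = (eq === -1 ? part : part.slice(0, eq)).toLowerCase();
    attrs.set(key, eq === -1 ? true : part.slice(eq + 1));
  }
  return { name, attrs };
}

// Returns a list of findings; an empty list means every check passed.
function auditResponse({ url, status, headers }) {
  const findings = [];
  const get = (n) => headers.filter(([k]) => k.toLowerCase() === n).map(([, v]) => v);
  if (url.startsWith("http://")) {
    // Plain HTTP must answer with a permanent redirect to an https:// URL.
    const loc = get("location")[0] || "";
    if (![301, 308].includes(status)) findings.push("http: redirect is not permanent");
    if (!loc.startsWith("https://")) findings.push("http: redirect target is not https");
    return findings;
  }
  const m = /max-age=(\d+)/i.exec(get("strict-transport-security")[0] || "");
  if (!m || Number(m[1]) === 0) findings.push("hsts: missing or max-age=0");
  for (const raw of get("set-cookie")) {
    const { name, attrs } = parseSetCookie(raw);
    if (!attrs.has("httponly")) findings.push(`${name}: missing HttpOnly`);
    if (!attrs.has("secure")) findings.push(`${name}: missing Secure`);
    const ss = String(attrs.get("samesite") || "").toLowerCase();
    if (ss !== "lax" && ss !== "strict") findings.push(`${name}: SameSite is "${ss || "unset"}"`);
  }
  return findings;
}

// Constructed samples: one response matching the stated posture, two that do not.
const good = { url: "https://forms.example/", status: 200, headers: [
  ["Strict-Transport-Security", "max-age=31536000; includeSubDomains"],
  ["Set-Cookie", "sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"]] };
const weak = { url: "https://forms.example/", status: 200, headers: [
  ["Set-Cookie", "sid=abc123; Path=/; Secure; SameSite=None"]] };
const plain = { url: "http://forms.example/", status: 302, headers: [["Location", "https://forms.example/"]] };
console.log(auditResponse(good), auditResponse(weak), auditResponse(plain));
```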

API requests to AI providers for form generation use encrypted connections. We use providers whose terms prohibit using API inputs for model training. We recommend reviewing your chosen AI provider's current data policy for your own due diligence.

Data at rest

Your forms and responses are stored in a PostgreSQL database with at-rest encryption enabled at the storage layer. Database access is restricted to application service accounts with the minimum necessary permissions.

Automated backups are encrypted and retained on a rolling basis for disaster recovery purposes.

Third-party integrations

Brieform integrates with Google Sheets, Notion, and Slack via OAuth. We request the minimum scopes needed to write submissions to your destination of choice (a single sheet, a single Notion database, or a single Slack channel) and never request broader workspace permissions on your behalf.

OAuth refresh and access tokens are encrypted at rest and stored at the account level so you connect each provider once and reuse the same connection across every form. You can revoke any connection from your account settings at any time. Revocation is immediate: in-flight routing for that destination stops, and we never retain the tokens after disconnect.

GDPR compliance

As a form builder, Brieform acts as a data processor for the personal data your respondents submit. You (the form owner) are the data controller and are responsible for your legal basis for collecting that data.

We support your GDPR obligations by:

  • Providing a full data export of your account on request
  • Permanently deleting your account and all associated data within 30 days of a deletion request
  • Making DPAs available on request for enterprise customers
  • Using sub-processors with appropriate data handling commitments

Rate limiting and abuse prevention

Anonymous form generation is rate-limited to 2 prompts per 24 hours per IP address to prevent abuse. Authenticated users have higher limits. API endpoints are protected against brute force via rate limiting middleware.

Vulnerability disclosure

If you discover a security vulnerability in Brieform, please disclose it responsibly by emailing dany@brieform.app. We will acknowledge your report promptly and work to resolve critical issues as quickly as possible.

Please do not publicly disclose the vulnerability until we've had a chance to investigate and patch.

Enterprise security questions?

Need a DPA, custom data residency, or a security review for your procurement process? Get in touch.
