Security Practices at Formbricks
Formbricks is built with a "privacy-first" philosophy. We understand that you entrust our platform with potentially sensitive feedback and survey data, and we take that trust to heart. Our team is committed to transparency and rigorous security practices to protect your data, eliminate system vulnerabilities, and ensure reliable access for all users. Below is an overview of our security measures, crafted for both technical and non-technical readers.
TL;DR
- Data Encryption: All data is encrypted in transit (HTTPS/TLS 1.3) and at rest (AES-256). Even backup copies of data are stored in encrypted form.
- Security Updates: We encourage all users (including Community Edition users) to sign up here to receive occasional notices, patches, and best practices directly by email.
- Code Quality & Safety: Automated static code analysis (SonarQube) runs on every change, catching bugs, code smells, and security vulnerabilities before they reach production. We maintain a strict "quality gate": critical issues must be fixed before merge.
- Privacy Frameworks: Fully compliant with GDPR and CCPA.
- Security Frameworks: SOC 2 Type II certification is in progress, powered by OneLeet.
- Hosting: Formbricks Cloud is hosted in Germany to ensure EU privacy law compliance.
- Vulnerability Disclosure: We encourage responsible disclosure. Reports regarding critical issues in the Formbricks platform (not the marketing website under formbricks.com) receive acknowledgment within 48 hours and get fixed according to our vulnerability management policy. We credit good-faith researchers and never pursue legal action against them. Check out our trust center policies.
- Penetration Testing: Annual independent penetration tests are conducted. Critical findings are addressed immediately. You can request the full, most recent pentest report here.
- Infrastructure Security: Robust firewalls, network segmentation, hardened servers, and strict access controls. MFA and logging are mandatory for all production access.
- Operational Resilience: Daily encrypted backups, disaster recovery plan, continuous monitoring, and DDoS protection.
- Automated Error monitoring with Sentry: We employ automated error monitoring with Sentry, which reports critical issues directly to the Formbricks engineering team to ensure rapid detection and resolution of bugs in production systems.
- Secure Development Practices: Developers trained in secure coding standards. Peer review, automated testing, and dependency scanning (Dependabot) are in place.
Data Encryption
All data handled by Formbricks is protected against unauthorized access or tampering through strong encryption practices. Traffic between clients and servers is secured with HTTPS/TLS 1.3, ensuring that sensitive data cannot be intercepted in transit. At rest, our databases and storage systems are encrypted with AES-256, the industry standard for high-security environments.
Stay Informed with Formbricks Security Updates
We take security seriously and want to ensure all Formbricks users (including those on the Community Edition) stay protected. By signing up below, you’ll receive occasional security notices, important patches, and recommended best practices directly in your inbox.
We only use your email to share essential security-related information: no marketing, no spam. Staying updated helps you keep your instance secure and up to date with the latest improvements from our team.
Code Quality & Safety
To prevent vulnerabilities from entering production, all code changes are scanned automatically with SonarQube. This process highlights bugs, code smells, and potential security risks before they can affect the platform. Our development pipeline enforces a strict quality gate: no code with critical issues can be merged until it is fixed.
Beyond static analysis, every change is peer-reviewed by another engineer and tested in CI/CD. This multi-layered approach ensures that flaws are caught early and that the codebase remains both secure and maintainable. Together, automated tools and human review provide strong safeguards against introducing insecure code.
Compliance
Formbricks is fully compliant with both GDPR and CCPA, giving users clear rights to access, modify, or delete their personal data. Privacy by design is a guiding principle in our platform: we minimize data collection, give organizations control over their data, and ensure transparent data processing practices.
We are also in the process of achieving SOC 2 Type II certification. This independent audit validates that our security, availability, and operational processes meet stringent industry standards. It covers how we manage access controls, change management, incident response, and data protection over time.
By combining regulatory compliance with independent certification, we not only meet legal requirements but also provide assurance that our internal processes and controls are continuously monitored and improved to protect customer data.
See our live Trust Center for the latest security, compliance, and reliability updates.
Vulnerability Disclosure
We operate a responsible disclosure program to ensure that security issues are found and addressed quickly. Security researchers and users can report potential vulnerabilities through our dedicated email channel at security@formbricks.com or via our GitHub Security page.
Our security disclosure policy covers critical vulnerabilities in the Formbricks platform and infrastructure. Security issues relating to our marketing website (formbricks.com) fall outside of this disclosure program and are not subject to the 48-hour acknowledgment timeframe.
Every report is acknowledged within 48 hours, and we provide regular updates as we investigate and resolve the issue. Fixes are deployed on a timeline set by severity, as defined in our Vulnerability Management Policy.
We strongly value the contributions of good-faith researchers. We commit to taking no legal action against those who follow responsible disclosure practices, and we are happy to provide public credit for validated reports. This approach allows us to collaborate openly with the security community while strengthening the safety of our platform.
Penetration Testing
We conduct independent penetration tests annually, and also after major feature releases or infrastructure changes. These tests cover our application, APIs, and supporting infrastructure, simulating real-world attack scenarios to identify weaknesses before malicious actors can exploit them.
All findings are prioritized based on risk. Critical issues are addressed immediately, while medium- and low-severity findings are remediated in a timely manner. To maintain transparency, we plan to share high-level summaries of penetration test results publicly once available, giving customers confidence in our ongoing security posture.
Our most recent pentest report can be requested here.
Infrastructure Security
Our infrastructure is protected using a defense-in-depth approach. Servers are hardened, regularly patched, and segmented across networks to reduce risk exposure. Strict firewall rules and intrusion detection systems further limit the attack surface.
Only a small number of engineers have access to production systems. Access requires multi-factor authentication and is continuously logged. Detailed audit trails ensure accountability, and real-time monitoring alerts us to any suspicious activity. This layered model provides strong safeguards against unauthorized access and system compromise.
We also perform automatic Docker image scans with Trivy and AWS ECR vulnerability scanning to detect and remediate container vulnerabilities before deployment.
Operational Resilience
Formbricks takes operational continuity seriously. On Formbricks Cloud, we perform daily encrypted backups of all critical data and regularly test our disaster recovery procedures to ensure quick restoration in the event of hardware failure, corruption, or incident.
We also deploy DDoS protection and continuous monitoring, ensuring that the platform remains resilient under unexpected traffic spikes or malicious attempts to disrupt service. Together, these measures provide reliability, data durability, and confidence in system availability.
Our Trust Center provides ongoing visibility into our infrastructure controls and certifications.
Automated Error monitoring with Sentry
We use automated error monitoring with Sentry to maintain high reliability in production systems. Sentry continuously tracks application errors and performance anomalies, immediately alerting our engineering team when critical issues arise. This proactive monitoring allows us to detect and resolve problems quickly, often before they impact users. By integrating error monitoring into our operational workflows, we ensure faster incident response, reduced downtime, and a more stable experience for all customers.
Secure Development Practices
Security is built directly into our software development lifecycle. All developers are trained in secure coding principles and follow established standards such as the OWASP Top 10. Every code change undergoes peer review and automated testing in our CI/CD pipeline before deployment.
We also use tools like Dependabot to automatically scan third-party libraries for vulnerabilities. This ensures that our dependencies are kept up to date and secure. By embedding security into daily workflows, from design to deployment, we proactively reduce risk and maintain the integrity of our platform.
Conclusion & Contact
Security is a journey, not a destination. We are committed to maintaining the highest standards and improving continuously as new threats emerge.
If you have questions or suggestions, contact us at security@formbricks.com.
Your trust is our most valuable asset, and we will continue earning it with robust security, privacy, and reliability.
Disclaimer
The information provided in this document is for general informational purposes only and reflects Formbricks’ current security and privacy practices at the time of writing. While we make every effort to maintain accurate and up-to-date information, we cannot guarantee that all details will remain current as our systems and policies evolve.
