Security

Security at Humanform

This page describes practices that are in place today. We do not claim certifications or programs we have not completed. As Fieldwork grows, formal compliance work may follow, but nothing here should be read as a current certification or SLA.

Infrastructure

Humanform runs on established cloud providers: Vercel for application hosting, Neon for the database, and Cloudflare for DNS and object storage. These providers are also listed in our Privacy Policy as subprocessors.

Data in transit

HTTPS is enforced for the marketing site, dashboard, and API. API requests and responses travel over TLS.

API keys

API keys are stored as one-way hashes. We never store or log plaintext keys. Dashboard and logs reference key prefixes or IDs only.

Payments

Credit purchases are processed by Stripe. Humanform does not receive or store full card numbers.

Account authentication

Dashboard sign-in is handled by Clerk, a third-party authentication provider. Humanform does not manage passwords directly.

Rate limiting

Per-key rate limits help prevent abuse and protect service availability for paying customers.

Subprocessors

Humanform relies on the following providers to operate the service. See the Privacy Policy for more detail on how data is shared.

  • Clerk: Authentication and account management
  • Stripe: Payment processing
  • Neon: Database hosting
  • Vercel: Application hosting
  • Cloudflare: DNS and object storage

Responsible disclosure

If you believe you have found a security vulnerability in Humanform, please report it to hello@fieldwork.design. Include enough detail for us to reproduce the issue. We will acknowledge reports and work to understand and address valid findings.

For privacy and data handling questions, see the Privacy Policy. For procurement or enterprise evaluation, contact us.