Data Security
How FormOS approaches submissions, connected storage, and access control.
Effective Date: 14/06/2026
Website: https://formos.com.au
Product: FormOS
Contact: info@formos.com.au
FormOS is designed to help users create forms, collect submissions, process uploads, generate documents, and connect storage integrations while applying reasonable safeguards to protect user data.
This page explains the security practices and responsibilities related to FormOS.
No online service can guarantee absolute security, but we work to protect FormOS using technical, administrative, and organizational safeguards appropriate for the nature of the service.
1. Security Overview
FormOS uses security controls designed to protect:
User accounts
Forms
Submissions
Uploaded file metadata
Integration credentials
OAuth connections
Billing-related metadata
Workspace and staff access
Public form submission workflows
Security is a shared responsibility. FormOS protects the platform, while users are responsible for configuring their forms appropriately, managing account access, and handling collected information lawfully.
2. Account Security
FormOS uses authenticated dashboard access for account and workspace features.
Security measures may include:
Password hashing
Session-based authentication
Email verification
Password reset controls
Protected dashboard routes
Ownership checks
Role-based access controls for staff and workspace members
Super Admin access separation
Users are responsible for using strong passwords, protecting their email accounts, and limiting staff access to trusted users.
3. Form Ownership and Access Controls
FormOS applies ownership and permission checks so that users can access only the forms, submissions, files, settings, and workspace data they are authorized to access.
Form owners can manage forms, submissions, office-use fields, integrations, and form settings according to their account permissions and plan features.
Staff users may have limited access depending on the workspace permissions configured by the account owner.
4. Public Form Security
Published FormOS forms can be accessed by anyone who has the public form link or who visits a website where the form is embedded.
Public form submitters can submit information through the form, but they do not receive dashboard access and cannot access the form owner’s private dashboard, storage credentials, integration tokens, billing data, or other submissions.
Public form routes are designed to process form submissions without exposing private owner credentials.
5. Uploaded Files
FormOS may allow forms to collect file uploads such as images, documents, IDs, receipts, or other attachments.
Depending on the form owner’s settings, uploaded files may be saved to a connected third-party storage service such as Google Drive or Dropbox.
FormOS may store limited file metadata, including:
File name
File type
File size
Storage provider file ID or reference
Upload status
Upload timestamp
Related form ID
Related submission ID
File storage access depends on the selected integration and account configuration.
6. Google Drive Security
When a user connects Google Drive, FormOS uses Google OAuth to authorize the integration.
FormOS uses the Google Drive integration to:
Connect the user’s Google Drive account
Allow the user to select or configure a storage folder
Create folders for forms and submissions
Upload respondent files to the selected Google Drive location
Store generated documents such as completed PDFs where applicable
Display upload and integration status inside the dashboard
FormOS stores OAuth connection data and integration credentials server-side so the integration can continue working.
FormOS does not expose Google Drive OAuth tokens to public form submitters.
Public form submitters cannot access the form owner’s Google Drive account, choose the owner’s Drive destination, or view the owner’s Drive credentials.
Users can disconnect Google Drive from FormOS or revoke access through their Google Account permissions page. After access is revoked, FormOS cannot upload files to that Google Drive account unless the user reconnects it.
Files already stored in Google Drive remain under the user’s control and can be managed directly in Google Drive.
7. Dropbox and Other Storage Security
FormOS may support other storage providers such as Dropbox.
When connected, FormOS uses the integration only to provide storage-related features such as folder creation, file upload, file organization, and metadata display.
Integration credentials are handled server-side and are not shown to public form submitters.
Users can disconnect storage integrations where supported.
8. API Tokens and External Integrations
FormOS may allow users to create API tokens for external integrations such as website plugins, Shopify apps, or automation tools.
API token security practices include:
Tokens are generated securely
Raw tokens are shown only once where applicable
Stored tokens are protected using hashing or secure storage depending on token type
Users can revoke tokens
API access may be limited by plan or permission
API endpoints return only authorized and safe data
Users should keep API tokens private and revoke tokens that are no longer needed.
9. WordPress and Shopify Integration Security
FormOS may provide WordPress and Shopify integrations that allow users to embed FormOS forms on external websites or online stores.
These integrations are designed to display FormOS forms and route submissions back to FormOS.
FormOS does not require WordPress or Shopify to store form submissions unless the user separately configures another workflow.
Users are responsible for:
Installing integrations from trusted sources
Keeping plugins/apps updated
Using correct FormOS form IDs or connection settings
Testing forms after installation
Managing website/store access
10. Payments and Billing Security
FormOS may use third-party payment processors such as Stripe for paid subscriptions.
FormOS does not store full credit card numbers on its servers.
Billing-related data may include:
Customer ID
Subscription ID
Plan name
Billing status
Invoice metadata
Payment status
Payment processing is handled by the payment provider according to its own security standards and privacy policy.
11. Email and Notifications
FormOS may send emails for account verification, password resets, form submission notifications, completed PDF delivery, billing updates, and support messages.
Email delivery may be handled by third-party email providers.
Users should avoid including unnecessary sensitive information in email subject lines or notification templates.
12. Data Backups and Retention
FormOS may use backups, logs, and operational records to maintain service reliability, troubleshoot issues, and respond to security incidents.
Deleted data may remain in backups or logs for a limited time before being removed according to operational retention practices.
Files stored in connected third-party storage accounts, such as Google Drive, remain controlled by the storage account owner.
13. Security Logs and Audit Events
FormOS may record security and audit events such as:
Account creation
Login events
Form publication
Form submission
File upload events
Signature events
Office-use completion events
PDF generation
Email delivery attempts
Integration connection or upload errors
API token activity
These logs help with troubleshooting, security monitoring, and account accountability.
14. Incident Response
If we become aware of a security incident affecting FormOS, we will investigate and take reasonable steps to contain, remediate, and communicate the issue where appropriate.
Depending on the incident, this may include:
Restricting affected access
Revoking compromised credentials
Fixing vulnerabilities
Notifying affected users where required
Coordinating with service providers
Updating security controls
15. User Responsibilities
Users are responsible for:
Using strong passwords
Protecting account access
Managing team/staff permissions
Reviewing forms before publishing
Avoiding unnecessary collection of sensitive information
Securing API tokens
Disconnecting integrations that are no longer needed
Complying with privacy and data protection laws
Testing embedded forms and integrations
Managing files stored in connected third-party storage accounts
16. Sensitive Information
FormOS can technically be used to collect many types of information, but users should be careful when collecting sensitive data.
Users should not collect highly sensitive information unless they have a lawful basis, appropriate consent, suitable security controls, and any required legal or professional advice.
FormOS is not designed as a guaranteed compliance solution for highly regulated data unless a separate written agreement states otherwise.
17. Limitations
While FormOS uses reasonable safeguards, no system is completely secure.
We cannot guarantee:
Uninterrupted service
Protection against every possible attack
Compatibility with every third-party plugin, theme, app, or browser
Security of third-party services outside our control
Legal compliance for every user’s form or workflow
Users should evaluate whether FormOS is suitable for their use case.
18. Contact
For security questions or concerns, contact:
FormOS
Email: info@formos.com.au
Website: https://formos.com.au
