TRUST & SAFETY

Real questions. Honest answers.

These are the questions organizations ask before trusting a tool with sensitive data. We've answered them directly — including the limits of what we can and can't protect.

Protecting respondents

Can this system betray someone even if everything goes wrong?

Submissions are encrypted in the user's browser before being sent. We don't log IP addresses or use tracking scripts. Even if our servers were compromised, responses remain encrypted and cannot be linked back to a person.

Can using your tool contribute to harm?

We reduce the risk of doxxing by not collecting identifying metadata (like IP addresses) and encrypting all submissions end-to-end.

However, doxxing can still happen if identifying information is included in responses or shared outside the platform. We encourage organizations to design forms that minimize collecting unnecessary personal data.

Threat model

What threats are you actually designed for?

This tool is designed to protect against:

  • Data breaches (your database being exposed)
  • Platform access (we cannot read your data)
  • Third-party tracking (no analytics, no profiling)
  • Unauthorized internal access (through access controls)

It does not protect against:

  • Someone in your organization misusing access
  • A compromised device or email account
  • Information shared outside the platform

Your team

Can sensitive data be exposed through you — or through us messing up?

Client data is encrypted end-to-end and only accessible to your workspace members. You can automatically delete responses after a set period to reduce long-term risk.

Will normal human mistakes cause a breach?

We design for safe defaults — no public dashboards, no accidental sharing. Access is scoped to your team, and audit logs show when data is accessed so you can catch mistakes early.

Will collaboration weaken security?

Invite team members to your workspace with controlled access. You can grant or revoke permissions at any time, and all access is logged.

Can the wrong person inside my org see sensitive reports?

Access to reports is controlled at the workspace level. You decide who can view data, and access can be revoked at any time.

We recommend limiting access to only those who need it and regularly reviewing permissions. Audit logs help you see when data has been accessed.

Will exporting undo all the security?

You can export decrypted data when needed. Once exported, you control how it's stored and shared — we recommend secure storage practices to maintain privacy.

Your organization

Does this reduce our liability?

We can't provide legal guarantees, but we help reduce risk by minimizing the data you store, encrypting it end-to-end, and giving you control over retention and access.

Will I lose everything forever?

Because data is end-to-end encrypted, we cannot recover it if you lose access to your account. We provide backup options to help you store recovery keys safely.

Will your tool help us avoid causing harm?

Our goal is to reduce the risk of mishandling sensitive data by:

  • Encrypting all submissions end-to-end
  • Allowing automatic deletion of data
  • Limiting who can access responses

But technology alone isn't enough. Safe handling of sensitive information also depends on internal practices — like access policies, training, and data minimization.

Will using your tool help us maintain credibility?

Trust is built on how you handle sensitive information — not just what tools you use. We support that by ensuring:

  • You can clearly communicate that submissions are encrypted end-to-end
  • You are not exposing respondents to tracking or hidden data collection
  • You can minimize and delete data when it's no longer needed

Many organizations use these guarantees to be transparent with their communities about how data is handled.