Most forms contain personally identifiable information. Some contain extremely sensitive information; for example, the kinds of forms that you describe (visas, etc.) contain national ID numbers and so forth. The idea of providing this to a third-party web site scares the daylights out of me. Is it possible for me to obtain the source code on GitHub and host it myself?
I totally agree, these forms can contain very sensitive information. Actually, there is some information that is too sensitive: we are not currently PCI DSS certified or HIPAA compliant, so we cannot handle credit card details or protected health information.
We are very serious about protecting PII. One of the ways we achieve that is by using battle-tested frameworks and libraries with the default settings (Rails and devise), and not writing our own code for crypto and security.
By default, we delete generated PDFs and any associated data after 7 days. This can be configured in the template settings [1], so you can make the retention period much shorter. You can also immediately delete any submitted data by making an API request [2]. (Disclaimer: Data may be present in our automated database backups for up to 2 weeks.)
Finally, FormAPI is not open source, but we can provide a license for a self-hosted installation. For enterprise plans and on-site hosting, please contact: enterprise@formapi.io
Problem is, everyone (from Equifax to Yahoo) says that. If I can't trust a huge multi-billion corporate, I would certainly be nervous about trusting a very new startup with much more than my email address.
I am planning to move my hosting to Aptible [1], and will become PCI certified and HIPAA compliant.
If anyone is interested in FormAPI, but requires PCI certification and HIPAA compliance, please send an email to compliance@formapi.io. We'll let you know when we are ready. You can also send an email to enterprise@formapi.io to inquire about on-site hosting.
On the one hand, I understand the concerns about PII in your app.
On the other hand, I'd be willing to bet there are a ton of line-of-business apps that don't handle PII that could benefit from this (purchase orders, B2B shipping forms, etc.).
Unless you have investors, I would suggest waiting until you get >100 paying customers to find out whether you need to pay the premium for PCI/HIPAA hosting.
Thanks for the feedback @runako, yes, PCI and HIPAA compliance are very expensive. I will need to hear from more customers who need this level of security and compliance before I can afford to make the jump.