Q: Security and Privacy Concerns
While I discourage it, some of my clients and potential clients may insert PII into the forms. I need to ensure that there is no "leak" of PII and none is transmitted (insecurely) via email. It does not sound like this capability is present (yet). Please advise and indicate a timeline for adding this feature.
Luka_originals
Mar 24, 2026
A: Hey matt571, thanks for the important question.
Here's where things stand on security today:
All data transmitted between your users and FormRobin is encrypted in transit via HTTPS/TLS -- that includes form submissions and file uploads. Email notifications are also sent over TLS. Our forms are protected by Google reCAPTCHA v3 to prevent spam and abuse, and we use industry-standard password hashing and encrypted cookies.
That said, you raise a fair point about email notifications specifically. When email notifications are enabled, the submission content is included in the email body. While the email is sent over TLS, email as a protocol isn't end-to-end encrypted. If that's a concern, you can disable email notifications per form and instead access submissions directly through the FormRobin dashboard, which is fully HTTPS-secured. You can also use the API or Google Sheets integration to pull responses through encrypted channels.
On the broader topic of PII handling and compliance certifications (GDPR, SOC2, HIPAA, etc.) -- we don't claim those certifications at this time. We're a newer product focused on building out core features first, and enterprise-grade compliance is a bigger undertaking that we'd want to do properly.
If data compliance features are important to you, please add it to our feedback page: https://formrobin.com/feedback. We can't commit to a specific timeline, but the more users who request it, the higher it moves on our priority list.