Can Form Builders Read Your Submissions?

Most form products market security with phrases like “secure” and “encrypted.” Those words are usually true for TLS in transit and often for encryption at rest on the vendor’s disks. They do not automatically mean “the vendor cannot read answers.”

What “provider can read” actually means

If the product can render your responses in a dashboard, send you email notifications with fields filled in, or run server-side logic on answers, the plaintext existed on systems they control. That is not a scandal—it is how most SaaS works. It only becomes a problem when your threat model says the operator must not be able to access content.

Mainstream builders (typical model)

Google Forms, Typeform, SurveyMonkey, Microsoft Forms, Tally: You should assume the provider can access submission data consistent with their architecture, support tooling, and legal process. They encrypt in transit and often at rest, but they also hold the keys needed to operate the service.

Password-gated “encrypted” forms

Some products add a shared password or passphrase layer. That can be better than nothing, but it is a different shape than browser-generated RSA keys. If the product helps users recover, search, or export decrypted data, ask who can participate in that flow—the user only, or the vendor too?

Zero-knowledge (Cyphorm’s model)

Cyphorm encrypts in the respondent’s browser with your public key. Our servers receive blobs that correspond to the ciphertext demo on our homepage. We never receive your private key; therefore we cannot turn those blobs back into answers.

When should you care?

• Attorney–client intake and other privileged channels (law firms).
• Anonymous reporting (whistleblower).
• Sensitive workforce feedback (HR).
• Health-adjacent workflows where minimizing vendor access supports your compliance story (healthcare intake).