Platform Security

Every record encrypted before it leaves your browser. Only decoded inside the app.

FormVault applies AES-256-GCM encryption at the application layer before any student data is written to a database or cloud storage. This means your infrastructure providers — Amazon, Google, whoever hosts the underlying servers — only ever see encrypted blobs they cannot read. Decryption happens exclusively inside the FormVault application when an authorized, authenticated user requests it. Not at the database. Not at the CDN. Not by the storage provider. Only in the app, only for the right person, only at the right moment.

  • AES-256-GCM — the same cipher used by the U.S. Department of Defense, financial institutions, and healthcare systems
  • Application-layer encryption: cloud infrastructure providers cannot read your student records even with direct database access
  • TLS 1.3 in transit — no deprecated cipher suites, no downgrade attacks
  • Unique encryption context per record — a single compromised record cannot expose others
  • Zero unencrypted data at rest: storage, backups, and replicas all contain only ciphertext
  • FERPA-compliant by architecture, not just policy — the data model enforces privacy at every layer

How It Works

  1. When a parent submits a form or you upload a document, FormVault encrypts it with AES-256-GCM at the application layer before the data is written to storage.
  2. All data moving between your browser and FormVault's servers is protected by a separate layer of TLS 1.3 transport encryption; data in motion is never exposed on the wire.
  3. Encrypted payloads are stored in SOC 2-certified cloud infrastructure; infrastructure providers only receive ciphertext they cannot decrypt without the application keys.
  4. When an authorized user opens a record, the application decrypts it server-side using role-scoped access controls; the unencrypted data is rendered in your browser and never persisted outside the app session.

Frequently Asked Questions

What does AES-256-GCM mean and why does it matter for student data?

AES-256-GCM is the Advanced Encryption Standard with a 256-bit key in Galois/Counter Mode. It is the encryption standard specified by the U.S. National Institute of Standards and Technology for protecting classified government information, and is used by financial institutions, healthcare systems, and defense contractors. For student data, it means that even if a storage server were physically seized, the contents would be unreadable without the application-layer decryption keys — which are never stored alongside the data.

What does 'only decoded in the app' mean in practice?

FormVault encrypts data before writing it to the database, not after. The database itself only ever stores encrypted ciphertext. When you open a student record or a submitted form, the application server decrypts it in memory and delivers the readable result to your browser. The storage layer, the CDN, any backup system, and any cloud infrastructure provider see only the encrypted version — they have no key and cannot read the contents.

Can FormVault employees read our student records?

No. FormVault staff have no mechanism to decrypt individual school records through normal operations. Access to decryption capabilities is restricted to the application processes that serve authenticated users. Any support access request goes through a formal access-log process that is visible to your account. We cannot and do not read the contents of form submissions, uploaded documents, or student data.

Is data encrypted in transit as well as at rest?

Yes, with two independent layers. First, data is encrypted at the application layer before it leaves your browser — so the network never carries plaintext. Second, the connection itself uses TLS 1.3 transport encryption, protecting against any network-level interception. Both layers are always active — there is no configuration option that would allow unencrypted transmission.

How does application-layer encryption differ from standard database encryption?

Standard database encryption (sometimes called 'encryption at rest') encrypts the disk where the database lives but the database software itself can read the contents directly. Application-layer encryption means the data is encrypted before it reaches the database — so even the database software, a database administrator, or anyone with direct database access sees only ciphertext. FormVault uses application-layer encryption for student PII and uploaded documents, providing a significantly stronger privacy guarantee than disk-level encryption alone.
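To make the difference concrete, and to illustrate the "unique encryption context per record" point and the encrypt-before-write and decrypt-in-app steps under How It Works, here is an added sketch using Node.js's built-in crypto module. It is not FormVault's code: the page does not describe its key handling, so the HKDF-derived per-record key, the record id used as additional authenticated data, and all names (MASTER_KEY, recordKey, encryptRecord, decryptRecord, isRejected) are assumptions.

```javascript
// Added example (not FormVault code): per-record AES-256-GCM at the application layer.
const crypto = require('node:crypto');

// Assumption: a 32-byte master key held by the application or a key service,
// never stored with the data. Generated here only so the example runs offline.
const MASTER_KEY = crypto.randomBytes(32);

// Derive a distinct key per record so one record's key reveals nothing about another's.
function recordKey(recordId) {
  const okm = crypto.hkdfSync('sha256', MASTER_KEY, Buffer.alloc(0), `record:${recordId}`, 32);
  return Buffer.from(okm);
}

// Encrypt before the database write; the stored row holds only id, nonce, tag and ciphertext.
function encryptRecord(recordId, plaintext) {
  const nonce = crypto.randomBytes(12);            // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', recordKey(recordId), nonce);
  cipher.setAAD(Buffer.from(recordId));            // bind the ciphertext to its record id
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { recordId, nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Decrypt in application memory; throws if the row was modified or moved to another record.
function decryptRecord(row) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', recordKey(row.recordId), row.nonce);
  decipher.setAAD(Buffer.from(row.recordId));
  decipher.setAuthTag(row.tag);
  return Buffer.concat([decipher.update(row.ciphertext), decipher.final()]).toString('utf8');
}

// Returns true when decryption is rejected, false when it succeeds.
function isRejected(row) {
  try { decryptRecord(row); return false; } catch { return true; }
}

// Constructed sample data, standing in for rows as the database would store them.
const rowA = encryptRecord('student-1001', 'Allergy: peanuts');
const swapped = { ...rowA, recordId: 'student-1002' };   // same ciphertext filed under another id
const flipped = { ...rowA, ciphertext: Buffer.from(rowA.ciphertext) };
flipped.ciphertext[0] ^= 0x01;                           // one bit altered in storage

console.log(decryptRecord(rowA));
console.log(isRejected(swapped), isRejected(flipped));
```

Disk-level encryption would hand the database engine the plaintext of every row; here the engine only ever holds the nonce, tag and ciphertext, and a row that is altered or copied under a different record id fails authentication instead of decrypting.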

What happens to encryption if FormVault is breached?

A breach of the storage infrastructure alone would yield only encrypted ciphertext — unreadable without the application keys, which are managed separately. A breach would need to simultaneously compromise both the encrypted data store and the key management system to expose plaintext. FormVault's architecture separates these deliberately. All breach attempts and anomalous access patterns are logged in the audit trail and trigger automated alerts. We also maintain a responsible disclosure program for security researchers.
