Collect sensitive data.
Without ever seeing it.
Schweizerform is the end-to-end encrypted form builder, engineered in Switzerland. Every answer and every uploaded file is locked inside the respondent's browser before it leaves their device. We — the people who run the service — have no way to unlock it.
Three hard promises
Security as architecture. Not as a slogan.
Most form tools promise privacy, then store your data unprotected on their servers. We've built ours so that promise is enforced by the architecture — we couldn't read your data even if we wanted to.
01 — Encryption
You hold the keys. Literally.
Every answer is locked inside the respondent's browser using AES-256-GCM — the same encryption used by banks and governments. The lock can only be opened with your form's private key, which is itself sealed by your personal Access Code. The starting key of the whole chain never leaves your head.
02 — Sovereignty
Switzerland, end to end.
Our application servers, your database, your file storage, and even the emails we send all live on Swiss soil at Infomaniak. No US or EU vendor ever sits in the data path.
03 — Code sovereignty
Zero third-party scripts.
No Google Analytics, no Mixpanel, no chat widget, no advertising pixel. The respondent's browser only ever talks to us — and to no one else.
How it works
Readable answers go in. Scrambled bytes come out.
We call this a zero-knowledge system — we genuinely don't know what's inside your forms. Here's what actually happens when someone hits submit, and why a court order to us would only ever produce scrambled bytes.
- 01
Respondent opens the form
The form page loads from Switzerland carrying only the form's public lock — never the key that opens it. If you've turned on password protection, the questions don't even download until the password is accepted.
- 02
Browser generates a fresh AES-256 key
The browser creates a brand-new, one-time encryption key for this submission alone. It's bound to this specific form, so it can never be reused or replayed against another form.
- 03
Answers and files encrypt locally
Every answer and every uploaded file is locked inside the browser. We also replace the original filenames with random IDs before anything is sent — so our storage never sees the real names.
- 04
The Submission Key is wrapped with your form's public key
That one-time key is sealed with your form's public lock. Only you — holding the unlocked Access Code — can ever open it. Our servers just see an unreadable bundle.
- 05
You open the dashboard with your Access Code
When you open the dashboard with your Access Code, your browser walks back through the chain of locks (form → private key → submission) right on your own device. Our servers never see plaintext, even for a moment.
The product
Everything a modern form builder has — minus the part where they read your data.
22 question types
Text, long text, number, email, date, phone, URL, signature, file upload, dropdown, single/multi choice, star rating, number & text scales, sliders, smileys, custom emoji.
Form profiles
Reusable brand identities — your logo, contact details, and links — that attach to any form. Set up your practice's profile once, then reuse it across every intake.
File uploads, encrypted
File-upload questions encrypt each file in the respondent's browser before it leaves their device. We also replace original filenames with random IDs — so even browsing the storage folder reveals nothing.
Scheduling & gating
Open and close forms by date, by time of day, or by day of the week. Cap responses. Add password protection per form — the question list never leaves the server until the password is accepted.
Per-form overview
Live response and view counts, schedule status, and a daily submissions chart for every form — visible the moment a respondent submits.
In-browser submission viewer
Open a submission, watch it unlock right on your screen, and preview attached images or PDFs — without the server ever seeing the contents.
Four-locale UI
German, French, Italian, English — formal Swiss tone throughout. Respondents pick their language independently of yours.
Tags & submission triage
Color-coded tags for sorting incoming submissions. Filter, group, and bulk-tag — and like everything else, tags stay encrypted in storage and only become readable on your screen.
Swiss-hosted, end to end
App servers, database, object storage, and transactional email — all on Infomaniak inside Switzerland. No US/EU vendor in the data path.
Encryption architecture
Four nested locks. None of the keys live on our servers.
Think of it as four nested locks. Your Access Code (only in your head) opens the first lock in your browser. That opens the form's key. That opens the form's private key. And that opens each individual submission. The starting key of the chain never leaves your memory — so the chain ends in you, not in our database.
Built for sensitive work
When confidentiality is a regulation — not a preference.
Healthcare & Medical Forms
Patient data deserves more than a privacy policy. Collect health information with end-to-end encryption — no plain text, no server access, no compromise.
Read moreLegal & Law Firm Intake Forms
Intake, conflicts, document collection — for firms that take attorney-client privilege seriously. End-to-end encrypted, Swiss-hosted, and designed around the realities of legal practice.
Read moreHR & Whistleblower Reporting Forms
Anonymous reporting, grievances, exit interviews, investigations — for HR and compliance teams. End-to-end encrypted, Swiss-hosted, and designed around real whistleblower protection.
Read moreFinancial Advisory & KYC Forms
Onboarding, risk profiles, source of wealth, AML intake — for advisors and wealth managers. End-to-end encrypted, Swiss-hosted, and built around the confidentiality expectations of regulated financial practice.
Read moreResearch & Clinical Trial Participant Forms
Informed consent, screening, eligibility, adverse-event self-reports, withdrawal flows — for IRB and ethics-committee-governed research. End-to-end encrypted, Swiss-hosted, built around the realities of pseudonymised research data and the right to withdraw.
Read moreGovernment & Public Sector Citizen Forms
Permits, civic intake, grievances, public consultations, whistleblower channels — built for public-sector teams that owe citizens a measurably higher standard of confidentiality. Encrypted in the browser, Swiss-hosted, four-language native.
Read moreA different category
How we compare to the form builders you've heard of.
Most "secure" form tools encrypt only in transit. Once your data lands on their servers, they can read it. We can't.
End-to-end encryption
Typical SaaS form builders
In transit only
Schweizerform
AES-256-GCM, client-side
Operator can read your submissions
Typical SaaS form builders
Yes — they hold the keys
Schweizerform
No — mathematically impossible
Data residency
Typical SaaS form builders
US-routed, multi-region
Schweizerform
Switzerland only — Infomaniak
Third-party tracking on the public form
Typical SaaS form builders
GA, Hotjar, Intercom, etc.
Schweizerform
Zero. No third-party trackers.
What we hand over if subpoenaed
Typical SaaS form builders
Readable submissions
Schweizerform
Opaque ciphertext only
Open about what we cannot do
Typical SaaS form builders
Marketing language
Schweizerform
Documented architecture
Frequently asked