Schweizerform vs Self-Hosted Forms
Self-hosting LimeSurvey or Formbricks gives you control of where the data lives — and a pager for everything that can break. See how Schweizerform's zero-knowledge encryption, Swiss hosting, and four-language UI compare to running open-source forms yourself, with a realistic look at total cost.

Self-hosting an open-source form tool — LimeSurvey, Formbricks, OhMyForm, SurveyJS Service, or similar — is a defensible choice for teams that want full control of where their respondent data lives. The motivation is usually clear: nobody else's database, nobody else's TLS termination, nobody else's subpoena exposure. You run it, you own it. For a certain kind of buyer — usually with an in-house ops team, strong Linux skills, and an existing patching cadence — that trade is the right one.
Schweizerform is built around a different bet: that for most teams, the operational cost of running a form platform well outweighs the perceived control of running it themselves — and that the property they actually wanted (a vendor that physically cannot read submissions) can be delivered as a service through zero-knowledge encryption. Hosting is in Switzerland, the four UI languages (EN / DE / FR / IT) are native, and encryption is included on every plan. This page compares the two paths honestly, with the failure modes that brochures usually skip.
Who this comparison is for
CTOs, DPOs, security leads, and engineering managers weighing self-hosted open-source form tools (LimeSurvey, Formbricks, etc.) against a managed encrypted SaaS — particularly Swiss and EU teams that care about data sovereignty but also need to be honest about who pays the operational tax.
Where Self-Hosting Genuinely Wins
We will start where the self-hosted route is strong, because honest comparisons should. Real reasons teams pick LimeSurvey, Formbricks, or another self-hosted option:
- Total control of the data plane — your servers, your database, your jurisdiction by definition
- No vendor lock-in — open source means you can fork, audit, modify, and migrate at will
- No per-seat or per-response pricing — the marginal cost of an extra form is effectively zero
- Deep customisation possible at the source-code level — bespoke fields, integrations, branding
- Air-gapped or on-premises deployment for environments that simply do not allow outbound SaaS
- Full audit transparency — every line of code is inspectable, including the security-critical parts
If your organisation already operates production infrastructure with maturity — patching, monitoring, backups, incident response, secrets management, key rotation — adding a form server to that pipeline is incremental work. The question this comparison answers is: what does that incremental work actually look like once you stop reading the README and start running it?
The Hidden Costs Nobody Lists in the README
Open-source form tools install easily. Running them in production for sensitive data is a different exercise. The work is not exotic — it is the same operational tax that every self-hosted system carries — but it is rarely costed accurately when teams compare "free" self-hosting to a SaaS bill.
- Infrastructure: a hardened host, a managed database, a backup target, a TLS certificate pipeline, a CDN if respondents are global
- Patching: timely application updates, OS patches, dependency upgrades, security advisory triage
- Monitoring: uptime, error rates, disk space, certificate expiry, abnormal access patterns
- Backups and disaster recovery: tested restores, cross-region copies, retention policies, encryption of backup media
- Authentication and authorisation: admin SSO, role-based access, audit logging, lifecycle for ex-employees
- Secrets and key management: where the database password lives, who can read it, how it rotates
- Compliance documentation: ROPA entries you write yourself, DPIA when needed, breach response runbook, vendor questionnaires that suddenly point inward
- Encryption-at-rest configuration: the application typically stores plain text — you must layer disk or database encryption yourself
- Pen-testing and security review: external testing on your stack, not a vendor's, on a cadence you set
- On-call: someone has a pager when the form goes down at 02:00 the night before a deadline
The unspoken trade
When you self-host, you stop being a customer of a vendor and become the data controller AND processor for that system. Every promise the SaaS vendor used to make in their DPA — uptime, patching SLA, breach notification timing, encryption posture — is now a promise you make to yourself. Most of the cost of "free" software is the absence of that promise being someone else's job.
The Encryption Nuance Most Self-Hosters Miss
There is a popular assumption that "if I host it myself, my data is encrypted by default". That is usually wrong. LimeSurvey, Formbricks, and most open-source form tools store submissions as plain text in the application database. Disk-level or database-level encryption (LUKS, TDE, Postgres pgcrypto) protects against a stolen disk — it does not protect against a database administrator, a SQL-injection bug, an over-privileged backup, or a server compromise. The application can read the data, which means anything that can talk to the application can read the data.
Schweizerform's design point is different: every submission is encrypted in the respondent's browser before it leaves the device. The ciphertext is what travels and what we store. We physically cannot read submissions; an attacker who breaches our infrastructure cannot read them either. Hosting it yourself does not, by itself, give you that property — building it correctly is a multi-month project that very few open-source form tools attempt, and the ones that do (e.g. Cryptee-style architectures) carry their own integration costs.
Self-hosted ≠ end-to-end encrypted
Self-hosting decides where the data sits. Zero-knowledge / end-to-end encryption decides who can read it. They are independent properties. Most self-hosted form deployments inherit only the first one, and operators are often surprised to discover, during their first audit, that the database is full of plain-text PII.
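The distinction drawn above, as an added example that is not Schweizerform's code or that of any form tool named here: a generic hybrid scheme (RSA-OAEP wrapping a per-submission AES-GCM key) built on WebCrypto. It shows that a plain-text row is readable by anything with database access, while the encrypted record is recoverable only with the form owner's private key. The scheme, function names, and sample submission are assumptions; the page does not describe Schweizerform's actual construction.

```javascript
// Added example: generic hybrid encryption (RSA-OAEP wrapping a per-submission AES-GCM key).
// Not Schweizerform's or any form tool's code; all names and sample data are constructed.
// Browsers and Node 19+ expose globalThis.crypto; older Node falls back to node:crypto.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const subtle = webcrypto.subtle;

// Form owner, once: the public key ships with the form, the private key never reaches the server.
async function createOwnerKeys() {
  return subtle.generateKey(
    { name: "RSA-OAEP", modulusLength: 3072, publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" },
    true, ["wrapKey", "unwrapKey"]);
}

// Respondent's browser: encrypt before the submission leaves the device.
async function encryptSubmission(publicKey, submission) {
  const aesKey = await subtle.generateKey({ name: "AES-GCM", length: 256 }, true, ["encrypt"]);
  const iv = webcrypto.getRandomValues(new Uint8Array(12)); // fresh nonce per submission
  const data = new TextEncoder().encode(JSON.stringify(submission));
  const ciphertext = new Uint8Array(await subtle.encrypt({ name: "AES-GCM", iv }, aesKey, data));
  const wrappedKey = new Uint8Array(await subtle.wrapKey("raw", aesKey, publicKey, { name: "RSA-OAEP" }));
  return { iv, wrappedKey, ciphertext }; // the only thing the server receives and stores
}

// Form owner's browser: unwrap the AES key with the private key, then decrypt.
async function decryptSubmission(privateKey, record) {
  const aesKey = await subtle.unwrapKey("raw", record.wrappedKey, privateKey,
    { name: "RSA-OAEP" }, { name: "AES-GCM" }, false, ["decrypt"]);
  const data = await subtle.decrypt({ name: "AES-GCM", iv: record.iv }, aesKey, record.ciphertext);
  return JSON.parse(new TextDecoder().decode(data));
}

// Server-side view (DBA, SQL injection, backup): is the value readable in what is stored?
function readableInStorage(stored, needle) {
  const bytes = typeof stored === "string" ? stored
    : [stored.iv, stored.wrappedKey, stored.ciphertext].map((b) => String.fromCharCode(...b)).join("");
  return bytes.includes(needle);
}

async function demo() {
  const submission = { name: "Constructed Respondent", diagnosis: "constructed-sample-value" };
  const owner = await createOwnerKeys();
  const other = await createOwnerKeys(); // stands in for anyone without the owner's private key
  const record = await encryptSubmission(owner.publicKey, submission);
  const wrongKeyFails = await decryptSubmission(other.privateKey, record).then(() => false, () => true);
  return {
    plainRowReadable: readableInStorage(JSON.stringify(submission), "constructed-sample-value"),
    encryptedRowReadable: readableInStorage(record, "constructed-sample-value"),
    ownerRecovers: (await decryptSubmission(owner.privateKey, record)).diagnosis,
    wrongKeyFails,
  };
}
```

Calling `demo()` resolves to an object showing the plain-text row is readable in storage, the encrypted record is not, and decryption with any key other than the owner's is rejected. Disk or database encryption changes none of this for the plain-text row, because the application still reads it in the clear.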
Side-by-Side Comparison
| Capability | Self-Hosted (LimeSurvey, Formbricks) | Schweizerform |
|---|---|---|
| End-to-end / zero-knowledge encryption | Not by default — application reads all submissions | Yes — every form, every plan, every submission |
| Encryption at rest | Whatever you configure (disk / DB layer) | Yes — but ciphertext only; we hold no keys |
| Hosting jurisdiction | Wherever you deploy — fully your choice | Switzerland — Swiss data centres, no US sub-processors for submission storage |
| Native UI languages | Varies by project; community-translated | Native EN / DE / FR / IT — first-class, not machine-translated |
| Operational responsibility | Yours — patching, backups, monitoring, on-call | Ours — covered by the plan |
| Time-to-first-form | Days to weeks (server, TLS, hardening, testing) | Minutes |
| Compliance documentation | You write it (ROPA, DPIA, breach runbook) | We provide the processor side; you maintain the controller side |
| Vendor lock-in | Minimal — open source, full export | Low — standard CSV / JSON export, no proprietary data formats |
| Per-form / per-response cost | Effectively zero (after fixed infra) | Plan-based; modest paid tiers |
| Total cost of ownership (small team) | Often higher than SaaS once labour is counted | Predictable subscription |
| Subpoena / lawful-access exposure | You receive and respond yourself | Ciphertext only on vendor server — disclosure produces unreadable data |
| Patch latency for a critical CVE | As fast as your team responds | Coordinated by us, applied across the platform |
Total Cost of Ownership — A Realistic Sketch
Self-hosted is often described as "free". The software is. Running it is not. A realistic small-team TCO for a self-hosted LimeSurvey or Formbricks deployment, sized for a regulated workload, looks roughly like this — the numbers will vary, but the categories rarely do.
| Cost category | Self-hosted (annual, indicative) | Schweizerform (annual) |
|---|---|---|
| Software licence | 0 (open source) | Included in plan |
| Hosting (VM + DB + backup + bandwidth) | ~CHF 600 – 3'000 depending on scale | Included |
| TLS, monitoring, log retention | ~CHF 200 – 800 | Included |
| Engineering time (setup + monthly maintenance) | ~20 – 60 hours/year at internal rates | 0 |
| On-call / incident response | Internal — pager rotation | Covered by us |
| Annual security review / pen test | ~CHF 3'000 – 15'000 if done properly | Covered at the platform level |
| Compliance documentation effort | ~5 – 20 hours/year | Reduced — processor side delivered with DPA |
| Realistic small-team TCO | Often well above what a SaaS plan costs | Predictable, low four-figure CHF range |
These numbers are indicative, not a quote. The point is not the exact figures — it is that the line item labelled "engineering time" usually dwarfs everything else, and is the one most often omitted when teams compare "free" self-hosting to a SaaS subscription.
When Self-Hosting Is the Right Choice
- You already operate a hardened production stack and adding one more service is genuinely incremental
- You have a regulatory or contractual requirement that explicitly forbids any third-party SaaS for the workload
- You need air-gapped or on-premises deployment, not just a non-US jurisdiction
- You want to fork or modify the form engine itself — bespoke field types, deep integrations, custom rendering
- You have a security team that performs internal pen-testing and an SRE function that owns the platform
- Your team's labour cost is structurally lower than a SaaS plan, and the operational tax is real but manageable
Self-hosting is a credible engineering choice. We do not pretend otherwise. It is just rarely the right choice for the median team that picks it — usually because the operational cost is undercounted at the decision point and only becomes visible six months later.
When Schweizerform Is the Right Choice
- You want the data sovereignty story (Swiss hosting, no US sub-processors, vendor cannot read) without operating the stack
- Your team is small enough that an extra on-call surface is real cost, not noise
- You want zero-knowledge encryption out of the box — a property most self-hosted form tools do not actually deliver
- You handle healthcare, legal, HR, financial, research, or whistleblower data and need a clean compliance story today, not after a six-month buildout
- You want native EN / DE / FR / IT in the respondent UI without translating it yourself
- You want predictable cost and a single point of accountability when something fails or an audit asks
These are the cases where the "buy" decision is almost always cheaper, faster, and more defensible than the "build and run" decision — even before the encryption story is added.
A Decision Framework for Technical Buyers
Three questions usually decide this cleanly:
Do you have an existing platform team that already runs production services?
If yes, self-hosting is incremental. If no, you are building a platform team to support a form server — the economics rarely work.
Do you actually need property X, or do you need someone else to be responsible for property X?
Self-hosting transfers responsibility to your team. A managed service with a strong DPA and a zero-knowledge architecture transfers responsibility to the vendor with cryptographic backing. Both are valid; pick deliberately.
Are you optimising for control of the data plane, or for the property that the data is unreadable?
If it is the first, self-hosting may suit. If it is the second, zero-knowledge SaaS is usually a shorter path than building zero-knowledge yourself.
Common Objections — and Realistic Answers
"Self-hosted is always more secure"
Only if it is operated to a high standard. A poorly patched LimeSurvey instance with default credentials and no monitoring is meaningfully less secure than a managed SaaS with timely patching and a competent security team. Self-hosting moves responsibility, not security.
"We need to be sure no third party can read our data"
That is the property zero-knowledge encryption gives you, regardless of who hosts the bytes. With Schweizerform, we host the ciphertext but cannot read it; with self-hosting, you must build that property into your application, which most open-source form tools do not do for you.
"Open source is more transparent than your closed code"
Fair point. We address transparency through documented architecture, third-party security review, and the fact that the cryptographic guarantees can be verified from the client side — what leaves the browser is ciphertext that we cannot decrypt. That is a different transparency model than "read all the code", but it is verifiable, and it does not require you to read all the code yourself.
"What if Schweizerform shuts down?"
Standard CSV / JSON export is available at any point, and submissions can be decrypted on the client side using your Access Code. The data is portable. We treat business-continuity questions seriously and document the export and decryption paths so they are not theoretical.
"We already self-host other tools — what's one more?"
Often correct. If your platform team already has the muscle, the marginal cost is small. Just be honest about whether the form workload justifies the time, and whether the application actually delivers zero-knowledge encryption (most do not). For many teams, the right split is "self-host the things we have to, buy the things we can buy well".
The Bottom Line
Self-hosting LimeSurvey, Formbricks, or another open-source form tool is a real and defensible choice. It gives you control of the data plane, no vendor lock-in, and zero per-form cost — at the price of operating a production service yourself. For mature platform teams, that trade can be the right one. For most other teams, the operational tax silently outweighs the saved subscription.
Schweizerform offers a different deal: Swiss hosting, zero-knowledge encryption that most self-hosted form tools do not provide out of the box, native four-language UI, and a single point of accountability — without a pager. If your team is not in the business of running form infrastructure, the maths usually points one direction.
Try Schweizerform on the free plan — Swiss hosting, zero-knowledge encryption, native EN / DE / FR / IT — and compare it honestly to the staging server you were about to harden.
Disclaimer: This comparison is general information and marketing content, not legal, security, or compliance advice. Open-source projects evolve; verify current encryption posture, hosting requirements, and licence terms on the project's own documentation before relying on them. LimeSurvey, Formbricks, and other product names are trademarks of their respective owners.