What Schweizerform can and cannot see
The exact boundary of our zero-knowledge design — worth reading once, and worth showing your clients.
Last updated July 7, 2026
We can never see (end-to-end encrypted):
- The answers to every question
- Uploaded files, photos and their original filenames
- Drawn signatures
- Your Vault key, and every key protecting the above
These are sealed in the respondent's browser and unsealed only in yours. Our servers store sealed packages; a breach, a curious employee, an official demand — none of them can produce readable answers, because readable answers don't exist on our side.
We can see (the minimum needed to run the service):
- Your account e-mail, name and plan
- Your forms' questions and settings — they must be readable to display the form publicly
- Form titles, response counts, timestamps
- Coarse anonymous statistics (completion time, device class) that power your insights
- Billing status — payments themselves are handled by Stripe; card numbers never touch us
Note
This split is honest physics, not small print: any provider that displays a public form can read that form's questions. The difference lies in the answers — and there, we hold nothing readable. The one-sentence version for your clients: "We can see the questions you ask — never the answers people give."