Trust and security
Security, privacy, and compliance details for Motivation Form.
Motivation Form is built for form owners who need to collect real responses without sending sensitive data through unnecessary systems. This page summarizes the safeguards that matter for vendor review, privacy review, and security-conscious teams.
Data handling
- Public forms are served over HTTPS at
form.gold/[handler]/[slug]. - Responses are stored in Supabase Postgres and file uploads are stored in Supabase Storage.
- File uploads go directly to Supabase Storage; the form response stores the resulting storage URL instead of raw file bytes.
- Form owners can export responses as CSV, JSON, or Markdown reports.
- Motivation Form publishes privacy and data-processing terms for teams that need a review trail.
Access control
- Form-owner data is protected with Supabase row-level security.
- API keys are bearer credentials for REST, MCP, and CLI access.
- API keys are shown once at creation and stored as hashes.
- Service-role credentials are used only server-side.
- Dashboard access uses Supabase Auth.
Respondent protection
- Cloudflare Turnstile is included for public forms.
- Turnstile tokens are verified server-side before a response is written.
- Respondents do not need a Motivation Form account to complete a public form.
- Form owners decide what personal data their forms request and are responsible for collecting required consent.
Compliance references
These documents are the canonical review materials:
Infrastructure subprocessors
Motivation Form uses focused infrastructure providers for the hosted service:
| Provider | Purpose |
|---|---|
| Supabase | Database, auth, and object storage |
| Vercel | Application hosting |
| Resend | Email delivery |
| Cloudflare | Turnstile bot protection and DNS |
| Stripe | Billing |
For self-hosted deployments, see Self-hosting.