Details on Fillout's security practices.

Fillout is specifically designed for intaking customer data securely. We follow industry best practices to keep your responses secure and let you backup responses to third-party services and databases. We also offer an optional self-hostable agent to prevent customer form responses from ever passing through or being stored on Fillout servers.

Data we collect and store

Infrastructure and network security

Security is a top priority for us and we take the following measures to keep your data and account secure.


Fillout is hosted on Google Cloud Platform (GCP, via and our GCP/ servers are located in the United States and the European Union (EU). EU servers are only used if requested by the customer. GCP data centers have state-of-the-art physical access controls, logical access controls, and frequent third-party independent audits. Google has published a detailed security whitepaper outlining these measures. employees have as-needed access to infrastructure on All employees have dedicated user accounts and access infrastructure via two-factor authentication.


All data in transit is encrypted over HTTPS/TLS between you and's servers. All data is replicated for durability.

Application security

Two-factor authentication and single sign-on supports G Suite SSO, allowing customers to enforce that users sign in using customer-managed identity providers. Two-factor authentication for application login can be enforced at the identity provider level (e.g. by turning it on within G Suite).
Contact us to enable other SSO providers, like Okta, Active Directory, or other SAML providers.

Business continuity and disaster recovery

Business Continuity keeps daily and point-in-time encrypted backups of data on While never expected, in the case of production data loss, we are able to restore customer data from these backups.

Disaster Recovery

In the event of a region-wide outage, will bring up a duplicate environment in a different Google Cloud Platform region. infrastructure is designed to be portable and restorable under different regions.

How to report vulnerabilities

You can email security<@> with details on any security vulnerabilities you discover.