Skip to main content
When a respondent submits a form, a chain of events begins: the data is validated, stored, routed to your integrations, and made available for export and API access. This page describes each stage so you understand exactly where your data lives and how to work with it.

Capture and validation

When a respondent clicks the submit button, FormFlows.ai performs client-side validation first (required fields, format checks) and then sends the submission to FormFlows.ai servers over an encrypted HTTPS connection. On the server side, the platform:
  1. Re-validates all field values against the rules you configured — server-side validation cannot be bypassed by a modified client.
  2. Runs spam and abuse detection — see AI features → Spam and abuse detection.
  3. Assigns a unique submission ID (sub_xxxxxxxxxxxxxxxx) and records the exact submission timestamp in UTC.
  4. Stores the submission in persistent, encrypted storage.
  5. Queues workflow execution — all active workflows attached to the form are scheduled for immediate asynchronous processing.
The respondent sees the thank-you screen as soon as server-side validation passes and storage succeeds, before any workflows run.

Storage

Each submission is stored as a structured JSON document containing:
  • The submission ID and form ID
  • The submission timestamp (UTC, ISO 8601)
  • The respondent’s IP address (hashed and stored separately from the response body; see privacy section below)
  • The value of every submitted field, keyed by field ID
  • Metadata: user agent string, referrer URL, and any UTM parameters captured from the form URL
  • File attachment references (uploaded files are stored in object storage; the submission record holds a reference URL, not the binary data)

Submissions inbox

Every form has a Submissions inbox in the FormFlows.ai dashboard where you can browse, filter, search, and view individual submissions. From the inbox you can also:
  • Flag or unflag submissions for follow-up
  • Add internal notes visible only to your team
  • Manually mark a submission as spam or restore a quarantined submission
  • Delete individual submissions (permanent; cannot be undone)

Data retention

Submission data is retained for the duration of your active subscription and for 90 days after a subscription is cancelled or downgrades below the threshold that collected the data. After the 90-day window, data is permanently deleted from all FormFlows.ai systems.If you need to preserve data beyond this window, export it before cancelling or configure a workflow to mirror submissions to your own storage in real time.
PlanSubmissions retainedFile storage per form
Free100 most recent submissions100 MB
Starter12 months of submissions1 GB
Growth24 months of submissions10 GB
BusinessUnlimitedUnlimited
File attachments count toward your plan’s storage quota. You can download and delete individual attachments at any time without affecting the associated submission record.

Routing to integrations and webhooks

After a submission is stored, FormFlows.ai executes any active workflows you have configured. Workflows can route data to:
  • Email — formatted notification or confirmation emails sent via FormFlows.ai’s mail infrastructure
  • Google Sheets — rows appended or updated in real time
  • Slack — messages posted to channels or users
  • Zapier — your Zap’s webhook trigger fires, unlocking thousands of downstream actions
  • Webhooks — an HTTP POST to any URL you specify, with the full submission payload in the request body

Webhook payload

When a webhook action executes, FormFlows.ai sends a POST request with a JSON body:
webhook payload
{
  "event": "submission.created",
  "submission_id": "sub_01hx4k9bfzc3q8y7v2mn6p",
  "form_id": "frm_01hw3j8azb1r5t6u9ndc4e",
  "form_name": "Customer Feedback",
  "submitted_at": "2026-04-05T14:23:07Z",
  "data": {
    "name": "Alex Rivera",
    "email": "[email protected]",
    "rating": 4,
    "comments": "Really smooth experience overall."
  },
  "metadata": {
    "ip_hash": "a3f1b2c9...",
    "user_agent": "Mozilla/5.0 ...",
    "referrer": "https://example.com/contact"
  }
}
FormFlows.ai signs every webhook request with an HMAC-SHA256 signature in the X-FormFlows-Signature header. Verify this signature in your receiving server to confirm the request is authentic.
The signature verification pattern is: HMAC-SHA256(secret, raw_request_body). Your webhook secret is available in Form settings → Webhooks. See the webhooks API reference for a code example.

Exporting data

You can export submission data at any time from the Submissions inbox or via the API.
From the Submissions inbox, click Export → CSV. Each row represents one submission. Columns map to field IDs (with display labels in the header row). File attachment fields export as download URLs.You can filter the export by date range, submission status (all, starred, spam), or a custom search query before exporting.

Data privacy and security

Encryption

  • In transit — all data between respondents, your dashboard, and FormFlows.ai servers is encrypted using TLS 1.2 or higher.
  • At rest — submission data and file attachments are encrypted at rest using AES-256.
  • IP addresses — IP addresses are one-way hashed before storage. The original IP address is not retained and cannot be recovered by FormFlows.ai or accessed by you.

GDPR

FormFlows.ai is designed to support GDPR compliance for organizations subject to EU data protection law.
If your forms collect personal data from EU residents, FormFlows.ai acts as a data processor on your behalf. You remain the data controller. Review the Data Processing Agreement (DPA) available in your account settings under Billing → Legal.
Features that support your GDPR obligations:
  • Consent field — add a GDPR-compliant consent checkbox to any form, with a configurable consent statement and link to your privacy policy.
  • Individual deletion — delete any single submission from the inbox to fulfill a right-to-erasure request. Deletion is permanent and propagates to all associated backups within 30 days.
  • Data export — export all submissions associated with a specific email address to fulfill subject access requests.
  • Data residency — Business plan customers can request that their data be stored in EU-region infrastructure. Contact support to enable this.

SOC 2 and certifications

FormFlows.ai maintains SOC 2 Type II certification. The most recent audit report is available to Business plan customers under NDA. Contact [email protected] to request a copy.

Access controls

  • Submission data is accessible only to authenticated workspace members with the appropriate role.
  • API keys are scoped to a workspace and can be restricted to read-only access.
  • Webhook secrets are unique per form.

Next steps

Webhooks API reference

Signature verification, payload schema, and retry behavior.

Submissions API reference

Query, retrieve, and delete submissions via the REST API.

Workflows

Configure automated routing of submission data to your tools.

Integrations

Connect Google Sheets, Slack, Zapier, and more.