Data Privacy
Privacy Friendly
Built with privacy in mind, with no third-party cookies, fingerprinting, or invasive tracking. Formo does not collect:
- IP addresses (country is derived from the browser timezone, not from IP geolocation)
- Device fingerprints (no Canvas, WebGL, or storage-based fingerprinting)
- Social profiles (no Twitter, Discord, or email collection)
- Third-party cookies
Transparency
Open Source
Formo SDKs are 100% open source with a fully permissive MIT license.
Compliance
SOC 2 (in progress)
Formo’s SOC 2 compliance report will be available on request.
Supply Chain Security
NPM Trusted Publishing
Eliminates security risks from long-lived write tokens, which can be compromised.
Subresource Integrity
Formo supports SRI, which helps prevent attacks like cross-site scripting (XSS) and NPM hijacking.
Content Security Policy
Formo supports CSP, which helps prevent attacks like cross-site scripting (XSS) and data injection.
Minimal Dependencies
Having fewer runtime dependencies significantly reduces the supply chain attack surface.
SDK Dependencies List
The @formo/analytics SDK maintains a minimal dependency footprint to minimize attack surface:

| Package | Purpose | Risk Level |
|---|---|---|
| ethereum-cryptography | Cryptographic operations (Keccak256, SHA256) | Low - Audited pure JS library containing all Ethereum-related cryptographic primitives by the Ethereum Foundation |
| mipd | EIP-6963 wallet discovery | Low - standard EIP-6963 implementation by the wevm team, authors of wagmi |
| fetch-retry | HTTP retry with exponential backoff | Low - simple utility |
Secure Installation Methods
There are two ways to install the Formo SDK, each with different security properties:

| Method | MITM Protection | Supply Chain Verification |
|---|---|---|
| NPM package (npm install @formo/analytics) | Script is bundled into your own assets - no third-party script loading at runtime | npm integrity checks (SHA-512) + provenance attestations verify the package came from GitHub |
| CDN script tag | Enable SRI + CSP for cryptographic verification | SRI hash verifies the script before browser execution |
Infrastructure Security
Encryption in Transit
All connections secured with industry-standard TLS 1.2+ encryption.
Encryption at Rest
All data volumes, including backups, are encrypted at rest with unique AES-256 keys.
Backups
All customer databases are continuously backed up to highly durable storage.
Data Center Security
Formo runs on AWS, which provides the highest levels of security and reliability.
Monitoring
24/7 on-call rotations with internal escalation paths monitor all systems.
Software Security
Quality Assurance
Automated tests and code reviews run after each code change as part of QA.
Security Reviews
Engineering reviews check code against security best practices to address potential security threats.
Vulnerability Management
Formo conducts regular penetration tests in addition to internal security reviews.
Partner Security
Payments and PCI
Formo uses Paddle to process payments and does not store credit card information.
Subprocessors
Formo keeps the list of data subprocessors updated in the Terms of Service.
Access Control
Single Sign-On (SSO)
SAML-based SSO allows centralized authentication through your identity provider.
Multi-Factor Authentication
MFA adds an additional layer of security to user accounts and workspaces.
Role Based Access Control
RBAC enforces the least privilege principle on users based on specific roles.
Others
Changelog
Formo publishes a weekly summary of updates and fixes.