Skip to content
Forms365
Security · Data Residency · Privacy

Your form data never leaves
your Microsoft 365 tenant.

Forms 365 is an SPFx solution deployed inside your own SharePoint environment. Form submissions go directly to your SharePoint lists. No data passes through Forms 365 infrastructure.

Start free trial
Data residency

Data stays in your tenant, in your region.

Forms 365 Internal and Forms 365 Public both write submissions directly to SharePoint list items inside your Microsoft 365 tenant. Form data does not transit through any Forms 365 server. It goes directly from the respondent's browser to Microsoft's infrastructure under your tenancy.

Your Microsoft 365 tenant data residency settings determine where the data is stored. For Australian organisations, Microsoft stores Microsoft 365 data in Australian data centres (located in New South Wales and Victoria) when the tenant region is set to Australia.

Forms 365 holds no copy of your form data. If you cancel your subscription, your SharePoint list data remains intact in your tenant. Nothing is lost or held.

Architecture

How Forms 365 deploys inside your environment.

Forms 365 Internal deploys as an SPFx (SharePoint Framework) solution. SPFx solutions run inside the SharePoint page DOM, using your user's existing authentication context. There is no separate server to provision, and no credentials passed to an external system.

Forms 365 Public runs a public-facing form renderer that authenticates with your SharePoint tenant using an app registration with least-privilege permissions. The app registration is created in your Entra ID tenant. The form renderer calls the SharePoint list API to write submissions. No SharePoint data is cached or stored outside your tenant.

The Forms 365 designer (the tool you build forms in) is a web application hosted on Forms 365 infrastructure. When you publish a form, the published form configuration is stored in a SharePoint list inside your tenant, not on Forms 365 servers.

Privacy

Australian Privacy Act compliance

Data collected by Forms 365

Forms 365 collects account and billing data for subscribers (name, email, organisation, payment method). This data is used solely for account management and is not sold or shared with third parties for marketing.

Data collected by your forms

Any personal information collected through your Forms 365 forms (names, email addresses, responses) is stored in your SharePoint tenant. You are the data controller for that information under the Australian Privacy Act 1988. Forms 365 is the processor and handles that data only as directed.

Australian-based company

DevPros is an Australian company headquartered in Australia. Forms 365 is built and supported in Australia. We are subject to Australian Privacy Act obligations and the Australian Privacy Principles (APPs).

Permissions

Least-privilege by design

Forms 365 requests only the SharePoint permissions it needs to function. It does not request access to Exchange, Teams, OneDrive, Entra ID user directories, or any other Microsoft 365 service.

For Forms 365 Internal (SPFx): the solution runs in the context of the logged-in user. It reads the SharePoint list schema the user already has access to, and writes items to lists the user has permission to write to. No elevated permissions are required.

For Forms 365 Public (the app registration): the app is granted Sites.Selected permission, scoped specifically to the SharePoint sites you designate during setup. It cannot read or write to any other SharePoint site in your tenant.

Forms 365 Internal (SPFx)
Runs as the logged-in user, no elevated access User-delegated
Forms 365 Public (app registration)
Sites.Selected (read/write to designated sites only) App-only, scoped
Forms 365 Designer
Read SharePoint list schema, write form config to designated list User-delegated
Microsoft 365 platform

Built on Microsoft's security infrastructure

Because Forms 365 stores data in your Microsoft 365 tenant, your data inherits the security, compliance, and certification coverage of your Microsoft 365 subscription. This includes ISO 27001, SOC 2 Type II, and Australian IRAP assessment coverage where applicable to your Microsoft 365 plan.

ISO 27001 (via Microsoft)SOC 2 Type II (via Microsoft)Australian data centres (NSW + VIC)IRAP (via Microsoft)Australian Privacy ActEntra ID authentication

Questions about security or compliance?

We are happy to provide documentation, answer infosec questionnaires, or arrange a call with your IT team.