Your form data never leaves
your Microsoft 365 tenant.
Forms 365 is an SPFx solution deployed inside your own SharePoint environment. Form submissions go directly to your SharePoint lists. No data passes through Forms 365 infrastructure.
Start free trialData stays in your tenant, in your region.
Forms 365 Internal and Forms 365 Public both write submissions directly to SharePoint list items inside your Microsoft 365 tenant. Form data does not transit through any Forms 365 server. It goes directly from the respondent's browser to Microsoft's infrastructure under your tenancy.
Your Microsoft 365 tenant data residency settings determine where the data is stored. For Australian organisations, Microsoft stores Microsoft 365 data in Australian data centres (located in New South Wales and Victoria) when the tenant region is set to Australia.
Forms 365 holds no copy of your form data. If you cancel your subscription, your SharePoint list data remains intact in your tenant. Nothing is lost or held.
How Forms 365 deploys inside your environment.
Forms 365 Internal deploys as an SPFx (SharePoint Framework) solution. SPFx solutions run inside the SharePoint page DOM, using your user's existing authentication context. There is no separate server to provision, and no credentials passed to an external system.
Forms 365 Public runs a public-facing form renderer that authenticates with your SharePoint tenant using an app registration with least-privilege permissions. The app registration is created in your Entra ID tenant. The form renderer calls the SharePoint list API to write submissions. No SharePoint data is cached or stored outside your tenant.
The Forms 365 designer (the tool you build forms in) is a web application hosted on Forms 365 infrastructure. When you publish a form, the published form configuration is stored in a SharePoint list inside your tenant, not on Forms 365 servers.
Australian Privacy Act compliance
Data collected by Forms 365
Forms 365 collects account and billing data for subscribers (name, email, organisation, payment method). This data is used solely for account management and is not sold or shared with third parties for marketing.
Data collected by your forms
Any personal information collected through your Forms 365 forms (names, email addresses, responses) is stored in your SharePoint tenant. You are the data controller for that information under the Australian Privacy Act 1988. Forms 365 is the processor and handles that data only as directed.
Australian-based company
DevPros is an Australian company headquartered in Australia. Forms 365 is built and supported in Australia. We are subject to Australian Privacy Act obligations and the Australian Privacy Principles (APPs).
Least-privilege by design
Forms 365 requests only the SharePoint permissions it needs to function. It does not request access to Exchange, Teams, OneDrive, Entra ID user directories, or any other Microsoft 365 service.
For Forms 365 Internal (SPFx): the solution runs in the context of the logged-in user. It reads the SharePoint list schema the user already has access to, and writes items to lists the user has permission to write to. No elevated permissions are required.
For Forms 365 Public (the app registration): the app is granted Sites.Selected permission, scoped specifically to the SharePoint sites you designate during setup. It cannot read or write to any other SharePoint site in your tenant.
Built on Microsoft's security infrastructure
Because Forms 365 stores data in your Microsoft 365 tenant, your data inherits the security, compliance, and certification coverage of your Microsoft 365 subscription. This includes ISO 27001, SOC 2 Type II, and Australian IRAP assessment coverage where applicable to your Microsoft 365 plan.
Questions about security or compliance?
We are happy to provide documentation, answer infosec questionnaires, or arrange a call with your IT team.