Form Filling Security: How We Keep Your Data Safe
Deep dive into our privacy-first architecture and security measures that protect your sensitive information. Transparency about how we handle your most private data.
When you trust Fyllyo with your passport numbers, Social Security numbers, and financial information, you deserve to know exactly how we protect that data. This isn't marketing fluff—it's a technical deep dive into our security architecture.
The Stakes Are High
Form filling tools handle the most sensitive data imaginable. A security breach isn't just inconvenient—it can ruin lives. That's why we built Fyllyo with security as the foundation, not an afterthought.
Our Core Security Principle: Zero-Knowledge Architecture
The most secure data is data we never see. Fyllyo is built on a zero-knowledge architecture where your sensitive information never leaves your device.
Local Storage Only
Your personal data is encrypted and stored only on your device. We literally cannot access it, even if we wanted to.
End-to-End Encryption
Even data sync between your devices uses end-to-end encryption. Only you have the keys.
No Analytics on Personal Data
We collect usage analytics, but never on the content of your forms or personal information.
Minimal Server Interaction
Our servers only handle authentication and feature updates. No personal data ever touches our infrastructure.
Technical Deep Dive: How It Actually Works
1. Data Encryption
Every piece of personal information is encrypted using AES-256 encryption before being stored locally. The encryption keys are derived from your master password using PBKDF2 with 100,000 iterations.
Personal Data → AES-256 Encryption → Local Storage
Encryption Key ← PBKDF2(Master Password, Salt, 100k iterations)
2. Form Field Matching
When Fyllyo analyzes a form, it sends only the field structure (labels, types, context) to our AI service—never the actual values. The AI returns mapping instructions that are executed locally on your device.
What we return: "Map to profile.personalInfo.firstName"
What we never see: Your actual first name
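An added example, not Fyllyo's own code, of the structure-only request and the local mapping step described above. The field and profile shapes and the instruction format (a field index plus a dotted path such as profile.personalInfo.firstName) are assumptions.

```javascript
// Fields as a content script might collect them from a page. 'value' is
// whatever the user has typed and must never be included in the request.
function describeFields(fields) {
  return fields.map((f, i) => ({
    index: i,
    type: f.type,
    name: f.name || '',
    label: f.label || '',
    autocomplete: f.autocomplete || '',
  }));
}

// Resolve a dotted path against the locally decrypted profile. Only own
// properties are followed, so an instruction naming a path that does not
// exist (or tries "__proto__") yields undefined instead of a stray value.
function resolvePath(profile, path) {
  const parts = path.split('.');
  if (parts.shift() !== 'profile') return undefined;
  return parts.reduce((obj, key) =>
    (obj !== null && typeof obj === 'object' && Object.prototype.hasOwnProperty.call(obj, key))
      ? obj[key] : undefined, profile);
}

// Execute the mapping instructions locally. Only string leaf values are
// filled; out-of-range indexes and unmapped fields are left untouched.
function applyMapping(fields, instructions, profile) {
  const filled = fields.map(f => ({ ...f }));
  for (const { index, path } of instructions) {
    const value = resolvePath(profile, path);
    if (index >= 0 && index < filled.length && typeof value === 'string') filled[index].value = value;
  }
  return filled;
}

// Constructed sample form and profile, not real data.
const formFields = [
  { name: 'fname', type: 'text', label: 'First name', value: 'Ada' },
  { name: 'ssn', type: 'text', label: 'Social Security Number', value: '' },
];
const localProfile = { personalInfo: { firstName: 'Ada' }, ids: { ssn: '000-00-0000' } };
const request = describeFields(formFields); // this is all that is sent to the service
const instructions = [
  { index: 0, path: 'profile.personalInfo.firstName' },
  { index: 1, path: 'profile.ids.ssn' },
];
console.log(JSON.stringify(request));
console.log(applyMapping(formFields, instructions, localProfile).map(f => f.value));
```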
3. Cross-Device Sync
When you sync data between devices, we use a zero-knowledge sync protocol. Your encrypted data passes through our servers, but we don't have the keys to decrypt it.
🔐 Technical Note
We use the Signal Protocol for secure messaging between your devices. The same technology that protects WhatsApp messages protects your form data.
What Data We Do Collect (And Why)
Transparency means being honest about what we do collect. Here's the complete list:
- Email address, encrypted password hash, account creation date. Why: To verify your identity and protect your account
- Which features you use, how often, error rates, performance metrics. Why: To improve the product and fix bugs
- Field types, labels, and website domains (but never the values you enter). Why: To train our AI to recognize new form types
⚠️ What We Never Collect
- Your actual form data (names, addresses, SSNs, etc.)
- Screenshots or recordings of your screen
- Browsing history outside of form interactions
- Passwords or login credentials for other sites
- Financial information or payment details
Security Measures Beyond Encryption
Infrastructure Security
- All servers run on AWS with SOC 2 Type II compliance
- Network traffic encrypted with TLS 1.3
- Regular penetration testing by third-party security firms
- 24/7 monitoring for suspicious activity
- Automated security updates and patch management
Application Security
- Content Security Policy (CSP) to prevent XSS attacks
- Subresource Integrity (SRI) for all external resources
- Regular security audits of our Chrome extension
- Sandboxed execution environment for AI processing
- Rate limiting and DDoS protection
Access Controls
- Zero-trust architecture with multi-factor authentication
- Principle of least privilege for all team members
- All access logged and monitored
- Regular access reviews and deprovisioning
- Separate development and production environments
Compliance and Certifications
🇪🇺 GDPR Compliant
Full compliance with European data protection regulations, including right to deletion and data portability.
🇺🇸 CCPA Compliant
California Consumer Privacy Act compliance with transparent data practices and user control.
🏥 HIPAA Ready
Architecture designed to support HIPAA compliance for healthcare organizations.
🔒 SOC 2 Type II
Annual audits of our security controls and procedures by independent auditors.
Incident Response and Recovery
Despite all precautions, we're prepared for the worst-case scenario:
🛡️ The Bottom Line
Because your data never leaves your device in unencrypted form, even a complete breach of our servers wouldn't expose your personal information. That's the power of zero-knowledge architecture.
Your Role in Security
Security is a partnership. Here's how you can protect yourself:
- Use a strong master password: It's the key to all your data
- Enable two-factor authentication: Adds an extra layer of protection
- Keep your browser updated: Security patches are critical
- Be cautious on public WiFi: Use a VPN when possible
- Review your data regularly: Remove old or unnecessary information
- Report suspicious activity: Help us keep everyone safe
Transparency and Accountability
We believe in radical transparency about our security practices:
- Annual security reports published publicly
- Bug bounty program with responsible disclosure
- Open-source security libraries where possible
- Regular third-party security audits
- Clear incident communication with lessons learned
Questions? We're Here to Help
Security shouldn't be a black box. If you have questions about our security practices, want to see our latest audit reports, or need clarification on any aspect of our data handling, reach out to our security team.
We're proud of the security architecture we've built, but we're always working to make it better. Your trust is our most valuable asset, and we'll never take it for granted.