SignalForm

Technical Details

Benchmarks, architecture, and privacy disclosures.

Performance

65KB
Renderer size (gzipped)
Single-chunk bundle. Zero third-party dependencies.
<100ms
API response time (p95)
CloudFront CDN with edge caching.
<200ms
Time to interactive
React 19 with minimal JS execution.

Why 65KB matters

Most form builders ship 300KB+ of JavaScript. We ship 65KB by cutting everything that isn’t the form:

  • Zero third-party analytics or tracking libraries
  • Single-chunk build, no code splitting overhead
  • React 19 with aggressive tree-shaking
  • Direct API calls, no SDK wrappers

Architecture

Stack overview

Frontend
React 19, TypeScript, Tailwind CSS v4
Dashboard and renderer with full type safety
Backend
Go 1.22, chi router, pgx
Compiled Go with connection pooling
Database
PostgreSQL 15 on RDS
JSONB schemas, automated daily backups
Infrastructure
AWS (EC2, S3, CloudFront, RDS)
CloudFront CDN, us-east-1 primary

How it works

  1. Build in the dashboard. Autosaves every second.
  2. Publish to a unique URL. Schema cached globally via CloudFront.
  3. Load — 65KB React app fetches schema (cached, sub-100ms) and renders client-side.
  4. Submit — responses stored in PostgreSQL (JSONB). Webhooks fire async.
  5. Export — view in dashboard or download as CSV.

Deployment details

  • API: Single ARM64 EC2 instance (t4g.small) behind CloudFront
  • Database: RDS PostgreSQL with automated daily backups to S3
  • Static assets: S3 + CloudFront (signalform.io, app.*, forms.*)
  • Monitoring: Datadog APM for performance tracking and error alerting

Privacy & Security

Zero third-party trackers

No Google Analytics, Facebook Pixel, Hotjar, or ad network scripts. We collect only what’s needed:

  • Form submission data (answers you collect)
  • Metadata: timestamps, form ID, response ID
  • User accounts: email, hashed password, OAuth tokens

Datadog is used for internal monitoring only. No end-user PII is sent to Datadog.

Your data stays yours

No AI training on responses. No data sales. CSV export anytime. Delete your account and everything is gone within 30 days.

Security practices

  • Encryption: TLS 1.2+ for all traffic, AES-256 for data at rest
  • Authentication: JWT tokens with httpOnly cookies, 15-minute access token expiry
  • Secrets management: AWS Secrets Manager for API keys and database credentials
  • Backups: Automated daily PostgreSQL backups to S3 with 90-day retention
  • Infrastructure: VPC with private subnets, security groups restricting SSH to known IPs

Compliance

Designed for GDPR compliance with data export, deletion, and access controls. Not yet SOC 2 certified. You are responsible for consent and legal basis when collecting personal data.

Roadmap

  • In ProgressWebhook delivery with retry logic and failure notifications
  • In ProgressEmail notifications for form owners on new responses
  • PlannedZapier integration for no-code workflow automation
  • PlannedCustom domains (forms.yourdomain.com instead of forms.signalform.io)
  • PlannedConditional logic editor (show/hide questions based on answers)
  • ExploringSelf-hosted option for teams with strict data residency requirements
  • ExploringMulti-language form support and automatic translation

Questions? hello@signalform.io