At a Glance:
Palform is an open-source, end-to-end encrypted form builder with a privacy-focused design, featuring a full codebase written in Rust and Svelte, with cryptographic handling via the Sequoia PGP library and client-side performance boosted by WASM.
Overview:
Palform is an open-source form builder that prioritizes end-to-end encryption and user privacy by minimizing third-party scripts. Its entire codebase, including marketing pages, is publicly available, allowing anyone to inspect, build, or operate the service. The backend is built with Rust using the Rocket framework and SeaORM for high performance, while the frontend leverages Svelte with auto-generated TypeScript bindings. Performance-critical client-side tasks, such as encryption and analytics, are compiled to WASM from Rust. The project uses the Sequoia PGP library for key management and form encryption on both the frontend and backend. It is free to use via European-hosted servers, though self-hosting is possible but currently unsupported and undocumented, with no guaranteed stability from the main branch.
Key Decision Points:
End-to-end encryption: Forms are encrypted using PGP through the Sequoia library, with key management handled on both client and server sides.
Self-hosting limitations: While the codebase allows for self-hosting, it is not officially supported, lacks documentation, and the
mainbranch has no stability guarantees or versioned releases.Performance via WASM: Compute-heavy operations like bulk analytics and encryption are executed as WASM binaries on the frontend, compiled from Rust for significantly better performance than native JS libraries.
Full-stack architecture: The system combines a Rust/Rocket backend, a Svelte frontend, and shared Rust logic compiled to WASM, using auto-generated OpenAPI TypeScript bindings to connect them.
Core Features:
End-to-end encrypted forms: Uses the Sequoia PGP library to encrypt form data and manage keys across the backend and frontend.
Custom TSID database IDs: Uses a prefixed TSID system mapped to Rust types to prevent mismatched resource IDs in the code.
WASM-powered frontend performance: Compiles Rust components into WASM binaries for client-side tasks like encryption and analytics, improving performance over native JS.
Auto-generated OpenAPI bindings: Generates TypeScript bindings automatically from the backend OpenAPI specification for the Svelte frontend.
Privacy-focussed design: Limits the use of third-party scripts and offers the service on European-hosted servers without mandatory user fees.
Use Cases:
Developers and privacy-conscious users who need to build forms with end-to-end encryption and want to avoid third-party script dependencies in their data collection workflows.
Operators who want full source access to a form builder's entire platform, including marketing pages, to inspect its security model or experiment with deployment, despite current self-hosting limitations.
Open-Source Alternative Value:
As an open-source tool, Palform makes its entire codebase available, from the encryption logic and backend architecture to the landing pages. This transparency allows developers to directly examine its end-to-end encryption implementation, which relies on the Sequoia PGP library, and its performance-oriented design using Rust compiled to WASM. While it provides a path for full code inspection and potential customization, official self-hosting support and versioned releases are not yet available, limiting practical independence for self-hosted deployments at this stage.
