Gravity Tables

Security & trust

Your data. Your database. Your control.

Gravity Tables is a self-hosted WordPress plugin. It reads from the entries table Gravity Forms already writes to, and edits go through the same `GFAPI` pipeline as native form submissions. There is no cloud component, no analytics endpoint, no telemetry. This page documents exactly what that means in practice.

  • 0 pings to external servers
  • 100% of data on your hosting
  • Every change logged with user + time
  • 24h security-issue first response

The three pillars

The questions every security review asks. Answered, plainly.

01 Where the data lives

On your hosting, in your database, in tables you already own.

  • Entries are read directly from wp_gf_entry, the same table Gravity Forms writes to. No duplicate database, no synced cache, no third-party data warehouse.
  • Edits go through the standard GFAPI::update_entry_field() pipeline. Validation rules, conditional logic, and per-field hooks all run exactly as if a form was submitted.
  • There is no Gravity Tables cloud. No telemetry endpoint, no analytics ping, no "anonymous usage statistics" opt-out, because there is nothing to opt out of.

02 Who can do what

Three independent permission layers, each gated separately.

  • Layer 1: view access via allowed_roles="..." controls who can see the table at all. Anyone outside the allow-list gets the table's configured fallback (a 403, a "log in to view" message, or the table hidden silently).
  • Layer 2: column-level edit access via allow_edit="..." picks the columns that are editable inline. Columns not in the list render read-only, regardless of role.
  • Layer 3: per-column role gates via edit_permissions="column:role,..." let each editable column require a different role. A rep can update notes; only the manager can change value.
  • All three layers check WordPress capabilities, not role names. Custom-role plugins (Members, User Role Editor, PublishPress Capabilities) work without rewriting the shortcode.
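As an added illustration, not Gravity Tables' own code, here is how a per-column gate of the kind described above can be written so that it compares WordPress capabilities rather than role slugs; the function names are hypothetical, and the rule "the user must hold every capability the named role grants" is an assumption about how such a check could be defined.

```php
<?php
// Illustrative example (not the plugin's implementation): parse an
// edit_permissions="column:role,..." attribute and gate inline edits by
// WordPress capabilities, so roles created by plugins such as Members or
// User Role Editor work without touching the shortcode.

/**
 * Parse "notes:sales_rep,value:manager" into ['notes' => 'sales_rep', ...].
 * Malformed pairs are dropped rather than silently granting access.
 */
function gt_example_parse_edit_permissions( string $attr ): array {
    $map = [];
    foreach ( explode( ',', $attr ) as $pair ) {
        $parts = array_map( 'trim', explode( ':', $pair, 2 ) );
        if ( count( $parts ) !== 2 || $parts[0] === '' || $parts[1] === '' ) {
            continue; // fail closed on junk like "value" or ":manager"
        }
        $map[ sanitize_key( $parts[0] ) ] = sanitize_key( $parts[1] );
    }
    return $map;
}

/**
 * Layers 2 and 3 combined: a column is editable only if it appears in
 * allow_edit AND (when a per-column gate exists) the current user holds every
 * capability granted to the role named for it. Comparing capabilities instead
 * of role names is what lets custom-role plugins work unchanged (assumed rule).
 */
function gt_example_user_can_edit_column( string $column, array $allow_edit, array $edit_permissions ): bool {
    if ( ! in_array( $column, $allow_edit, true ) ) {
        return false; // layer 2: column is not editable for anyone
    }
    if ( ! isset( $edit_permissions[ $column ] ) ) {
        return true;  // layer 3: no per-column gate, layers 1 and 2 already applied
    }
    $role = get_role( $edit_permissions[ $column ] );
    if ( ! $role ) {
        return false; // unknown role slug: fail closed, never open
    }
    // WP_Role::$capabilities is cap => bool; keep only granted caps.
    foreach ( array_keys( array_filter( $role->capabilities ) ) as $cap ) {
        if ( ! current_user_can( $cap ) ) {
            return false;
        }
    }
    return true;
}

// Usage inside a shortcode handler, with the attribute values shown on this page:
// $allow    = array_map( 'trim', explode( ',', 'notes,value' ) );
// $perms    = gt_example_parse_edit_permissions( 'notes:sales_rep,value:manager' );
// $editable = gt_example_user_can_edit_column( 'value', $allow, $perms );
```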

03 What gets logged

Every edit, every export, every bulk action, with user, timestamp, and the before/after values.

  • audit_log="true" enables the audit table. Every cell edit records: entry id, field id, old value, new value, user id, IP address, timestamp.
  • Exports are logged with the column set + active filter state, so you know not just *that* someone exported, but *what slice* of data left the system.
  • Bulk actions are logged as a single audit entry with the affected entry ids, action name, and outcome.
  • Audit log retention is configurable. Default: forever. For high-volume sites, set audit_log_retention_days="365" to auto-prune older rows.
  • Audit data is queryable from the WordPress admin: Tables → System → Audit log, filterable by user, by entry, by date.

Compliance

GDPR, data residency, subprocessors. All in one place.

We're a small team, so the compliance picture is small too, which is the point. Less surface area, fewer places things can go wrong.

GDPR / data subject rights
WordPress's built-in personal data export and erasure tools include Gravity Forms entries by default. Gravity Tables doesn't add a separate data store, so when a request comes in, the existing WP exporter handles it. No custom plumbing required.
Right to rectification
A logged-in user with `allow_edit` access can correct their own data inline. Pair with `filter_user_owns="..."` to scope the table to the user's own rows, and the rectification right is self-serve.
Audit trail for compliance reviews
Auditors asking "who accessed this record" get a single CSV export from the audit log. Auditors asking "who changed this field" get exact before/after values with user attribution.
Data residency
Whatever country your WordPress hosting is in, that's where your data is. EU data on EU hosting stays in the EU. We literally can't move it because we don't store it.
No third-party processors
License activation goes through Freemius (the licensing layer used by 8,000+ WP plugins). No customer entry data is ever transmitted to Freemius, only the license key.
Subprocessor list
**Freemius** (license validation, payment processing). That's it. The full list is one item long, deliberately.

Responsible disclosure

Found a vulnerability? Here's the contract.

We treat disclosure as a partnership, not a reporting form. The expectations both ways are explicit and listed below, so neither side has to guess what happens next.

How to report
Email security@fahdmurtaza.com with reproduction steps. PGP key on request.
Acknowledgement window
Within 24 hours. We'll confirm receipt and assign a tracking id.
Triage window
Within 72 hours. We'll classify severity and share the patch plan.
Patch window
Critical: ≤ 7 days. High: ≤ 14 days. Medium: next minor release. Low: next major release.
Public disclosure
Coordinated. We credit the reporter in the release notes (opt-out available) and avoid technical details until ≥ 80% of installs have updated.

Honesty section

What we don't claim.

Most security pages list certifications the company doesn't actually have. We list ours plainly:

  • No SOC 2. The plugin doesn't store your data on our infrastructure, so SOC 2 wouldn't apply to anything that matters. Audit your hosting provider instead.
  • No ISO 27001. Same reason.
  • No third-party penetration test on file. We do internal static analysis on every release (PHPStan, PHPCS-WPCS, security-focused linters) and engage paid review on major versions. If your security team needs an external pen-test, the source is on hand to share under NDA.
  • No bug bounty program. We pay reporters case-by-case based on severity; we don't hide behind a "scope" doc that tries to define disclosure away.

If your procurement requires any of the above, that's a signal Gravity Tables may not be the right fit yet, and that's fine. Tell us; we'll let you know honestly whether we can meet the bar.

Ready when you are

Stop exporting CSVs. Start shipping dashboards.

10 days of full Pro access. If it doesn't pay for itself in the first week, you don't have to keep it.