Picking a form backend in 2026 is harder than “just use Formspree” or “just use Netlify Forms” suggests

I compared six products that all answer “POST my contact form somewhere useful” but sit in your stack very differently: Formspree, Web3Forms, Basin, Netlify Forms, Formcarry, and Forminit. The quick forum answers skip the part that actually matters: whether the endpoint is portable across hosts, how painful spam gets at scale, what retention and webhooks cost you later, and whether the vendor’s compliance story will survive procurement.

For a hobby static site or landing page, my default is Web3Forms. The free tier gives you 250 submissions per month, unlimited forms and domains, hCaptcha, and custom redirects. Paid plans add file uploads, webhooks, and more bot checks. The tradeoff is a practical privacy story, not an enterprise one: HTTPS, encryption at rest on AWS, and GDPR/CCPA language in the docs, but no public SOC attestation that I could find.

For an SMB marketing site or lead funnel where spam filtering and webhook reliability matter, I would look at Basin first. Basin has the broadest workflow depth in this set: signed webhooks with retries, configurable retention, Google Sheets and Slack integrations, multi-step forms on higher tiers, and published overage pricing that keeps accepting submissions instead of hard-stopping you. The free tier is tighter (50 submissions per month, one form).

For teams that need a vendor review packet, Formspree is the strongest documented option here. It publishes AWS US hosting, AES-256 at rest, TLS 1.2+, SOC 2 Type II, GDPR with SCCs, and a maintained JS/React toolchain. I could verify free-tier feature gates from official help content, but not reliably extract current dollar prices from the client-rendered pricing page at research time.

If you are already on Netlify and do not care about portability, Netlify Forms is hard to beat on price since April 2026: forms are free and unlimited on credit-based plans. You trade host independence for deploy-time form detection and same-platform notifications.

For EU-centric privacy, Formcarry and Forminit are the shortlist. Formcarry’s DPA names Frankfurt for core hosting; Forminit states AWS Ireland residency and ships typed fields with protected submission modes. One naming note: Getform.io rebranded to Forminit in January 2026. If you are following older tutorials, update the links.

I prioritized official docs, pricing pages, security pages, and status pages from mid-June 2026. Where docs were thin, I say so instead of guessing.

You cannot compare these on free submission counts alone

Two architectural groups explain most of the tradeoffs.

flowchart LR
    Site[Static site or SPA]
    subgraph HostAgnostic
      FS[Formspree]
      W3[Web3Forms]
      B[Basin]
      FC[Formcarry]
      FI[Forminit]
    end
    subgraph PlatformCoupled
      NF[Netlify Forms]
    end
    Site -->|POST to endpoint| FS
    Site -->|POST to endpoint| W3
    Site -->|POST to endpoint| B
    Site -->|POST to endpoint| FC
    Site -->|POST to endpoint| FI
    Site -->|Same-site submit after deploy scan| NF
PatternProductsWhat you trade
Host-agnostic endpointFormspree, Web3Forms, Basin, Formcarry, ForminitPortability vs running a separate vendor
Platform-coupled featureNetlify FormsZero extra vendor on Netlify vs lock-in and deploy parsing

The questions I ask before picking one:

QuestionWhy it matters
Stack positionNeutral API endpoint vs Netlify deploy-time form detection
Operational depthSpam controls, webhooks, retention, uploads, and export
Privacy postureSOC 2, EU hosting, DPA clarity, subprocessors
Quota behaviorHard stop vs overage billing vs storing excess until upgrade

A cheap plan with weak spam tooling can cost more in staff time than a pricier plan with better filtering. Basin, Formspree, and Web3Forms all call this out in their docs or product copy, and I think they are right.

Free tiers at a glance

ProviderFree tierPaid entryUploads, spam, webhooksSecurity / residencyBest fit
FormspreeVerified free plan; 30-day submission history, 2 notification emails; dollar prices not reliably extracted from pricing pagePaid tiers expand retention, uploads, collaboration; exact prices not stated hereUploads on paid; 25 MB/file, 10 files/submission, 20 posts/min; AJAX, domain restriction, exportsAWS US, AES-256 at rest, TLS 1.2+, SOC 2 Type II, GDPR/SCCs, CCPASecurity-conscious dev teams wanting a general-purpose backend
Web3Forms250/mo; unlimited forms/domains; hCaptcha; 30-day historyStarter $49/year (5,000/mo special); Pro $149/year (~$12/mo); Agency $399/year (~$33/mo); over limit: submissions stopFree: redirects, spam protection. Paid: uploads, reCAPTCHA/Turnstile, autoresponders, webhooks, Slack/Discord/Telegram/SheetsHTTPS, encryption at rest on AWS; 30-day free / 1-year paid retention; GDPR/CCPA languageHobby sites, landing pages, fast prototypes
Basin50/mo, 1 form, 30-day retention, basic spam, AJAX, ZapierStarter $12.50/mo yearly (250/mo); Growth $24.17; Pro $40.83; Agency $108.33; overages billed, submissions continueBroadest set: signed webhooks with retries, Sheets/Slack/Zapier/Make, multi-step forms, advanced spam filtersEncryption in transit/at rest, 2FA, RBAC; hosting region and certifications not clearly documentedSMBs, agencies, lead funnels needing workflow depth
Netlify FormsFree and unlimited on credit-based plansPlatform: Free $0, Personal $9, Pro $20 (credits, not per-form pricing)Akismet default; honeypot/reCAPTCHA optional; 8 MB/request upload cap, 30s timeout; CSV export, FunctionsPlatform SOC 2 Type II, ISO 27001; forms tied to Netlify deploy modelTeams already on Netlify
FormcarryBaby: 50/mo, 1 formStarter $5/mo annual (500/mo); Basic $15; Premium $80; enterprise 99.9% SLA advertisedAJAX all plans; files paid only (10 MB/file); Zapier, webhooks, APIs; own SMTP on paidCore hosting on DigitalOcean Frankfurt; DPA lists subprocessorsEU-centric privacy-sensitive SMBs
Forminit100/mo, 30-day archivePro $19/mo (3,000/mo); Business $49/mo (10,000/mo)25 MB files; public/protected modes; REST API and webhooks on paid; JS SDKAWS Ireland stated; GDPR positioning; thinner incident/SLA evidenceDevs wanting typed validation beyond email pipes
FormKeepNot fully captured in this passNot stated hereWebhooks, Zapier, JSON API, email/Slack advertisedPricing, retention, security not fully diligencedSecond diligence pass if already shortlisted

Formspree file uploads gate to Personal, Professional, and Business. Custom email templates gate to Business. API versioning gates to Professional and Business, per official help content.

What the free tiers actually feel like in use

Formspree: mature general-purpose backend with the best security docs

Formspree is the most polished host-agnostic option in this group if you want HTML forms, JavaScript/AJAX submission, React tooling, stored submissions, exports, thank-you redirects, and project-level domain restriction. It also documents a CLI and API versioning on higher tiers, which tells me it is built for teams that operationalize forms, not just forward emails.

Platform limits are published and useful: 20 posts per minute per form, 25 MB per file, up to 10 files per submission, 100 MB total request size, 30-second timeout. Server-side validation and ML spam protection are advertised on the product page.

Security documentation is unusually strong for a form-backend vendor. Formspree states AWS US hosting, AES-256 at rest, TLS 1.2+, least-privilege controls, incident response processes, SOC 2 Type II, GDPR with SCCs, and CCPA participation. Its status page showed 100% uptime over the visible 90-day window for submissions API, processing, dashboard, and website at capture time. That is transparency, not a contractual SLA.

Pricing is where my research hit a wall. I verified free-tier retention (30 days) and notification email limits (two linked emails). I could not reliably pull current public dollar amounts from the client-rendered pricing page, so I am not quoting Formspree plan prices in this post. Re-check live pricing before you commit.

The public JS monorepo on GitHub had a relatively short open-issue list at capture time, and developer threads show working React Hook Form integrations. Quieter than Netlify’s forum noise, generally cleaner signal.

Web3Forms: browser-first endpoint for static sites

Web3Forms optimizes for “give me an endpoint right now.” POST to https://api.web3forms.com/submit with an access key, get email notifications and stored submissions, optionally add bot checks and redirects. The docs recommend client-side usage, which keeps setup light for static sites and marketing pages.

The free tier is generous relative to Basin or Formcarry: 250 submissions per month, unlimited forms and domains, advanced spam protection, hCaptcha, custom redirects. Paid tiers add file uploads, reCAPTCHA and Cloudflare Turnstile, autoresponders, domain restriction, multiple recipients, CC, webhooks, and integrations like Slack, Discord, Telegram, and Google Sheets. Zapier, Airtable, Make, Notion, and n8n route through webhooks.

Exceeding the monthly limit does not trigger overage billing. Submissions stop until the next month or you upgrade. I prefer predictable bills, but hard stops beat surprise invoices on a side project.

The submissions API is rate limited at 20 requests per second with a burst of 50, returning 429 and Retry-After when exceeded. Troubleshooting docs say IPs can be blocked for an hour after too many rapid submissions. That fits a browser-first product with real abuse pressure.

Security is practical: HTTPS, encryption at rest on AWS, 30-day retention on free and one year on Pro/Agency. CleanTalk and Akismet appear as spam subprocessors in the privacy policy. I did not find a public SOC or ISO attestation. The status page showed 100% uptime on visible API surfaces over 90 days, with no incidents reported March through May 2026.

Basin: the operations-heavy pick for lead funnels

Basin is what I would choose when a contact form is really a lead pipeline. Notification emails, autoresponses, file uploads, analytics, geolocation, secure attachments, API access, signed webhooks, custom email domains, SMTP, Google Sheets, Slack, Discord, Mailchimp, Zapier, Make, and a drag-and-drop form builder are all in the official materials. Higher tiers add multi-step forms, incomplete submission capture, automated reprocessing, and AI lead tooling.

Pricing is unusually transparent. Free: one form, 50 submissions per month, 30-day retention. Starter $12.50/month yearly (250/mo), Growth $24.17 (1,000/mo), Pro $40.83 (5,000/mo), Agency $108.33 (25,000/mo). Unlike most competitors, Basin keeps accepting submissions over quota and bills overages on a published sliding scale from $5.25 per extra 1,000 down to $2 per 1,000 at volume.

Spam and workflow controls are where Basin pulls ahead. Docs cover reCAPTCHA v2/v3, hCaptcha, Cloudflare Turnstile, AI spam detection, duplicate filters, country and radius filters, burner-email checks, custom content filters, browser/user-agent blacklists, email and phone validation, and Cloudflare WAF. Webhooks can be signed; failed deliveries retry up to 15 times over 24 to 28 hours with exponential backoff, and you can re-fire them manually or via API.

Security docs mention encryption in transit and at rest, 2FA/MFA, role-based permissions, regenerable API keys, and configurable retention with automatic deletion multiple times per day. I did not find a clearly documented primary hosting region or published SOC/ISO certification in the sources I reviewed.

Basin JS handles AJAX submission, redirects, alerts, and captcha setup. Docs cover Webflow, WordPress, Shopify, and React-adjacent patterns. If your team wires forms into Slack and Sheets without building a backend, Basin is the most complete option here.

Netlify Forms: convenient, host-locked, noisy on spam

Netlify Forms is a platform feature, not a neutral endpoint. Netlify scans deployed HTML when form detection is enabled, then handles submissions inside the platform. Add netlify or data-netlify="true", optionally submit via AJAX, store data in the Forms UI, export CSV, attach notifications or Functions. Elegant on Netlify. Wrong tool if you might move hosts.

File uploads exist but are constrained: one file per field, 8 MB maximum request size, 30-second timeout. Fine for ordinary lead forms. Less attractive than Basin, Formspree, Forminit, or Formcarry if uploads are central.

Spam goes through Akismet by default, with optional honeypot and reCAPTCHA 2. Community feedback is mixed. Forum threads report spam getting through despite precautions and legitimate submissions landing in spam. I do not think Netlify is uniquely bad here, but the operational burden is higher than “it is built in” suggests.

Since April 2026, forms on credit-based plans are free and unlimited. Platform pricing is Free $0 (300 monthly credits), Personal $9 (1,000 credits), Pro $20 (3,000 credits). For orgs already on Netlify, adding forms is much cheaper than it used to be.

Platform security is strong: HTTPS, DDoS protections, SOC 2 Type II, ISO 27001, GDPR/CCPA/PCI-DSS alignment, and a Very Good Security integration for PII-heavy uploads. I did not find a forms-only data-region guarantee; Function regions are configurable on the broader platform, but forms residency is not spelled out in the sources I gathered.

Netlify’s status page showed 99.74% overall uptime at capture time with Forms operational. Broader platform incidents appeared in February and May 2026. For Netlify Forms, setup and debugging friction often matters more than raw uptime.

Formcarry: EU hosting with a clear DPA

Formcarry is a classic host-agnostic endpoint with a strong privacy story. Email notifications, file uploads, spam filtering, autoresponses, custom templates, field validation, Zapier, form and submission APIs, JSON/form-data/x-www-form-urlencoded ingestion, and AJAX on all plans. Paid plans add your own email server. Public docs cover Fetch, Axios, jQuery, React, Vue, and XHR, plus a React library.

Pricing is clear and cheap at entry: Baby free (1 form, 50/mo), Starter $5/month billed annually (unlimited forms, 500/mo), Basic $15 (2,000/mo), Premium $80 (30,000/mo). Custom enterprise arrangements advertise a 99.9% uptime SLA, which is more than most form backends publish.

If you exceed your monthly limit, Formcarry stores excess submissions securely until the first of the next month. You cannot access them without upgrading, but they are not discarded. Spam is marked, not deleted; spam email notifications are suppressed by default. reCAPTCHA v2 and v3 are supported; a hidden _gotcha honeypot is recommended. On paid plans, spam does not count against quotas. On the free Baby plan, it does.

The DPA states core application and database hosting on DigitalOcean in Frankfurt, Germany, with subprocessors including AWS SES/S3 in the US and Akismet under SCCs. EU core storage does not mean zero cross-border transfer; optional subprocessors still involve extra-EU flows.

Operational transparency is thinner than Formspree, Web3Forms, or Netlify. Rate limiting and incident history are less visible in public docs. Usable product, less public evidence.

Forminit: typed headless backend (formerly Getform)

Forminit replaced Getform.io in a January 2026 rebrand. Positioning is more developer-opinionated than older “form pipe” products: typed fields, server-side validation, a small JS SDK, public and protected submission modes, 25 MB uploads, REST API and webhooks on paid plans, workspaces, attribution capture, and AWS Ireland data residency.

Pricing is simple: Free 100 submissions per month with 30-day archive, Pro $19/month (3,000/mo), Business $49/month (10,000/mo). Custom SMTP on Business. CAPTCHA and honeypot support are documented.

If you care about protected submission modes and typed validation semantics, Forminit is technically interesting. I did not gather enough independent community or incident evidence to rank reliability at the same confidence as Basin, Formspree, Web3Forms, or Netlify.

FormKeep: plausible, not fully diligenced

FormKeep looks viable for marketing and lead-routing from the limited official material I collected: webhooks, Zapier, JSON API, email and Slack notifications, collaboration, and anti-spam positioning. I did not complete a comparable pass on pricing, retention, or privacy/security specifics. Treat it as a plausible shortlist entry that needs its own diligence before purchase.

Security, residency, and compliance

AttributeFormspreeWeb3FormsBasinNetlify FormsFormcarryForminit
Hosting regionAWS US (documented)AWS (documented)Not clearly documentedPlatform-wide; no forms-only residency statedDigitalOcean Frankfurt (DPA)AWS Ireland (stated)
Encryption at restAES-256Yes, on AWSYes, per FAQPlatform standardPer privacy docsPer site/legal docs
Encryption in transitTLS 1.2+HTTPSYesHTTPSHTTPSHTTPS
CertificationsSOC 2 Type IINone found publiclyNone found publiclySOC 2 Type II, ISO 27001GDPR/CCPA language; no SOC foundGDPR positioning; no SOC found
GDPR postureProcessor with SCCsRights language in privacy policyConfigurable retention/deletionPlatform GDPR/CCPA alignmentDPA with subprocessors listedEU residency stated
Status page quality100% visible 90-day window100% visible 90-day windowLess prominent99.74% platform uptime at captureThinner public ops detailThinner public ops detail

Netlify recommends extra controls for PII-heavy form uploads and regular export/deletion of sensitive submission data. Formcarry’s DPA is the most concrete about EU core hosting in this set, with honest subprocessors disclosure.

Uptime, spam, and forum noise

Formspree, Web3Forms, and Netlify publish the strongest public uptime transparency in the sources I reviewed. Formspree and Web3Forms both showed 100% over visible 90-day windows for core submission surfaces. Netlify’s broader status page showed 99.74% overall with Forms listed operational.

Community signal is loudest for Netlify Forms and it is mixed on spam. Formspree’s GitHub footprint is smaller but cleaner. Basin, Web3Forms, Formcarry, and Forminit lean more on vendor-hosted testimonials and docs than independent review-aggregator data. I did not run a broad G2 or Capterra pass for every vendor.

For Basin, Web3Forms, Formcarry, Forminit, and FormKeep, limited independent review visibility is a research gap, not necessarily a product quality verdict.

What I would pick

flowchart TD
    start[Need host-agnostic form backend?] -->|No, already on Netlify| netlify[Netlify Forms]
    start -->|Yes| secQ{Need strongest published security controls?}
    secQ -->|Yes| formspree[Formspree]
    secQ -->|No| opsQ{Need advanced routing, overages, agency workflow?}
    opsQ -->|Yes| basin[Basin]
    opsQ -->|No| freeQ{Need best free plan or static-site simplicity?}
    freeQ -->|Yes| web3[Web3Forms]
    freeQ -->|No| euQ{Need EU-centric data residency from public docs?}
    euQ -->|Yes| eu[Formcarry or Forminit]
    euQ -->|No| dx[Formspree or Forminit by DX preference]

Hobby project, indie site, or landing page: Web3Forms first. More free submissions, redirect support, and basic anti-spam without much setup. Formcarry Baby is the backup if EU privacy matters more than free volume.

SMB marketing site or lead funnel: Basin first for spam controls, webhook retries, Sheets/Slack/API wiring, and published overages. Formspree second when compliance documentation beats workflow depth. Netlify Forms only if the company is already committed to Netlify.

Enterprise or regulated environment: Formspree as the default. SOC 2 Type II and published security controls are easier to defend in vendor review. Netlify works if forms sit inside a broader Netlify platform standardization and host lock-in is acceptable.

Privacy-focused EU deployment: Formcarry and Forminit. Formcarry has better DPA transparency in the data I collected; Forminit looks more modern on API semantics. Formspree can work for privacy-conscious teams but is explicitly US-hosted with SCCs, not EU residency.

Web3 or “just give me an endpoint” flow: Web3Forms. Browser-first design, access key model, and static-site docs match that use case.

For net-new picks outside Netlify: Web3Forms for hobby static sites, Basin for lead operations, Formspree when procurement asks for certifications, Formcarry or Forminit when EU residency is non-negotiable.

Gaps in the public docs

Formspree renders pricing client-side. I could verify plan tiers and feature gates, but not reliable dollar amounts from the HTML I could scrape.

I did not fully verify FormKeep on pricing, retention, or security. Treat that row as incomplete until you read their docs yourself.

This post weights GitHub issues, forums, and status pages more than G2 or Capterra scores. Few of these tools have meaningful aggregator ratings anyway.

Status-page uptime figures are transparency signals, not SLAs. Formcarry is the exception where 99.9% shows up on custom enterprise deals.

Sources

Formspree

Formspree homepage
Formspree pricing
Formspree security
Formspree documentation
Formspree status
Formspree JS GitHub

Web3Forms

Web3Forms homepage
Web3Forms pricing
Web3Forms documentation
Web3Forms status

Basin

Basin homepage
Basin pricing
Basin documentation
Basin

Netlify Forms

Netlify Forms setup
Netlify Forms setup
Netlify pricing
Netlify security
Netlify status

Formcarry

Formcarry homepage
Formcarry pricing
Formcarry documentation
Formcarry privacy

Forminit

Forminit homepage
Forminit FAQ
Forminit documentation

FormKeep

FormKeep homepage