Good catch. While the site isn't served over SSL, the actual Wufoo form is. And Stripe (who we're using to process the payments) only allows payments over SSL (https://stripe.com/help/ssl) so your information is safe.
Admirable, but this doesn't really help the scenario where the outer page is intercepted and modified to serve a different iframe. (This is a common attack on pages that e.g. serve login forms over http, even though the form submits to https. Just change the form in-flight.)