Data Processing Agreement (DPA)

Effective Date: January 2025

This Data Processing Agreement (“DPA”) forms part of the Terms of Service or other written agreement between Formester (“Processor” or “Formester”) and the customer (“Controller” or “Customer”) governing the use of Formester’s form-building and data collection services (the “Services”).

This DPA is designed to meet the requirements of applicable data protection laws, including the GDPR, UK GDPR, and other global privacy regulations, and reflects industry standards followed by companies such as Typeform and Jotform.


1. Definitions

For the purposes of this DPA:

  • Applicable Data Protection Law means all laws and regulations applicable to the processing of Personal Data, including GDPR (EU) 2016/679, UK GDPR, CCPA, and similar laws.
  • Controller means the entity that determines the purposes and means of Processing Personal Data. The Customer acts as the Controller.
  • Processor means the entity that processes Personal Data on behalf of the Controller. Formester acts as the Processor.
  • Customer Data means all data submitted to the Services by or on behalf of Customer, including Personal Data.
  • Personal Data means any information relating to an identified or identifiable natural person that is processed by Formester on behalf of Customer.
  • Processing means any operation performed on Personal Data, including collection, storage, use, transmission, or deletion.
  • Data Subject means an identified or identifiable individual whose Personal Data is processed.
  • Security Incident means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
  • Sub-processor means any third party engaged by Formester to process Personal Data on behalf of Customer.
  • Standard Contractual Clauses (SCCs) means the EU-approved contractual clauses for international data transfers.

2. Scope and Applicability

  1. This DPA applies to all Processing of Personal Data by Formester on behalf of Customer in connection with the Services.
  2. Customer acts as Controller, and Formester acts as Processor.
  3. This DPA remains in effect for the duration of the Services and automatically terminates upon termination of the underlying agreement.

3. Customer Obligations

Customer represents and warrants that:

  • It has obtained all necessary rights, consents, and lawful bases to provide Personal Data to Formester.
  • It complies with all Applicable Data Protection Laws.
  • It is responsible for the accuracy, quality, and legality of Personal Data collected.
  • Data Subjects are informed about the processing of their Personal Data and provided with required privacy notices.

4. Formester’s Processing of Personal Data

  1. Formester processes Personal Data only on documented instructions from Customer.

  2. Processing instructions include:

    • Providing the Services under the Terms of Service
    • Actions initiated by Customer or end users through the Services
    • Written communications between Customer and Formester
  3. Formester will inform Customer if an instruction violates Applicable Data Protection Law.

  4. Formester does not use Customer Data for analytics, advertising, marketing, or product training.


5. Confidentiality

  • All personnel authorized to process Personal Data are bound by confidentiality obligations.
  • Access to Personal Data is limited to personnel who require it to provide the Services.
  • Confidentiality obligations survive termination of employment or contract.

6. Security Measures

Formester implements appropriate technical and organizational measures, including:

  • Encryption of Personal Data at rest and in transit (TLS/HTTPS)
  • Role-based access controls and authentication
  • Encrypted automated backups with a 90-day retention policy
  • Logging and monitoring of access
  • Annual third-party penetration testing
  • Regular testing and evaluation of security controls

Formester will not materially reduce security protections during the term of this DPA.


7. Sub-processors

Customer authorizes Formester to engage Sub-processors.

Sub-processor | Purpose | Location
Heroku (Salesforce) | Application hosting & database storage | United States
Amazon Web Services (AWS) | File storage (S3), email (SES) | United States

  • All Sub-processors are bound by written data protection agreements.
  • Formester remains fully liable for Sub-processor performance.

8. Data Subject Rights

  • Formester will promptly notify Customer of any Data Subject request.
  • Formester will not respond directly to Data Subjects unless legally required.
  • Formester provides reasonable assistance to enable Customer to fulfill requests.

9. Security Incidents

  • Formester will notify Customer without undue delay and within 72 hours of becoming aware of a Security Incident.

  • Notifications will include:

    • Nature of the incident
    • Categories and approximate number of affected Data Subjects
    • Categories and approximate number of affected records
    • Likely consequences
    • Remediation steps taken
  • This section does not apply to incidents caused by Customer or its users.


10. Audits and Compliance

  • Formester will provide information necessary to demonstrate compliance.

  • Audit requests:

    • Limited to once per year
    • Require 30 days’ written notice
    • Must not disrupt operations
    • Are at Customer’s expense
  • Relevant third-party audit reports may be shared under confidentiality.


11. International Data Transfers

  • Personal Data may be processed in the United States.
  • Transfers from the EEA, UK, or Switzerland are governed by SCCs.
  • Appropriate safeguards are implemented to protect transferred data.

12. Return and Deletion of Data

  • Upon termination or written request, Customer may request:

    • Return of Personal Data, or
    • Secure deletion
  • Production data is hard-deleted upon request.

  • Backup data is deleted within 90 days.

  • Written certification of deletion is available upon request.


13. Cooperation and DPIAs

Formester will reasonably assist Customer with:

  • Data protection impact assessments
  • Regulatory consultations

Assistance is limited to information within Formester’s reasonable control.


14. Limitation of Liability

  • Liability under this DPA is subject to the limitation of liability in the Terms of Service.
  • Nothing limits liability where prohibited by law.

15. General Provisions

  • Governing law follows the Terms of Service.
  • In case of conflict, this DPA prevails for data protection matters.
  • Amendments require written agreement.
  • Invalid provisions do not affect remaining terms.

Schedule 1 – Standard Contractual Clauses

EU SCCs (Commission Decision 2021/914) apply to applicable international transfers.

  • Module: Controller → Processor
  • Sub-processor authorization: General
  • Governing law: EU exporter’s country or Ireland
  • Jurisdiction: Exporter’s courts or Ireland

UK and Swiss transfers follow applicable addenda and local adaptations.


Schedule 2 – Details of Processing

Nature & Purpose: Provision of form-building and data collection services.

Duration: For the term of the service agreement and as required by law.

Data Subjects: End users, customers, employees, contractors, and others determined by Customer.

Personal Data Categories: Contact details, professional data, demographics, files, financial data (if collected).

Special Categories: Only if submitted by Customer, who is responsible for lawful basis.

Processing Operations: Collection, storage, transmission, retrieval, display, and deletion.

Processing Location: United States (Heroku & AWS infrastructure).