Data Processing Agreement
Last updated: June 10, 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between FormFlow (“Processor”, “we”) and the customer (“Controller”, “you”) under the Terms of Service. It applies wherever we process personal data contained in your form submissions on your behalf, including where the GDPR or equivalent legislation applies.
1. Roles and scope
For submission data — the form fields, uploaded files and associated metadata (IP address, country, user agent, referrer) received through your forms — you are the controller and FormFlow is the processor. For our own account and billing data we act as an independent controller; that processing is described in the Privacy Policy and is out of this DPA’s scope.
2. Details of processing
- Subject matter: operation of the FormFlow form-backend service.
- Nature and purpose: receiving, storing, displaying and forwarding form submissions (email notifications, webhook deliveries, file storage, aggregate analytics) on your instructions.
- Categories of data: whatever your forms collect — typically contact details and free-text messages — plus technical metadata; uploaded files as submitted.
- Data subjects: the people who submit your forms.
- Duration: the retention window you configure (capped by your plan), and in any case no longer than the agreement plus the deletion windows below.
3. Your instructions
We process submission data only on your documented instructions: this DPA, your form and account configuration (retention windows, notification targets, webhook endpoints), and your use of the API and console. We will inform you if, in our opinion, an instruction infringes applicable data protection law.
4. Confidentiality and security
Persons authorized to process submission data are bound by confidentiality. We implement appropriate technical and organizational measures, including: encryption in transit (TLS) and at rest (Cloudflare D1/R2/KV storage encryption), hashed API credentials, scoped key types with one-time display, per-account data isolation, audit logging of management actions, and the anti-abuse controls described in the documentation. We assist you, taking into account the nature of processing, with your obligations regarding security, data subject requests, breach notification and impact assessments (Art. 32–36 GDPR).
5. Subprocessors
You authorize the following subprocessors:
| Subprocessor | Purpose | Location of processing |
|---|---|---|
| Cloudflare, Inc. | Edge compute, storage (D1, R2, KV), networking | Global edge; primary storage with EU jurisdiction setting |
| Resend, Inc. | Transactional email delivery (notifications, sign-in links) | United States |
We will give at least 14 days’ notice (changelog and/or email) before adding or replacing a subprocessor, during which you may object on reasonable data protection grounds; if we cannot accommodate the objection you may terminate the affected service. Subprocessors are bound by data protection obligations no less protective than this DPA.
6. International transfers
Where processing involves transfers outside the EU/EEA (or another jurisdiction with transfer restrictions), the parties rely on the EU Standard Contractual Clauses (2021/914) as incorporated in our subprocessors’ data processing terms (including the Cloudflare DPA and Resend DPA), together with supplementary measures where required.
7. Data subject requests and breach notification
We forward to you, without undue delay, any request from a data subject that we can attribute to your forms, and we provide the console and API tooling (search, export, deletion) needed to fulfil such requests yourself. We notify you without undue delay after becoming aware of a personal data breach affecting submission data, with the information reasonably required for your own notifications.
8. Deletion and return
You can export submission data at any time via the console or API and delete it at any time (per submission, per form, or by deleting your account). On termination of the agreement, we delete remaining submission data within 30 days, except minimal records retained where required by law. Configured retention windows delete data automatically during the agreement.
9. Audit
We make available the information reasonably necessary to demonstrate compliance with this DPA (including summaries of third-party audits and certifications of our subprocessors) and, where legally required, allow audits by you or a mandated auditor, at reasonable intervals, on reasonable notice, and without access to other customers’ data.
10. Precedence
If this DPA conflicts with the Terms of Service, this DPA prevails for the processing of personal data. Questions: contact@formflow.cc.