Data Processing Agreement

Last updated: September 23, 2025
(Controller ↔ Processor — Art. 28 GDPR; includes EU SCCs 2021/914 by reference)
This Data Processing Agreement (“DPA”) forms part of the agreement for Services between the entity identified below as Customer (the “Controller”) and Formflow Solutions LLC (DBA “Formflow”) (the “Processor”), together, the “Parties.”
Processor (Formflow):
Formflow Solutions LLC (DBA “Formflow”)
EIN: 39-3117060
100 E Linton Blvd, Suite 403B, Delray Beach, FL 33483, United States
Contact: Jason K Williamson, CEO — [email protected] — +61 467 670 379
Website: https://www.getformflow.io
Controller (Customer):
[Insert full legal name, address, contact email]
Effective Date: [Date]
Principal Agreement: [e.g., Master Subscription Agreement / Terms of Service] (the “Principal Agreement”). In case of conflict, this DPA prevails over the Principal Agreement as to Personal Data processing.


1) Definitions
Capitalized terms not defined here have the meanings in the GDPR or the SCCs.
“Applicable Data Protection Laws” means (as applicable) the EU GDPR (Regulation (EU) 2016/679), the UK GDPR and Data Protection Act 2018, and the Swiss FADP.
“Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, “Supervisory Authority” have the meanings in the GDPR.
“Customer Data” means Personal Data that Controller submits to or collects via the Services for Processing by Processor on behalf of Controller.
“Services” means the Formflow SaaS (app.getformflow.io) and related support and integrations described in the Principal Agreement.
“Sub-processor” means a processor engaged by Processor to Process Personal Data on behalf of Controller.
“SCCs” means the European Commission Standard Contractual Clauses (EU Commission Implementing Decision (EU) 2021/914) for international transfers, including applicable Modules and Annexes incorporated by reference into this DPA.
“UK Addendum / UK IDTA” means the UK International Data Transfer Addendum (issued by the UK ICO) that amends the SCCs for UK transfers.
“Swiss Addendum” means adjustments required under Swiss FADP when SCCs are used for transfers from Switzerland.


2) Scope and Roles
2.1 Roles. Controller is the data controller; Processor is the data processor. Processor will Process Customer Data only on documented instructions from Controller, including via Controller’s configuration and use of the Services.
2.2 Purpose. Processing is for provision of the Services (form creation/hosting, submission handling, notifications, analytics integrations expressly enabled by Controller).
2.3 Details. Subject matter, duration, nature/purpose, categories of Data Subjects and Personal Data are in Annex I.


3) Controller Instructions
3.1 Processor will Process Customer Data only on Controller’s documented instructions, including (i) this DPA, (ii) the Principal Agreement, (iii) Controller’s in-product settings and API calls, and (iv) written instructions from authorized contacts.
3.2 Processor shall promptly inform Controller if, in its opinion, an instruction infringes Applicable Data Protection Laws (without assessing Controller’s compliance obligations).


4) Confidentiality and Personnel
4.1 Processor ensures that persons authorized to Process Customer Data are bound by confidentiality obligations and receive appropriate data protection and security training.
4.2 Processor restricts access to Customer Data to personnel with a legitimate operational need.


5) Security (Art. 32 GDPR)
5.1 Processor implements appropriate technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. A description of measures is in Annex II (TOMs).
5.2 Processor will maintain policies covering access control, encryption in transit and at rest, vulnerability management, business continuity/disaster recovery, logging/monitoring, and secure software development practices.


6) Sub-processors
6.1 Authorization. Controller authorizes Processor to engage Sub-processors listed in Annex III and any replacements/additions under this Section.
6.2 Flow-down. Processor will enter into written agreements with Sub-processors imposing data protection obligations no less protective than those in this DPA (including SCCs where required) and remains liable for Sub-processors’ performance.
6.3 Changes. Processor will provide advance notice of new or replaced Sub-processors (e.g., via a public page or email). Controller may object on reasonable data protection grounds within 30 days of notice. If the Parties cannot agree on an alternative, Controller may suspend the affected Service(s) or terminate the relevant order for convenience with a pro-rated refund of prepaid fees for the terminated portion.


7) Assistance to Controller
7.1 Data Subject Requests. Taking into account the nature of Processing, Processor will assist Controller by appropriate technical and organizational measures to respond to Data Subject requests under Chapter III GDPR. If Processor receives a request directly, it will notify Controller and not respond except on Controller’s written instruction.
7.2 Security / DPIAs. Processor will provide Controller with information reasonably necessary to demonstrate compliance (including security overviews and third-party attestations where available) and will assist with data protection impact assessments and prior consultations with Supervisory Authorities, to the extent required by law and related to the Services.
7.3 Records. Processor will maintain records required under Art. 30(2) GDPR for the categories of Processing it performs on behalf of Controller.


8) Personal Data Breach
Processor will notify Controller without undue delay (aiming for initial notice within 48 hours) after becoming aware of a Personal Data Breach affecting Customer Data and will provide information reasonably available to assist Controller in meeting breach reporting obligations. Processor will take reasonable steps to contain, investigate, and remediate the Breach.


9) International Data Transfers
9.1 Primary mechanism. To the extent Processing involves transfers of Customer Data to a country without an adequacy decision, the SCCs are incorporated by reference and apply as follows:
• Module Two (Controller→Processor) applies to transfers from Controller to Processor.
• Module Three (Processor→Processor) applies to onward transfers from Processor to Sub-processors.
• The Parties complete the SCCs’ Annexes using the information in Annex I–III of this DPA.
• Clause 7 (Docking Clause) is enabled.
• Clause 9(a) (Use of sub-processors): Option 2 (General authorization) applies; advance notice per Section 6.3.
• Clause 11(a) (Independent dispute resolution): Not applicable unless required by law.
• Clause 17 (Governing law): The law of [Ireland] (or another EU/EEA Member State specified by Controller) governs the SCCs.
• Clause 18 (Forum and jurisdiction): [Ireland] (or the specified Member State).
9.2 UK and Switzerland. For transfers subject to UK law, the UK Addendum to the SCCs is incorporated; for transfers subject to Swiss FADP, references to “Member State” and “EU law” are construed to refer to Switzerland and Swiss law, and the Federal Data Protection and Information Commissioner (FDPIC) is the competent authority.
9.3 Supplementary measures. Processor implements technical and organizational measures designed to address the Schrems II requirements (e.g., encryption in transit and at rest; access controls; challenge to disproportionate government access requests) and will promptly notify Controller (unless legally prohibited) of government data access requests relating to Customer Data.
9.4 Other transfer tools. Where a Sub-processor participates in the EU–US Data Privacy Framework (DPF) or equivalent, that may serve as an additional lawful transfer mechanism; however, Processor treats the SCCs as the primary mechanism for international transfers.
(Cloudflare, AWS, Twilio, Resend and Clerk publish DPAs and SCC commitments; see Annex III references.)


10) Return and Deletion of Data
Upon termination or expiry of the Services, Controller may export Customer Data via available tools. Upon Controller’s written instruction, Processor will delete or return all Customer Data (at Controller’s choice) and delete existing copies within 30 days, unless retention is required by law (in which case Processor will protect the retained data and delete it when the retention period ends).


11) Audits and Information
11.1 Documentation. Processor will make available information necessary to demonstrate compliance with this DPA, including security documentation and third-party compliance reports where available.
11.2 Audits. Where such information is insufficient, Controller may conduct a reasonable audit (including inspections) no more than once annually, on 30 days’ notice, during business hours, without disrupting operations, and subject to confidentiality and conflict-of-interest safeguards. If a third-party auditor is used, it must be mutually agreed and bound by confidentiality. Controller bears audit costs unless a material breach is found.


12) Controller Responsibilities
Controller is responsible for (i) the legality of Customer Data and the means by which it acquired Customer Data, (ii) providing required privacy notices and obtaining any necessary consents, (iii) configuring the Services to meet Controller’s compliance requirements (including retention and deletion settings and optional integrations), and (iv) ensuring that its instructions comply with Applicable Data Protection Laws.


13) Liability and Indemnity
Liability is governed by the Principal Agreement. Nothing in this DPA limits either Party’s liability where such limitation is not permitted by Applicable Data Protection Laws, including under the SCCs where they apply.


14) Order of Precedence; Changes
If there is any conflict between this DPA and other terms in the Principal Agreement regarding Processing of Personal Data, this DPA controls. If the SCCs conflict with this DPA or the Principal Agreement, the SCCs control for the relevant transfer.


15) Notices
Notices under this DPA (including Sub-processor updates) may be provided by email to the contacts above or via an online page designated by Processor for Sub-processor listings and updates.


16) Term
This DPA is effective on the Effective Date and remains in force for so long as Processor Processes Customer Data on behalf of Controller under the Principal Agreement.


17) Signatures
Signed for and on behalf of Controller:
Name: __________________  Title: __________________  Date: ______
Signature: ________________________________________
Signed for and on behalf of Processor — Formflow Solutions LLC:
Name: Jason K Williamson  Title: CEO  Date: ______
Signature: ________________________________________


Annex I – Description of Processing (Art. 28(3), SCC Annex I)
A. Parties
Data Exporter (Controller): [Customer legal name, address, contact email].
Data Importer (Processor): Formflow Solutions LLC, details as above.
B. Description of Transfer/Processing
Subject matter: Provision of the Formflow SaaS (form building/hosting, submission capture, notifications, optional integrations specifically enabled by Controller).
Duration: Term of the Principal Agreement plus data return/deletion period.
Nature and Purpose: Collect, store, transmit and otherwise Process form submissions; provide application functionality; send email/SMS notifications if configured; forward server-side events to Controller-selected destinations if configured; authenticate users.
Categories of Data Subjects: Individuals submitting forms created by Controller; Controller’s administrative users/end-users invited to app.getformflow.io.
Types of Personal Data: Form fields defined by Controller (which may include identifiers, contact details, free-text fields); technical data (IP address, user agent, timestamps); account identifiers; authentication identifiers. Special categories are not intended unless Controller explicitly collects them and has a lawful basis.
Frequency of Transfer: Continuous as determined by Controller’s use of the Services.
Retention: As configured by Controller; otherwise for the duration of the Service and the return/deletion period.
Subject Rights: Supported per Section 7.
C. Competent Supervisory Authority (for SCCs):
Where the data exporter is established in the EEA: the authority of the Member State where the exporter is established. If multiple, the lead authority identified by the exporter. For exporters outside the EEA subject to GDPR via Art. 3(2), the authority where the EU representative is established (if applicable).
D. Governing Law & Forum for SCCs (Clause 17/18):
[Ireland] (unless Controller designates another EEA Member State).
(General SCC guidance and modules reference: EU Commission materials on 2021/914.)


Annex II – Technical and Organisational Measures (TOMs)
The Processor (Formflow) maintains a comprehensive information security and privacy program designed to protect Customer Data. Measures are reviewed and updated periodically in line with industry standards.


1. Governance and Policies
• Documented Information Security Policy, Privacy Policy, and Acceptable Use Policy reviewed at least annually.
• Security program overseen by executive management; accountability assigned to Formflow’s CEO and CTO.
• Employees and contractors undergo background checks (where legally permissible) prior to engagement.


2. Personnel Security and Access Control
• Role-based access control (RBAC) applied across systems; access limited to the least privilege required for the job function.
• Multi-factor authentication (MFA) enforced for all administrative access (infrastructure, source code, SaaS consoles).
• Onboarding/offboarding process ensures prompt granting/revocation of access; access reviews performed at least quarterly.
• All staff with data access trained annually on GDPR, data handling, phishing awareness, and incident response.


3. Physical Security
• All Customer Data is hosted in Amazon Web Services (AWS) data centers with industry-standard certifications (ISO 27001, SOC 1/2/3, PCI-DSS).
• Physical access to servers is restricted by AWS and controlled via badge access, biometrics, and CCTV.


4. System & Network Security
• TLS 1.2+ (HTTPS) enforced for all data in transit; HSTS enabled.
• AES-256 encryption at rest for databases, object storage, and backups.
• Cloudflare WAF/DDoS protection and CDN used for edge-layer defense.
• Network segmentation and security groups restrict lateral movement.
• Regular vulnerability scans; critical patches applied within 14 days.


5. Application Security
• Secure Software Development Lifecycle (SSDLC) with code reviews, dependency scanning, and CI/CD checks.
• Dependencies monitored for CVEs; automated updates and patching pipeline in place.
• API endpoints require authentication (JWT/Clerk) and authorization checks.


6. Data Management & Privacy
• Data minimization: only data defined by Controller is collected; Formflow does not enrich Customer Data.
• Data segregation: multi-tenant architecture with logical separation per customer.
• Configurable retention: Controller may delete submissions or accounts at any time.
• Metadata logs retained only as long as necessary for security/operations.


7. Monitoring, Logging & Alerting
• Centralized logging of infrastructure and application events.
• Security events monitored via automated alerts (unauthorized access, privilege escalation, anomaly detection).
• Logs protected against tampering and retained for a defined period for forensic investigation.


8. Business Continuity & Disaster Recovery
• Automated daily backups of databases; tested restore procedures quarterly.
• Disaster recovery RTO (Recovery Time Objective): 24 hours.
• RPO (Recovery Point Objective): 24 hours.
• Services hosted in redundant AWS availability zones for resilience.


9. Incident Management
• Documented Incident Response Plan (IRP) covering detection, containment, eradication, recovery, and lessons learned.
• Security incidents classified by severity; breach notifications to Controllers issued without undue delay (target <48h).
• Post-incident reviews conducted and corrective measures tracked.


10. Audit & Compliance
• Records of Processing maintained as required by Art. 30(2) GDPR.
• Regular internal audits of access rights and security configurations.
• Third-party attestations leveraged from AWS, Cloudflare, and other Sub-processors.


Annex III – List of Sub-processors
As of the Effective Date, Formflow engages the following Sub-processors to support the provision of the Services. The Processor shall notify the Controller of any intended changes concerning the addition or replacement of Sub-processors in accordance with Section [Sub-processor Clause] of this DPA.


1. Cloudflare, Inc.
Address: 101 Townsend Street, San Francisco, CA 94107, USA
Purpose of Processing: Content delivery network (CDN), DDoS protection, TLS/SSL termination, edge caching, WAF services.
Data Processed: IP addresses, DNS queries, HTTP(S) request metadata, TLS certificates, limited personal data contained in traffic.
Transfer Safeguards: Standard Contractual Clauses (SCCs) incorporated in Cloudflare’s DPA. Cloudflare is certified under ISO/IEC 27001, SOC 2 Type II.
More Info: https://www.cloudflare.com/gdpr/


2. Amazon Web Services, Inc. (AWS)
Address: 410 Terry Avenue North, Seattle, WA 98109, USA
Purpose of Processing: Primary infrastructure provider for compute, storage, networking, databases, and backups.
Data Processed: Customer Data stored within AWS-hosted databases, file storage (S3), and logs.
Location: Currently hosted in US regions (Formflow is evaluating EU hosting expansion).
Transfer Safeguards: AWS incorporates SCCs into its DPA and maintains certifications (ISO 27001, SOC 1/2/3).
More Info: https://aws.amazon.com/compliance/gdpr-center/


3. Resend, Inc.
Address: San Francisco, CA, USA
Purpose of Processing: Transactional email delivery if Customer uses the “Email Node” functionality.
Data Processed: Email addresses of recipients, email message content (as provided by Controller).
Transfer Safeguards: Resend provides a GDPR Data Processing Addendum with SCCs.
More Info: https://resend.com/legal/dpa


4. Twilio Inc.
Address: 101 Spear Street, Suite 500, San Francisco, CA 94105, USA
Purpose of Processing: SMS delivery if Customer uses the “SMS Node” functionality.
Data Processed: Phone numbers of recipients, message content (as provided by Controller), delivery metadata.
Transfer Safeguards: Twilio provides SCCs as part of its DPA; certified under ISO 27001 and SOC 2.
More Info: https://www.twilio.com/legal/data-protection-addendum


5. Meta Platforms, Inc.
Address: 1601 Willow Road, Menlo Park, CA 94025, USA
Purpose of Processing: Server-side event forwarding to Customer’s own Facebook Pixel/Meta Ads account (optional integration).
Data Processed: Event metadata (as configured by Controller), pseudonymous identifiers, HTTP request information.
Transfer Safeguards: Meta incorporates SCCs into its Data Transfer Addendum.
More Info: https://www.facebook.com/legal/terms/dataprocessing


6. Clerk, Inc.
Address: 548 Market St, PMB 77519, San Francisco, CA 94104, USA
Purpose of Processing: Authentication and user management for end-users of the SaaS (login, session handling, account linking).
Data Processed: Usernames, email addresses, authentication tokens, and metadata required for authentication.
Transfer Safeguards: Clerk provides a GDPR DPA with SCCs.
More Info: https://clerk.dev/legal/dpa