Sub-processors register

Last updated: September 23, 2025
Annex III – List of Sub-processors

As of the Effective Date, Formflow engages the following Sub-processors to support the provision of the Services. The Processor shall notify the Controller of any intended changes concerning the addition or replacement of Sub-processors in accordance with Section [Sub-processor Clause] of this DPA.


1. Cloudflare, Inc.

Address: 101 Townsend Street, San Francisco, CA 94107, USA

Purpose of Processing: Content delivery network (CDN), DDoS protection, TLS/SSL termination, edge caching, WAF services.

Data Processed: IP addresses, DNS queries, HTTP(S) request metadata, TLS certificates, limited personal data contained in traffic.

Transfer Safeguards: Standard Contractual Clauses (SCCs) incorporated in Cloudflare’s DPA. Cloudflare is certified under ISO/IEC 27001 and SOC 2 Type II.

More Info: https://www.cloudflare.com/gdpr/


2. Amazon Web Services, Inc. (AWS)

Address: 410 Terry Avenue North, Seattle, WA 98109, USA

Purpose of Processing: Primary infrastructure provider for compute, storage, networking, databases, and backups.

Data Processed: Customer Data stored within AWS-hosted databases, file storage (S3), and logs.

Location: Currently hosted in US regions. (Formflow is evaluating EU hosting expansion.)

Transfer Safeguards: AWS incorporates SCCs into its DPA and maintains certifications (ISO 27001, SOC 1/2/3).

More Info: https://aws.amazon.com/compliance/gdpr-center/


3. Resend, Inc.

Address: San Francisco, CA, USA

Purpose of Processing: Transactional email delivery if Customer uses the “Email Node” functionality.

Data Processed: Email addresses of recipients, email message content (as provided by Controller).

Transfer Safeguards: Resend provides a GDPR Data Processing Addendum with SCCs.

More Info: https://resend.com/legal/dpa


4. Twilio Inc.

Address: 101 Spear Street, Suite 500, San Francisco, CA 94105, USA

Purpose of Processing: SMS delivery if Customer uses the “SMS Node” functionality.

Data Processed: Phone numbers of recipients, message content (as provided by Controller), delivery metadata.

Transfer Safeguards: Twilio provides SCCs as part of its DPA; certified under ISO 27001 and SOC 2.

More Info: https://www.twilio.com/legal/data-protection-addendum


5. Meta Platforms, Inc.

Address: 1601 Willow Road, Menlo Park, CA 94025, USA

Purpose of Processing: Server-side event forwarding to Customer’s own Facebook Pixel/Meta Ads account (optional integration).

Data Processed: Event metadata (as configured by Controller), pseudonymous identifiers, HTTP request information.

Transfer Safeguards: Meta incorporates SCCs into its Data Transfer Addendum.

More Info: https://www.facebook.com/legal/terms/dataprocessing


6. Clerk, Inc.

Address: 548 Market St, PMB 77519, San Francisco, CA 94104, USA

Purpose of Processing: Authentication and user management for end-users of the SaaS (login, session handling, account linking).

Data Processed: Usernames, email addresses, authentication tokens, and metadata required for authentication.

Transfer Safeguards: Clerk provides a GDPR DPA with SCCs.

More Info: https://clerk.dev/legal/dpa