Formflow | Fully Interactive Forms In Minutes, Not Days.

Sub-processors register

Last updated: September 23, 2025

Annex III – List of Sub-processors

As of the Effective Date, Formflow engages the following Sub-processors to support the provision of the Services. The Processor shall notify the Controller of any intended changes concerning the addition or replacement of Sub-processors in accordance with Section [Sub-processor Clause] of this DPA.

1. Cloudflare, Inc.

• Address: 101 Townsend Street, San Francisco, CA 94107, USA

• Purpose of Processing: Content delivery network (CDN), DDoS protection, TLS/SSL termination, edge caching, WAF services.

• Data Processed: IP addresses, DNS queries, HTTP(S) request metadata, TLS certificates, limited personal data contained in traffic.

• Transfer Safeguards: Standard Contractual Clauses (SCCs) incorporated in Cloudflare’s DPA. Cloudflare is certified under ISO/IEC 27001, SOC 2 Type II.

• More Info: https://www.cloudflare.com/gdpr/

2. Amazon Web Services, Inc. (AWS)

• Address: 410 Terry Avenue North, Seattle, WA 98109, USA

• Purpose of Processing: Primary infrastructure provider for compute, storage, networking, databases, and backups.

• Data Processed: Customer Data stored within AWS-hosted databases, file storage (S3), and logs.

• Location: Currently hosted in US regions. (Formflow is evaluating EU hosting expansion).

• Transfer Safeguards: AWS incorporates SCCs into its DPA and maintains certifications (ISO 27001, SOC 1/2/3).

• More Info: https://aws.amazon.com/compliance/gdpr-center/

3. Resend, Inc.

• Address: San Francisco, CA, USA

• Purpose of Processing: Transactional email delivery if Customer uses the “Email Node” functionality.

• Data Processed: Email addresses of recipients, email message content (as provided by Controller).

• Transfer Safeguards: Resend provides a GDPR Data Processing Addendum with SCCs.

• More Info: https://resend.com/legal/dpa

4. Twilio Inc.

• Address: 101 Spear Street, Suite 500, San Francisco, CA 94105, USA

• Purpose of Processing: SMS delivery if Customer uses the “SMS Node” functionality.

• Data Processed: Phone numbers of recipients, message content (as provided by Controller), delivery metadata.

• Transfer Safeguards: Twilio provides SCCs as part of its DPA; certified under ISO 27001 and SOC 2.

• More Info: https://www.twilio.com/legal/data-protection-addendum

5. Meta Platforms, Inc.

• Address: 1601 Willow Road, Menlo Park, CA 94025, USA

• Purpose of Processing: Server-side event forwarding to Customer’s own Facebook Pixel/Meta Ads account (optional integration).

• Data Processed: Event metadata (as configured by Controller), pseudonymous identifiers, HTTP request information.

• Transfer Safeguards: Meta incorporates SCCs into its Data Transfer Addendum.

• More Info: https://www.facebook.com/legal/terms/dataprocessing

6. Clerk, Inc.

• Address: 548 Market St, PMB 77519, San Francisco, CA 94104, USA

• Purpose of Processing: Authentication and user management for end-users of the SaaS (login, session handling, account linking).

• Data Processed: Usernames, email addresses, authentication tokens, and metadata required for authentication.

• Transfer Safeguards: Clerk provides a GDPR DPA with SCCs.

• More Info: https://clerk.dev/legal/dpa