Sub-processors register
Annex III – List of Sub-processors
As of the Effective Date, Formflow engages the following Sub-processors to support the provision of the Services. The Processor shall notify the Controller of any intended changes concerning the addition or replacement of Sub-processors in accordance with Section [Sub-processor Clause] of this DPA.
1. Cloudflare, Inc.
• Address: 101 Townsend Street, San Francisco, CA 94107, USA
• Purpose of Processing: Content delivery network (CDN), DDoS protection, TLS/SSL termination, edge caching, WAF services.
• Data Processed: IP addresses, DNS queries, HTTP(S) request metadata, TLS certificates, limited personal data contained in traffic.
• Transfer Safeguards: Standard Contractual Clauses (SCCs) incorporated in Cloudflare’s DPA. Cloudflare is certified under ISO/IEC 27001, SOC 2 Type II.
• More Info: https://www.cloudflare.com/gdpr/
2. Amazon Web Services, Inc. (AWS)
• Address: 410 Terry Avenue North, Seattle, WA 98109, USA
• Purpose of Processing: Primary infrastructure provider for compute, storage, networking, databases, and backups.
• Data Processed: Customer Data stored within AWS-hosted databases, file storage (S3), and logs.
• Location: Currently hosted in US regions. (Formflow is evaluating EU hosting expansion).
• Transfer Safeguards: AWS incorporates SCCs into its DPA and maintains certifications (ISO 27001, SOC 1/2/3).
• More Info: https://aws.amazon.com/compliance/gdpr-center/
3. Resend, Inc.
• Address: San Francisco, CA, USA
• Purpose of Processing: Transactional email delivery if Customer uses the “Email Node” functionality.
• Data Processed: Email addresses of recipients, email message content (as provided by Controller).
• Transfer Safeguards: Resend provides a GDPR Data Processing Addendum with SCCs.
• More Info: https://resend.com/legal/dpa
4. Twilio Inc.
• Address: 101 Spear Street, Suite 500, San Francisco, CA 94105, USA
• Purpose of Processing: SMS delivery if Customer uses the “SMS Node” functionality.
• Data Processed: Phone numbers of recipients, message content (as provided by Controller), delivery metadata.
• Transfer Safeguards: Twilio provides SCCs as part of its DPA; certified under ISO 27001 and SOC 2.
• More Info: https://www.twilio.com/legal/data-protection-addendum
5. Meta Platforms, Inc.
• Address: 1601 Willow Road, Menlo Park, CA 94025, USA
• Purpose of Processing: Server-side event forwarding to Customer’s own Facebook Pixel/Meta Ads account (optional integration).
• Data Processed: Event metadata (as configured by Controller), pseudonymous identifiers, HTTP request information.
• Transfer Safeguards: Meta incorporates SCCs into its Data Transfer Addendum.
• More Info: https://www.facebook.com/legal/terms/dataprocessing
6. Clerk, Inc.
• Address: 548 Market St, PMB 77519, San Francisco, CA 94104, USA
• Purpose of Processing: Authentication and user management for end-users of the SaaS (login, session handling, account linking).
• Data Processed: Usernames, email addresses, authentication tokens, and metadata required for authentication.
• Transfer Safeguards: Clerk provides a GDPR DPA with SCCs.
• More Info: https://clerk.dev/legal/dpa