Data Protection

Data Processing Agreement

This DPA describes how Flexform processes personal data on your behalf, in compliance with GDPR and applicable data protection laws.

Last Updated: February 19, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Flexform ("Processor," "we," "us") and the customer ("Controller," "you") governing your access to and use of our Services.

This DPA addresses the requirements of Article 28 of the General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection laws regarding the processing of personal data.

2. Roles of the Parties

You (the Customer)

Act as the Data Controller — you determine the purposes and means of processing personal data collected through forms you create on Flexform.

Flexform

Acts as the Data Processor — we process personal data on your behalf solely to provide, secure, and support the Services.

You are responsible for the accuracy, quality, and lawfulness of the personal data you collect and for establishing an appropriate legal basis for processing (e.g., consent, legitimate interest, contractual necessity).

3. Scope & Nature of Processing

Flexform processes personal data solely to:

1. Host and deliver forms created by you.
2. Collect and store responses submitted by respondents to your forms.
3. Send transactional email notifications (via Amazon SES) related to form submissions.
4. Provide analytics and reporting on form responses.
5. Provide AI-assisted form creation (via Google Gemini API) when you use AI features.
6. Maintain the security, availability, and integrity of the Services.

Data Subjects

  • Form creators (your authorized users)
  • Form respondents

Types of Personal Data

  • Contact information
  • Account & form response data
  • Technical data (IP, device info)

Processing continues for the duration of the agreement. Upon termination, data handling follows Section 9 of this DPA.

4. Processor Obligations

Flexform shall:

1. Process personal data only on your documented instructions, unless required by applicable law.
2. Ensure that persons authorized to process personal data are bound by appropriate confidentiality obligations.
3. Implement appropriate technical and organizational security measures.
4. Not engage sub-processors without your prior authorization.
5. Assist you in responding to data subject rights requests.
6. Notify you of personal data breaches without undue delay.
7. Delete or return personal data upon termination.
8. Make available information necessary to demonstrate compliance with this DPA.

5. Security Measures

🔐 Encryption

HTTPS/TLS in transit, industry-standard encryption at rest

🛡️ Access Controls

Role-based access, MFA for admins, least privilege principle

☁️ Infrastructure

AWS with multi-availability zone deployment

🔑 Authentication

JWT-based with secure token rotation, OAuth 2.0

📊 Monitoring

Continuous security monitoring and anomaly detection

✉️ Email Security

DKIM, SPF, DMARC for Amazon SES; bounce/complaint handling via SNS

🚨 Incident Response

Documented procedures for prompt identification and remediation

6. Sub-processors

You provide general authorization for Flexform to engage sub-processors to assist in providing the Services.

Sub-processor | Purpose
Amazon Web Services (AWS) | Cloud hosting, email delivery (SES), storage
Google Cloud (Gemini API) | AI-assisted form generation
Payment Processor | Subscription billing

We will provide at least 15 days' advance notice before engaging a new sub-processor. You may object on documented data protection grounds. If we cannot reasonably accommodate your objection, you may terminate the affected Services.

7. Data Subject Rights

Flexform will provide reasonable assistance to you in responding to requests from data subjects exercising their rights under applicable data protection laws, including requests for access, rectification, erasure, restriction, portability, and objection.

If Flexform receives a request directly from a data subject, we will promptly redirect the request to you unless legally required to respond directly.

8. Data Breach Notification

Flexform will notify you of any confirmed personal data breach within 72 hours of becoming aware of the breach. The notification will include:

1. A description of the nature of the breach, including the categories and approximate number of data subjects affected.
2. The likely consequences of the breach.
3. A description of the measures taken or proposed to address the breach and mitigate its effects.

Flexform will take reasonable steps to contain and remediate the breach and will cooperate with your investigation and notification obligations.

9. Data Return & Deletion

Upon termination of the agreement:

Data Export Period (30 days)

Flexform will make your data available for export for 30 days after termination.

Permanent Deletion (90 days)

After the 30-day period, all personal data will be permanently deleted within 90 days, unless retention is required by applicable law.

Backup copies will be deleted in accordance with our standard backup rotation schedule.

10. International Data Transfers

Flexform's Services are hosted in the United States. For personal data originating from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission to ensure an adequate level of data protection.

In such transfers, you act as the data exporter and Flexform acts as the data importer. The SCCs are incorporated by reference into this DPA.

11. Audits & Compliance

Upon reasonable written request (no more than once annually), Flexform will provide documentation demonstrating compliance with this DPA. If on-site audits are required, they must be conducted with at least 15 days' advance notice, during business hours, and at your expense.

12. Liability & Miscellaneous

The liability limitations set forth in the Terms of Service apply to claims arising under this DPA, subject to mandatory provisions of applicable data protection law that cannot be contractually limited.

In the event of a conflict between this DPA and the Terms of Service regarding personal data processing, this DPA shall prevail.

Flexform may update this DPA to comply with changes in applicable data protection laws, with notice to you.

This DPA is governed by the same governing law as the Terms of Service.

13. Contact Us

For questions about this DPA or data processing practices: