Data Processing Agreement
Last updated: April 6, 2026
This Data Processing Agreement (“Agreement” or “DPA”) forms part of the Contract for Services under Formtress’s Terms of Service (the “Principal Agreement”) between Formtress (“we,” “us,” or “our,” referred to as the “Processor”) and the business or organisation using the Formtress Services (the “Company,” referred to as the “Controller”).
By accepting the Terms of Service, or by otherwise accessing or using the Services, the Company agrees to be bound by this Agreement. This Agreement applies wherever the Company’s use of the Formtress Services involves the processing of Personal Data belonging to the Company’s own end users or customers.
This Agreement is complementary to our Privacy Policy, which governs how Formtress processes personal data it receives directly from our own customers (account holders) in its capacity as a data controller.
WHEREAS
(A) The Company acts as a Data Controller.
(B) The Company wishes to use the Services provided by Formtress, which imply the processing of Personal Data on behalf of the Company, and appoints Formtress as a Data Processor for that purpose.
(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).
(D) The Parties wish to lay down their rights and obligations.
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
Section titled “1. Definitions and Interpretation”Unless otherwise defined herein, capitalised terms and expressions used in this Agreement shall have the following meaning:
1.1 “Agreement” means this Data Processing Agreement and all Schedules;
1.2 “Company Personal Data” means any Personal Data relating to the Company’s end users or customers that is processed by Formtress on behalf of the Company in connection with the Services under the Principal Agreement;
1.3 “Contracted Processor” means a Sub-processor;
1.4 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
1.5 “EEA” means the European Economic Area;
1.6 “EU Data Protection Laws” means the GDPR and all national legislation implementing, supplementing, or made pursuant to it;
1.7 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council;
1.8 “Data Transfer” means:
- a transfer of Company Personal Data from the Controller to the Processor or a Contracted Processor; or
- an onward transfer of Company Personal Data from the Processor to a Sub-processor, or between two establishments of a Contracted Processor, where such transfer would be subject to Data Protection Laws;
1.9 “Services” means the form collection, security, and analytics services provided by Formtress as described on the Formtress website and in the Principal Agreement;
1.10 “Sub-processor” means any person appointed by or on behalf of Formtress to process Company Personal Data in connection with the Services.
The terms “Commission,” “Controller,” “Data Subject,” “Member State,” “Personal Data,” “Personal Data Breach,” “Processing,” and “Supervisory Authority” shall have the same meaning as in the GDPR.
2. Processing of Company Personal Data
Section titled “2. Processing of Company Personal Data”2.1 Formtress shall:
- comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and
- not Process Company Personal Data other than on the Company’s documented instructions, except where required to do so by applicable law.
2.2 The Company instructs Formtress to process Company Personal Data for the following purposes:
- providing the Services and related technical support;
- fulfilling legal obligations or resolving disputes;
- exercising internal tasks aimed at optimising the security, privacy, and functionality of the Services; and
- producing anonymous, aggregate analytics that cannot be linked back to individual Data Subjects.
2.3 The subject matter, duration, nature, and purpose of processing, and the categories of Data Subjects and Personal Data covered by this Agreement, are described in Schedule A — Processing Details below.
3. Processor Personnel
Section titled “3. Processor Personnel”Formtress shall take reasonable steps to ensure the reliability of any employee, agent, or contractor who may have access to Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Data Protection Laws. All such individuals shall be subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4. Security
Section titled “4. Security”In accordance with Article 32(1) of the GDPR, Formtress shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. These measures shall be designed to protect the rights and freedoms of natural persons, considering the risks of varying likelihood and severity, including the risk of a Personal Data Breach.
5. Sub-processing
Section titled “5. Sub-processing”5.1 By accepting this Agreement, the Company grants general authorisation to Formtress to engage Sub-processors for the purposes of providing the Services. The Company acknowledges and approves the current list of Sub-processors set out in Schedule B — Sub-processors.
5.2 Formtress shall inform the Company of any intended changes to its Sub-processors (additions or replacements) by updating Schedule B and providing notification in accordance with its Privacy Policy. If the Company reasonably objects to a new Sub-processor on legitimate data protection grounds, the Company may notify Formtress at support@formtress.com within 30 days of notification.
5.3 Formtress shall ensure that Sub-processors are subject to data processing agreements no less restrictive or protective than this Agreement with respect to the protection of Company Personal Data.
6. Data Subject Rights
Section titled “6. Data Subject Rights”6.1 Taking into account the nature of the processing, Formtress shall reasonably assist the Company with its obligations to respond to requests to exercise Data Subject rights under Data Protection Laws.
6.2 Formtress shall:
- promptly notify the Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and
- not respond to any such request except on the documented instructions of the Company, or as required by applicable law, in which case Formtress shall, to the extent permitted by law, inform the Company before responding.
7. Personal Data Breach
Section titled “7. Personal Data Breach”7.1 Formtress shall notify the Company without undue delay upon becoming aware of a Personal Data Breach affecting Company Personal Data, providing the Company with sufficient information to allow it to meet any obligations to report to a Supervisory Authority or inform Data Subjects under Data Protection Laws.
7.2 Formtress shall co-operate with the Company and take reasonable steps as directed by the Company to assist in the investigation, mitigation, and remediation of each such breach.
7.3 Each party shall bear the costs of investigation, remediation, and mitigation, and any fines, penalties, or damages imposed by a regulatory authority or court, to the extent arising from that party’s breach of its obligations under this Agreement.
8. Data Protection Impact Assessments
Section titled “8. Data Protection Impact Assessments”Formtress shall provide reasonable assistance to the Company with any data protection impact assessments and prior consultations with Supervisory Authorities which the Company reasonably considers to be required by Articles 35 or 36 of the GDPR, in each case solely in relation to the processing of Company Personal Data by Formtress and taking into account the nature of the processing and the information available to Formtress.
9. Deletion or Return of Company Personal Data
Section titled “9. Deletion or Return of Company Personal Data”Upon cessation of the Services involving the processing of Company Personal Data, or upon written request from the Company, Formtress shall delete all Company Personal Data to the extent permitted by applicable law and in accordance with its Terms of Service and Privacy Policy. Should the Company require a copy of its data, it must request it before deletion. Requests made after deletion can no longer be fulfilled.
10. Audit Rights
Section titled “10. Audit Rights”10.1 Formtress shall make available to the Company, on reasonable written request, all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Company or an auditor mandated by the Company.
10.2 The Company shall not exercise its audit rights more than once per calendar year, except following a Personal Data Breach or an instruction from a regulatory authority. The Company shall give Formtress at least 60 days’ prior written notice of its intention to audit. Audits shall be conducted during business hours, shall not disrupt Formtress’s operations, and shall ensure the protection of all parties’ Personal Data. The scope, duration, and applicable confidentiality controls shall be agreed in advance.
11. Data Transfers
Section titled “11. Data Transfers”11.1 Formtress is incorporated and operates in Cyprus, a European Union member state, and processes data in its capacity as a GDPR-established controller and processor within the EEA.
11.2 Where Formtress transfers Company Personal Data to Sub-processors located outside the EEA (including those in the United States), it shall ensure such transfers are subject to appropriate safeguards, including Standard Contractual Clauses as adopted by the European Commission, or another transfer mechanism recognised under applicable Data Protection Laws.
11.3 Sub-processors that store data within the EEA (see Schedule B) do not require an additional transfer mechanism for that data.
12. General Terms
Section titled “12. General Terms”Compliance with applicable laws. Formtress will process Company Personal Data in accordance with this Agreement and applicable Data Protection Laws. Formtress is not responsible for complying with Data Protection Laws applicable solely to the Company by virtue of the Company’s business or industry.
Confidentiality. Each party must keep information it receives about the other party in connection with this Agreement confidential and must not use or disclose it without the prior written consent of the other party, except to the extent that (a) disclosure is required by law, or (b) the information is already in the public domain through no fault of the parties.
Notices. All notices under this Agreement must be in writing and sent by email. The Company shall be contacted at the email address associated with its Formtress account. Formtress shall be contacted at legal@formtress.com.
Governing law and jurisdiction. This Agreement is governed by the laws of the Republic of Cyprus. Any disputes arising in connection with this Agreement shall be subject to the exclusive jurisdiction of the courts of Cyprus, without regard to conflicts of law provisions.
Precedence. In the event of any conflict between this Agreement and the Principal Agreement with respect to the subject matter of data protection, this Agreement shall prevail.
Enterprise counter-signing. Enterprise customers who require a counter-signed copy of this Agreement for their own compliance records may request one by contacting legal@formtress.com.
Schedule A — Processing Details
Section titled “Schedule A — Processing Details”| Field | Details |
|---|---|
| Subject matter | Processing of Personal Data submitted through forms and other data collection mechanisms deployed by the Company using the Formtress Services |
| Duration | For the term of the Principal Agreement, and then as required for deletion in accordance with Section 9 |
| Nature of processing | Collection, storage, retrieval, analysis, transmission, and deletion of form submission data and associated metadata |
| Purpose of processing | Providing form collection, security, and analytics features to the Company; spam prevention; service improvement |
| Categories of Data Subjects | End users and customers of the Company who submit data through forms powered by Formtress |
| Categories of Personal Data | As determined by the Company. Typically includes: names, email addresses, and any other fields the Company includes in its forms. Formtress also collects submission metadata: IP address (for spam prevention), page URL, browser language, and user agent string. |
Schedule B — Sub-processors
Section titled “Schedule B — Sub-processors”The following Sub-processors are authorised to process Company Personal Data on behalf of Formtress for the purposes set out in this Agreement:
| Sub-Processor | Purpose | Data Location | Privacy Notice |
|---|---|---|---|
| Vercel Inc. | Hosting and infrastructure | United States | vercel.com/legal/privacy-policy |
| Neon Inc. | Database (PostgreSQL) | Germany (EU) — Frankfurt | neon.com/privacy-policy |
| Upstash Inc. | Caching (Redis) | United States | upstash.com/trust/privacy.pdf |
| Resend Inc. | Transactional email | United States | resend.com/legal/privacy-policy |
| Polar.sh | Payment processing | United States | polar.sh/legal/privacy |
| PostHog Inc. | Product analytics and logging | Germany (EU) — Frankfurt | posthog.com/privacy |
| UploadThing | File storage (profile pictures and user uploads) | United States | uploadthing.com/info/privacy-policy |
Formtress will provide the Company with reasonable notice of any additions or replacements to this list.