Last updated: February 15, 2026

Data Processing Agreement

This Data Processing Agreement ("DPA") is incorporated into and forms part of the Terms of Servicebetween FormGen ("Processor") and the customer ("Controller"). This DPA governs the processing of personal data by FormGen on behalf of the Controller in connection with the provision of the FormGen platform.

1. Definitions

The following terms have the meanings set out below, aligned with the definitions in Article 4 of the General Data Protection Regulation (EU) 2016/679 ("GDPR"):

  • "Controller" means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data. In the context of this DPA, the Controller is the customer who uses FormGen to create and manage forms.
  • "Processor" means the natural or legal person which processes personal data on behalf of the Controller. In the context of this DPA, the Processor is FormGen.
  • "Data Subject" means an identified or identifiable natural person whose personal data is processed.
  • "Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to names, email addresses, IP addresses, and form submission content.
  • "Processing" means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction.
  • "Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.

2. Scope and Roles

The Controller determines the purposes and means of processing personal data through the FormGen platform. FormGen acts as the Processor, processing personal data solely on behalf of and in accordance with the documented instructions of the Controller.

Data Subjects include, but are not limited to:

  • Form respondents who submit data through forms created by the Controller
  • Account users who access and manage the Controller's FormGen account

Categories of Personal Data processed under this DPA include:

  • Names and email addresses
  • Form submissions (content determined by the Controller's form configuration)
  • IP addresses
  • Authentication tokens and session data
  • File uploads submitted through form fields (stored in Cloudflare R2)
  • Webhook delivery logs (endpoint URLs, delivery status, timestamps)
  • Team invitation data (email addresses, roles, invitation tokens)
  • Partial submission data (incomplete form responses stored as drafts with HMAC-signed resume tokens, auto-deleted after 7 days)
  • Custom domain configuration data (domain names, DNS verification records)

3. Processor Obligations

FormGen, as the Processor, shall:

  • Process on documented instructions only.Process personal data solely in accordance with the Controller's documented instructions, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing (unless prohibited by law).
  • Ensure confidentiality. Ensure that all personnel authorized to process personal data are bound by appropriate obligations of confidentiality, whether contractual or statutory.
  • Implement security measures. Implement and maintain appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, as described in Section 6 of this DPA.
  • Assist with data subject requests.Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller's obligation to respond to data subject access requests (DSARs) and other data subject rights under applicable data protection law.
  • Delete or return data on termination.Upon termination of the agreement, delete or return all personal data to the Controller (at the Controller's election), and delete existing copies unless applicable law requires retention.
  • Support audits and compliance. Make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA, and allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller, subject to the terms in Section 9.

4. Sub-processors

The Controller grants FormGen general written authorization to engage the following approved sub-processors for the purposes described below:

NamePurposeData ProcessedLocation
VercelHosting and edge networkAll web requests, session dataUnited States
NeonPostgreSQL databaseAccount data, form schemas, form responsesUnited States
StripePayment processingBilling information, subscription dataUnited States
UpstashRate limiting and cachingRate limit counters, cached form dataUnited States
ResendEmail deliveryEmail addresses, notification contentUnited States
OpenAIAI-powered form generation and AI analyticsForm descriptions for AI generation; form response data for AI analytics (opt-in Pro feature, up to 100 responses per analysis)United States
CloudflareDNS, CDN, and file storage (R2)Web requests, uploaded filesGlobal
Google AnalyticsUsage analyticsAnonymized page visit and session dataUnited States
Google AdsAdvertising conversion trackingAd click identifiers, conversion eventsUnited States
Google OAuthAuthenticationName, email, profile imageUnited States
GitHub OAuthAuthenticationName, email, profile imageUnited States

FormGen shall provide the Controller with at least 30 days advance written notice before engaging any new sub-processor or replacing an existing sub-processor. The notice shall include the name and location of the proposed sub-processor and the nature of the processing to be performed.

The Controller may object to the appointment of a new sub-processor within 30 days of receiving notice. If the Controller objects on reasonable grounds related to data protection, FormGen shall either refrain from engaging the sub-processor for the Controller's data or offer the Controller the option to terminate the affected services without penalty.

AI Analytics Data Processing.The AI Analytics feature (available on the Pro plan) involves sending form response data to OpenAI for analysis. This feature is entirely opt-in and is only activated when the Controller explicitly requests an analysis. Response data is sent to OpenAI's gpt-4o-mini model to generate summaries, themes, per-field insights, and recommendations. No form response data is sent to OpenAI unless the Controller initiates an AI analytics request.

5. Technical and Organizational Measures

FormGen implements and maintains the following technical and organizational measures to protect personal data. Additional details are available on our Security page.

  • Encryption. All data in transit is protected using TLS (Transport Layer Security). Data at rest is encrypted using AES-256 encryption at the database and storage layers.
  • Access controls.Strict tenant isolation is enforced at the database level, ensuring that each customer's data is logically separated. Role-based access controls govern internal access to systems and data.
  • Audit logging. All destructive operations (data deletion, account changes) are tracked in an audit log for accountability and forensic purposes.
  • Rate limiting. All endpoints are protected by rate limiting to prevent abuse, denial-of-service attacks, and unauthorized bulk data extraction.
  • Incident response. FormGen maintains incident response procedures to detect, investigate, and remediate security incidents in a timely manner, as further described in Section 8.

6. Data Transfers

FormGen and its sub-processors are primarily based in the United States. Where personal data is transferred from the European Economic Area (EEA), the United Kingdom, or Switzerland to a jurisdiction that has not received an adequacy decision, FormGen relies on Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914) to provide appropriate safeguards for such transfers.

Upon request, FormGen shall provide the Controller with copies of the applicable SCCs and information about the safeguards in place for international data transfers.

7. Breach Notification

In the event of a personal data breach, FormGen shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification shall include:

  • The nature of the personal data breach
  • The categories and approximate number of data subjects affected
  • The likely consequences of the breach
  • The measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects

FormGen shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach.

8. Audits

The Controller may request information from FormGen to demonstrate compliance with the obligations set out in this DPA. Such requests shall be made in writing with reasonable advance notice.

Audits shall be conducted during normal business hours, no more than once per calendar year, and at the Controller's expense. FormGen shall provide reasonable cooperation and access to relevant records and personnel. The scope of any audit shall be limited to FormGen's processing of the Controller's personal data.

If a third-party auditor is engaged, the auditor must agree to appropriate confidentiality obligations before the audit commences.

9. Term and Termination

This DPA shall remain in effect for the duration of the Terms of Service between the Controller and FormGen, and shall automatically terminate upon termination of the Terms of Service.

Upon termination, FormGen shall delete all personal data processed on behalf of the Controller within 30 days, unless applicable law requires further retention. The Controller may export their data (including form responses in CSV or JSON format) at any time prior to the deletion period.

10. Governing Law

This DPA is governed by the laws of the State of Delaware, United States, without regard to its conflict of laws provisions. Any disputes arising from this DPA shall be resolved in the courts of Delaware.

Notwithstanding the foregoing, where the processing of personal data is subject to the GDPR or other EU/EEA data protection legislation, the provisions of such legislation shall prevail in the event of any conflict with this DPA with respect to the rights of EU/EEA data subjects.

11. Contact

For questions or requests related to this Data Processing Agreement, please contact us at [email protected].