Data Processing Agreement

Last updated: December 27, 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Static Forms ("Processor", "we", "us", "our") and you ("Controller", "Customer", "you", "your") for the use of our form processing services.

Note: This DPA applies specifically to the processing of personal data submitted through your forms when you enable the optional form submission storage feature. If you do not enable form storage, form submissions are processed transiently and not stored on our servers.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person submitted through your forms.
  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
  • "Data Subject" means the individual whose Personal Data is being processed (your form submitters).
  • "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
  • "Data Protection Laws" means all applicable laws relating to data protection, including GDPR (EU), CCPA (California), and similar regulations.

2. Roles and Responsibilities

2.1 You as the Data Controller

As the Controller, you:

  • Determine the purposes and means of processing Personal Data
  • Are responsible for the lawfulness of data collection through your forms
  • Must obtain appropriate consent from Data Subjects where required
  • Must inform Data Subjects about data processing in your privacy policy
  • Are responsible for responding to Data Subject requests

2.2 We as the Data Processor

As the Processor, we:

  • Process Personal Data only on your documented instructions
  • Ensure that persons authorized to process Personal Data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist you in responding to Data Subject requests
  • Delete or return Personal Data upon termination of services (at your choice)
  • Make available all information necessary to demonstrate compliance

3. Processing Details

3.1 Subject Matter and Purpose

We process Personal Data to provide our form processing services, specifically:

  • Receiving form submissions from your website visitors
  • Delivering form submissions to your email address
  • Storing form submissions (when enabled by you)
  • Providing access to stored submissions via dashboard
  • Enabling export of stored submissions

3.2 Types of Personal Data

The Personal Data processed depends on the fields in your forms, which may include but are not limited to:

  • Contact information (name, email, phone)
  • Message content
  • Any other data fields you include in your forms

3.3 Categories of Data Subjects

Data Subjects are individuals who submit forms on your website, which may include:

  • Your website visitors
  • Your customers or potential customers
  • Any other individuals who interact with your forms

3.4 Duration of Processing

We process Personal Data for the duration of our service agreement and in accordance with your instructions:

  • Transient processing: If form storage is disabled, submissions are processed and delivered via email, then removed from our systems
  • Stored submissions: If form storage is enabled, submissions are retained until you delete them or your account is terminated
  • After termination: Data is deleted within 30 days of account deletion or service termination

4. Security Measures

We implement and maintain appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption of data in transit using TLS/HTTPS
  • Encryption of data at rest in our databases
  • Access controls and authentication mechanisms
  • Regular security assessments and monitoring
  • Employee confidentiality agreements and training
  • Incident response procedures

5. Sub-processors

You authorize us to engage the following sub-processors for the processing of Personal Data:

| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Amazon Web Services (AWS) | Cloud infrastructure, database hosting (DynamoDB), email delivery (SES) | USA / Global |
| Vercel | Application hosting and edge network | USA / Global |
| Stripe | Payment processing (does not process form submission data) | USA / Global |

We will notify you of any intended changes to sub-processors by updating this DPA. You have the right to object to changes within 14 days. If we cannot accommodate your objection, you may terminate the affected services.

6. Data Subject Rights

We will assist you in responding to Data Subject requests to the extent technically feasible and required by law. Data Subjects may exercise the following rights:

  • Access: You can view stored submissions in your dashboard
  • Rectification: You can correct data manually or delete and re-submit
  • Erasure: You can delete individual submissions or all data
  • Portability: You can export submissions in CSV format
  • Restriction/Objection: You can disable form storage at any time

As the Controller, you are responsible for handling Data Subject requests directly. We recommend including information about how to submit such requests in your privacy policy.

7. Data Breach Notification

In the event of a Personal Data breach, we will:

  • Notify you without undue delay (and in any event within 72 hours) after becoming aware of the breach
  • Provide you with sufficient information to meet your notification obligations to supervisory authorities and Data Subjects
  • Cooperate with you and take reasonable steps to assist in the investigation and mitigation of the breach

8. International Data Transfers

Personal Data may be transferred to and processed in countries outside of your country of residence. We ensure that such transfers are protected by:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Other legally recognized transfer mechanisms

9. Audit Rights

Upon reasonable written request (not more than once per year), we will make available information necessary to demonstrate compliance with this DPA. This may include:

  • Documentation of security measures
  • Third-party audit reports or certifications (when available)
  • Responses to specific compliance questions

10. Term and Termination

This DPA remains in effect for the duration of your use of our services. Upon termination:

  • You may export your stored data before account deletion
  • We will delete all Personal Data within 30 days unless legally required to retain it
  • Certain provisions of this DPA will survive termination (confidentiality, limitation of liability)

11. Your Obligations

By using our form storage feature, you agree to:

  • Ensure you have a lawful basis for collecting Personal Data through your forms
  • Provide clear privacy notices to Data Subjects explaining how their data will be used and stored
  • Obtain appropriate consent where required by applicable law
  • Not collect sensitive/special category data through forms unless you have explicit consent and legal basis
  • Promptly notify us of any Data Subject requests you cannot fulfill without our assistance
  • Comply with all applicable Data Protection Laws

12. Limitation of Liability

Our liability under this DPA is subject to the limitation of liability provisions in our Terms of Service. Neither party excludes or limits liability for death, personal injury, fraud, or any liability that cannot be limited by law.

13. Changes to This DPA

We may update this DPA from time to time. Material changes will be notified to you via email or through our service. Continued use of our services after such notification constitutes acceptance of the updated DPA.

14. Contact Information

For questions about this DPA or to exercise any rights, please contact us:

Acceptance

By enabling form submission storage in your Static Forms account settings, you acknowledge that you have read, understood, and agree to be bound by this Data Processing Agreement. This DPA, together with our Terms of Service and Privacy Policy, constitutes the complete agreement between the parties regarding the processing of Personal Data.