Data Processing Agreement

Version 2.1 · Effective date: December 1, 2025 · Last updated: June 11, 2026

This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the Terms of Service between Static Forms ("we", "us", "our") and you ("Customer", "you", "your") for the use of our form processing services. It applies whether you act as a Controller of the Personal Data submitted through your forms or as a Processor on behalf of your own clients (see Section 2.3).

Enterprise and agency customers may request a countersigned PDF copy of this DPA, including the Standard Contractual Clauses and Annexes, by contacting info@staticforms.dev. The Annexes (description of processing, technical and organizational measures, and sub-processor list) and our Transfer Impact Assessment are published online.

Note: This DPA applies to personal data submitted through your forms when we process submissions for delivery, optional storage, optional AI reply generation, optional webhook delivery, and service security/monitoring operations. If you do not enable form storage, submissions are not retained as dashboard submission records.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person submitted through your forms.
  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
  • "Data Subject" means the individual whose Personal Data is being processed (your form submitters).
  • "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
  • "Data Protection Laws" means all applicable laws relating to data protection, including GDPR (EU), CCPA (California), and similar regulations.

2. Roles and Responsibilities

2.1 You as the Data Controller

As the Controller, you:

  • Determine the purposes and means of processing Personal Data
  • Are responsible for the lawfulness of data collection through your forms
  • Must obtain appropriate consent from Data Subjects where required
  • Must inform Data Subjects about data processing in your privacy policy
  • Are responsible for responding to Data Subject requests

2.2 We as the Data Processor

As the Processor, we:

  • Process Personal Data only on your documented instructions
  • Ensure that persons authorized to process Personal Data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist you in responding to Data Subject requests
  • Delete or return Personal Data upon termination of services (at your choice)
  • Make available all information necessary to demonstrate compliance

2.3 Agency and Processor-to-Processor Configurations

If you use Static Forms on behalf of your own clients (for example, as an agency operating forms on websites you build and manage for third parties), then your client is the Controller, you act as a Processor on the Controller's behalf, and we act as your Sub-processor. In that configuration:

  • References in this DPA to your obligations as "Controller" apply to you as Processor acting on the documented instructions of your client (the Controller), and you warrant that those instructions permit the processing described in this DPA
  • You are responsible for ensuring your agreement with the Controller permits the engagement of Static Forms and the sub-processors listed in Section 5
  • For transfers of EU/EEA Personal Data, the Standard Contractual Clauses apply in Module 3 (Processor to Processor), as described in Section 8; where you act as Controller, Module 2 (Controller to Processor) applies instead
  • We will assist you, to the extent reasonably possible, in fulfilling your obligations toward the Controller (including Data Subject requests, breach notification, and audit support under Sections 6, 7, and 10)

3. Processing Details

3.1 Subject Matter and Purpose

We process Personal Data to provide our form processing services, specifically:

  • Receiving form submissions from your website visitors
  • Delivering form submissions to your email address
  • Storing form submissions (when enabled by you)
  • Providing access to stored submissions via dashboard
  • Enabling export of stored submissions
  • Delivering submissions to customer-configured webhooks (when enabled by you)
  • Generating AI-powered responses based on submission data and your configuration (when enabled by you)
  • Maintaining security, abuse prevention, delivery diagnostics, and operational monitoring logs

3.2 Types of Personal Data

The Personal Data processed depends on the fields in your forms, which may include but are not limited to:

  • Contact information (name, email, phone)
  • Message content
  • Any other data fields you include in your forms

3.3 Categories of Data Subjects

Data Subjects are individuals who submit forms on your website, which may include:

  • Your website visitors
  • Your customers or potential customers
  • Any other individuals who interact with your forms

3.4 Duration of Processing

We process Personal Data for the duration of our service agreement and in accordance with your instructions:

  • Transient processing: If form storage is disabled, submissions are processed for delivery and are not retained as dashboard submission records
  • Stored submissions: If form storage is enabled, submissions are retained for the retention period described in Section 3.5, or until you delete them or your account is terminated, whichever comes first
  • After termination: Personal Data is removed from active account records according to our deletion workflows, and operational log records expire according to the retention windows in Section 3.5

3.5 Retention Schedule

  • Stored form submissions (including file attachments): Free plan — 30 days. Paid plans — 365 days by default, configurable per account to 30, 180, 365, 730, 1095, 1460, or 1825 days. Expiry is enforced automatically at the database level (DynamoDB time-to-live); you can delete individual submissions or all stored data at any time before expiry
  • Webhook delivery logs: Retained for up to 14 days
  • AI reply logs: Retained for up to 14 days
  • Operational request logs (Vercel, drained to Axiom): Retained for up to 365 days. These logs contain request metadata (IP address, user agent, referer, field names, and delivery status) but not form field values
  • Error diagnostics (Rollbar): Retained for up to 30 days
  • Database backups: Point-in-time-recovery backups, where enabled, are retained for a maximum of 35 days and are deleted automatically on a rolling basis

4. Security Measures

We implement and maintain appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption of data in transit using TLS/HTTPS
  • Encryption of data at rest in our databases
  • Access controls and authentication mechanisms
  • Regular security assessments and monitoring
  • Employee confidentiality agreements and training
  • Incident response procedures

5. Sub-processors

You authorize us to engage the following sub-processors for the processing of Personal Data:

  • Amazon Web Services (AWS)
    Purpose of processing: Cloud infrastructure: database (DynamoDB), file storage (S3), email delivery (SES)
    Country of operation: USA (us-east-1; storage and primary email delivery); Singapore (ap-southeast-1; email delivery failover)
    Transfer mechanism: EU SCCs (AWS GDPR DPA); EU-U.S. Data Privacy Framework (certified by Amazon.com, Inc.)
  • Vercel
    Purpose of processing: Application hosting, edge network, request logging
    Country of operation: USA
    Transfer mechanism: EU SCCs (Vercel DPA); EU-U.S. Data Privacy Framework (Vercel, Inc.)
  • Axiom
    Purpose of processing: Operational request log storage and monitoring (request metadata and field names; no form field values)
    Country of operation: USA
    Transfer mechanism: EU SCCs (provider DPA)
  • Rollbar
    Purpose of processing: Error monitoring and incident diagnostics
    Country of operation: USA
    Transfer mechanism: EU SCCs (provider DPA)
  • CleanTalk
    Purpose of processing: Spam and abuse moderation of form submissions; receives submission field values, sender email, and IP address for scoring
    Country of operation: European Union (EU data region)
    Transfer mechanism: Processed within the EU (EU data region selected); EU-U.S. Data Privacy Framework (CleanTalk Inc.) and EU SCCs cover any access by the US-incorporated provider
  • Google (Gemini)
    Purpose of processing: AI reply generation for form submissions (only when enabled by you, per form)
    Country of operation: USA
    Transfer mechanism: EU SCCs (Google Cloud DPA); EU-U.S. Data Privacy Framework (Google LLC)
  • PostHog
    Purpose of processing: Product analytics — account identifiers, profile information, subscription details, and product usage events; does not process form submission content
    Country of operation: European Union (EU Cloud)
    Transfer mechanism: Not applicable (processed within the EU)
  • Stripe
    Purpose of processing: Payment processing — account and billing data only; does not process form submission data
    Country of operation: USA
    Transfer mechanism: EU SCCs (Stripe DPA); EU-U.S. Data Privacy Framework (Stripe, LLC)

Webhook Recipients: If you configure webhook destinations, form submission data will also be sent to the endpoint(s) you specify under your instructions. You are responsible for your selected webhook recipients and their compliance obligations.

5.1 Changes to Sub-processors

We will give you advance notice of any intended addition or replacement of a sub-processor at least 14 days before the new sub-processor begins processing Personal Data. We publish each such change to our sub-processor change page, updating the dated changelog in Section 15 of this DPA and the sub-processor list in Annex III. That page is the authoritative, dated record of every change. You have the right to object on reasonable data-protection grounds within 14 days of notice. If we cannot accommodate your objection, you may terminate the affected services.

To receive these notices automatically rather than checking the page, subscribe to its RSS feed in any feed reader or monitoring tool. We may also email the address registered on your account, and will do so where we reasonably consider a change to be material.

6. Data Subject Rights

We will assist you in responding to Data Subject requests to the extent technically feasible and required by law. Data Subjects may exercise the following rights:

  • Access: You can view stored submissions in your dashboard
  • Rectification: You can correct data manually or delete and re-submit
  • Erasure: You can delete individual submissions or all data
  • Portability: You can export submissions in CSV format
  • Restriction/Objection: You can disable form storage at any time

As the Controller, you are responsible for handling Data Subject requests directly. We recommend including information about how to submit such requests in your privacy policy.

7. Data Breach Notification

In the event of a Personal Data breach, we will:

  • Notify you without undue delay (and in any event within 72 hours) after becoming aware of the breach
  • Provide you with sufficient information to meet your notification obligations to supervisory authorities and Data Subjects
  • Cooperate with you and take reasonable steps to assist in the investigation and mitigation of the breach

8. International Data Transfers

Static Forms stores data in the United States (AWS us-east-1) and sends transactional email primarily from the United States (AWS SES), with Singapore (AWS SES ap-southeast-1) configured as a regional failover. Personal Data submitted through your forms is therefore transferred to and processed outside the EU/EEA and the UK. For such transfers we rely on:

  • Standard Contractual Clauses (SCCs): the clauses adopted by the European Commission in Implementing Decision (EU) 2021/914, which are incorporated into this DPA by reference — Module 2 (Controller to Processor) where you act as Controller, and Module 3 (Processor to Processor) where you act as Processor on behalf of your own clients (Section 2.3). Annexes I, II, and III of the SCCs are published at /dpa/annexes. For transfers of UK Personal Data, the SCCs apply as amended by the UK International Data Transfer Addendum issued by the UK Information Commissioner
  • Adequacy decisions where applicable, including the EU-U.S. Data Privacy Framework for certified sub-processors listed in Section 5
  • Supplementary measures described in our Transfer Impact Assessment: encryption in transit (TLS) and at rest, application-layer encryption of stored credentials, strict access controls, log minimization (form field values are excluded from request logs), and the retention limits in Section 3.5

In the event of any conflict between this DPA and the SCCs, the SCCs prevail to the extent of the conflict.

9. Government and Law Enforcement Requests

If we receive a request from a government authority or law enforcement body to disclose Personal Data processed on your behalf, we will:

  • Disclose Personal Data only where required by a valid and legally binding order, and never voluntarily
  • Review each request to assess its legality, scope, and proportionality, and challenge or narrow requests that we consider unlawful or overbroad, using reasonable legal means
  • Notify you before any disclosure, where legally permitted to do so, so that you may seek a protective order or other remedy; where notification is prohibited, we will request that the prohibition be lifted and notify you as soon as it is
  • Redirect the requesting authority to seek the data directly from you wherever possible
  • Disclose only the minimum data necessary to comply with the order

10. Audit Rights

Upon reasonable written request (not more than once per year), we will make available information necessary to demonstrate compliance with this DPA. This may include:

  • Documentation of security measures
  • Third-party audit reports or certifications (when available)
  • Responses to specific compliance questions

11. Term and Termination

This DPA remains in effect for the duration of your use of our services. Upon termination:

  • You may export your stored data before account deletion
  • We will execute account and data deletion workflows and apply configured retention schedules for operational logs unless legally required to retain specific records
  • Certain provisions of this DPA will survive termination (confidentiality, limitation of liability)

12. Your Obligations

By using our form storage feature, you agree to:

  • Ensure you have a lawful basis for collecting Personal Data through your forms
  • Provide clear privacy notices to Data Subjects explaining how their data will be used and stored
  • Obtain appropriate consent where required by applicable law
  • Not collect sensitive/special category data through forms unless you have explicit consent and legal basis
  • Promptly notify us of any Data Subject requests you cannot fulfill without our assistance
  • Comply with all applicable Data Protection Laws

13. Limitation of Liability

Our liability under this DPA is subject to the limitation of liability provisions in our Terms of Service. Neither party excludes or limits liability for death, personal injury, fraud, or any liability that cannot be limited by law.

14. Governing Law and Jurisdiction

14.1 This DPA

Except as set out in Section 14.2, this DPA is governed by, and construed in accordance with, the same law that governs the Terms of Service into which it is incorporated — the laws of the United Arab Emirates, without regard to its conflict of law provisions — and the parties submit to the courts identified in the Terms of Service for any dispute arising out of this DPA.

14.2 Standard Contractual Clauses

Notwithstanding Section 14.1, the Standard Contractual Clauses incorporated under Section 8 are governed by, and disputes arising from them are resolved under, the rules set out in the Clauses themselves. For the purposes of Clause 17 of the Standard Contractual Clauses (Option 1), the Clauses are governed by the law of the Republic of Ireland. For the purposes of Clause 18, any dispute arising from the Clauses will be resolved before the courts of Ireland. This choice does not deprive any Data Subject of the protection of the mandatory provisions of the law of their habitual residence, and Data Subjects may bring proceedings against either party before the courts of the EU/EEA member state in which they are habitually resident, as provided by Clause 18(c).

14.3 Mandatory Rights Preserved

Nothing in this Section limits or excludes any right of a Data Subject, or the jurisdiction of any competent supervisory authority, under applicable Data Protection Laws. Where mandatory Data Protection Laws confer rights or remedies that cannot be varied by agreement, those laws prevail over this Section to the extent of any conflict.

15. Changes to This DPA

We may update this DPA from time to time. Material changes will be notified to you via email or through our service. Continued use of our services after such notification constitutes acceptance of the updated DPA. Each version is identified by the version number and effective date at the top of this page.

15.1 Changelog

  • Version 2.1 — June 11, 2026: Added a Governing Law and Jurisdiction section (Section 14): UAE law for the DPA generally, with a separate choice of Irish law and Irish courts for the Standard Contractual Clauses (Clauses 17 and 18) and an express reservation of mandatory Data Subject rights; renumbered the subsequent sections
  • Version 2.0 — June 11, 2026: Added Processor-to-Processor (agency) coverage and SCC Module 3 (Section 2.3, Section 8); incorporated the EU Standard Contractual Clauses by reference and published Annexes I-III; expanded the sub-processor table with countries of operation and transfer mechanisms; replaced the retention schedule with concrete, per-record retention periods (Section 3.5); added the Government and Law Enforcement Requests policy (Section 9); added a sub-processor advance-notification procedure (Section 5.1); published the Transfer Impact Assessment
  • Version 1.x — December 1, 2025: Initial version covering Controller-to-Processor terms, sub-processor list, 72-hour breach notification, deletion/return on termination, and audit rights

16. Contact Information

For questions about this DPA or to exercise any rights, please contact us:

Acceptance

By using Static Forms and enabling any optional processing features (including form storage, webhooks, or AI reply), you acknowledge that you have read, understood, and agree to be bound by this Data Processing Agreement. This DPA, together with our Terms of Service and Privacy Policy, constitutes the complete agreement between the parties regarding the processing of Personal Data.