Annexes to the Standard Contractual Clauses
Version 1.0 · Effective date: June 11, 2026
These Annexes form part of the Standard Contractual Clauses ("SCCs") adopted by the European Commission in Implementing Decision (EU) 2021/914, which are incorporated by reference into our Data Processing Agreement ("DPA"). Module 2 (Controller to Processor) applies where the Customer acts as Controller; Module 3 (Processor to Processor) applies where the Customer acts as Processor on behalf of its own clients (DPA Section 2.3). For transfers of UK Personal Data, the SCCs apply as amended by the UK International Data Transfer Addendum.
A countersignable PDF of the DPA, SCCs, and these Annexes is available on request from info@staticforms.dev.
Annex I — Description of Processing
A. List of Parties
- Data exporter: the Customer identified by the account registration details held with Static Forms. Role: Controller (Module 2) or Processor acting on behalf of its client, the Controller (Module 3). Activities: operation of websites and web forms that collect Personal Data from data subjects.
- Data importer: Static Forms (contact: info@staticforms.dev). Role: Processor (Module 2) or Sub-processor (Module 3). Activities: provision of form-backend services — receiving form submissions, delivering them by email and configured integrations, optional storage, optional AI reply generation, and related security and operational monitoring.
B. Description of the Transfer
- Categories of data subjects: individuals who submit forms on the Customer's (or, under Module 3, the Controller's) websites — visitors, customers, prospects, applicants, and other contacts.
- Categories of personal data: any data entered into the Customer's form fields, typically contact details (name, email address, phone number) and message content; the submitter's reply-to email address; file attachments where enabled; and technical metadata captured at submission time (IP address, user agent, referer URL).
- Sensitive data: none intended. The DPA (Section 12) prohibits collecting special-category data through forms unless the Customer has an explicit legal basis and consent; Static Forms does not require or solicit such data.
- Frequency of the transfer: continuous, as form submissions occur.
- Nature of the processing: collection (receipt of submissions), transmission (email delivery, customer-configured webhooks and integrations), storage (where form storage is enabled), optional automated reply generation (where AI reply is enabled by the Customer), and security/abuse monitoring.
- Purpose of the transfer and further processing: provision of the form-backend services described in DPA Section 3.1; no processing for Static Forms' own purposes other than service operation, security, and abuse prevention.
- Retention period: as set out in the retention schedule in DPA Section 3.5 (stored submissions: 30 days on the free plan, 365 days by default on paid plans, configurable from 30 days to 5 years; operational request logs: up to 365 days; error diagnostics: up to 30 days; webhook and AI reply logs: up to 14 days; database backups: up to 35 days).
- Onward transfers to sub-processors: as listed in Annex III, for the purposes and durations stated there and in DPA Section 5.
C. Competent Supervisory Authority
In accordance with Clause 13 of the SCCs: where the data exporter is established in an EU Member State, the supervisory authority of that Member State; where the data exporter is not established in the EU but falls within the territorial scope of the GDPR and has appointed a representative, the supervisory authority of the Member State in which the representative is established; otherwise, the supervisory authority of the Member State in which the data subjects whose personal data is transferred are predominantly located.
D. Governing Law and Choice of Forum (Clauses 17 and 18)
For the purposes of Clause 17 of the SCCs, the parties select Option 1: the Clauses are governed by the law of the Republic of Ireland. For the purposes of Clause 18, any dispute arising from the Clauses will be resolved before the courts of Ireland, without prejudice to the right of a data subject to bring proceedings before the courts of the EU/EEA Member State of their habitual residence (Clause 18(c)). This mirrors Section 14.2 of the DPA.
Annex II — Technical and Organizational Measures
Static Forms implements and maintains the following technical and organizational measures to ensure a level of security appropriate to the risk:
- Encryption in transit: all data is transmitted over TLS/HTTPS, including form submissions, dashboard access, API traffic, and traffic to sub-processors.
- Encryption at rest: all stored data (database records and file attachments) is encrypted at rest using AWS-managed encryption (DynamoDB and S3 server-side encryption).
- Application-layer encryption: stored credentials and integration secrets (such as third-party API tokens) are additionally encrypted at the application layer using AES-256-GCM before being written to the database.
- Access control: customer data is segregated per account and accessible only through authenticated sessions (email one-time-passcode or OAuth sign-in) or per-account API keys; administrative access to production infrastructure is restricted to authorized personnel on a need-to-know basis.
- Data minimization in logs: form field values are excluded from operational request logs; logs carry request metadata and field names only.
- Automated retention enforcement: stored submissions and attachments expire automatically at the database level (DynamoDB time-to-live) according to the configured retention period; operational logs expire on rolling windows (DPA Section 3.5).
- Deletion and portability: customers can delete individual submissions, all stored data, or their entire account at any time, and can export stored submissions as CSV from the dashboard on a self-service basis.
- Monitoring and incident response: continuous error and security monitoring with documented incident handling; personal data breaches are notified to customers without undue delay and within 72 hours (DPA Section 7).
- Abuse prevention: automated detection of abusive or fraudulent form usage (including credential-harvesting patterns), operating on field names and request metadata.
- Vendor management: sub-processors are bound by data processing agreements imposing data protection obligations equivalent to those in the DPA, including the transfer mechanisms listed in Annex III.
- Confidentiality: persons authorized to process Personal Data are bound by confidentiality obligations.
- Secure development: changes to the service are version-controlled and reviewed before deployment; dependencies are monitored and updated.
Under Module 3, the data importer will assist the data exporter in fulfilling its obligations to the Controller, including making available the information necessary to demonstrate compliance (DPA Sections 2.3 and 10).
Annex III — List of Sub-processors
The Controller (Module 2) or the Controller via the data exporter (Module 3) authorizes the engagement of the following sub-processors. This list is kept in sync with DPA Section 5; changes follow the advance-notification procedure in DPA Section 5.1.
| Sub-processor | Purpose of processing | Country of operation | Transfer mechanism |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure: database (DynamoDB), file storage (S3), email delivery (SES) | USA (us-east-1; storage and primary email delivery); Singapore (ap-southeast-1; email delivery failover) | EU SCCs (AWS GDPR DPA); EU-U.S. Data Privacy Framework (certified by Amazon.com, Inc.) |
| Vercel | Application hosting, edge network, request logging | USA | EU SCCs (Vercel DPA); EU-U.S. Data Privacy Framework (Vercel, Inc.) |
| Axiom | Operational request log storage and monitoring (request metadata and field names; no form field values) | USA | EU SCCs (provider DPA) |
| Rollbar | Error monitoring and incident diagnostics | USA | EU SCCs (provider DPA) |
| CleanTalk | Spam and abuse moderation of form submissions; receives submission field values, sender email, and IP address for scoring | European Union (EU data region) | Processed within the EU (EU data region selected); EU-U.S. Data Privacy Framework (CleanTalk Inc.) and EU SCCs cover any access by the US-incorporated provider |
| Google (Gemini) | AI reply generation for form submissions (only when enabled by the Customer, per form) | USA | EU SCCs (Google Cloud DPA); EU-U.S. Data Privacy Framework (Google LLC) |
| PostHog | Product analytics — account data only; does not process form submission content | European Union (EU Cloud) | Not applicable (processed within the EU) |
| Stripe | Payment processing — account and billing data only; does not process form submission data | USA | EU SCCs (Stripe DPA); EU-U.S. Data Privacy Framework (Stripe, LLC) |