Transfer Impact Assessment

Version 1.1 · Effective date: June 11, 2026 · Next scheduled review: June 2027

This Transfer Impact Assessment ("TIA") documents our assessment of transfers of EU/EEA and UK Personal Data to third countries, following the structure recommended by the European Data Protection Board (Recommendations 01/2020) and the requirements of the Schrems II ruling (C-311/18). It supplements our Data Processing Agreement and the SCC Annexes. Customers (and, under the Processor-to-Processor configuration, their clients) may rely on this document for their own transfer assessments.

1. Mapping of Transfers

  • United States (primary): form submissions, file attachments, and account data are stored in AWS us-east-1 (DynamoDB, S3); outbound email is sent primarily from AWS SES in the United States; the application runs on Vercel (USA); operational request logs are stored with Axiom (USA); error diagnostics with Rollbar (USA); billing data with Stripe (USA); AI reply content, where enabled, with Google (Gemini, USA).
  • Singapore: AWS SES in ap-southeast-1 is configured as the regional failover for outbound email delivery. Email content transits this region only when failover is active, for delivery, and is not retained as stored submission data there.
  • European Union: product analytics (PostHog EU Cloud) — account data only, no form submission content; and spam/abuse moderation (CleanTalk, EU data region) — which receives form content but stores and processes it within the EU. There is no third-country transfer of this data, save for any incidental access by the US-incorporated providers, which is covered by the DPF/SCCs noted in Annex III.
  • United Arab Emirates (data importer's place of establishment): Static Forms is established in the United Arab Emirates. No Personal Data is stored at rest in the UAE; however, authorized personnel access stored submissions and account data remotely from the UAE for support, security, and operational purposes, over authenticated and TLS-encrypted channels. This remote access constitutes a transfer to the UAE, a third country for which no EU adequacy decision exists, and is covered by the same SCCs and supplementary measures as the transfers above.

The data transferred is described in Annex I.B: form field contents (typically contact details and message content), reply-to addresses, file attachments where enabled, and technical metadata (IP address, user agent, referer). The full sub-processor list with transfer mechanisms is published in Annex III.

2. Transfer Tools Relied Upon

  • EU Standard Contractual Clauses (Implementing Decision (EU) 2021/914) — Module 2 (Controller to Processor) or Module 3 (Processor to Processor), incorporated into the DPA by reference, with the UK International Data Transfer Addendum for UK data
  • The EU-U.S. Data Privacy Framework adequacy decision, for sub-processors that hold an active DPF certification
  • Back-to-back data processing agreements with each sub-processor incorporating the same or equivalent transfer mechanisms

3. Assessment of Third-Country Law

3.1 United States

  • FISA Section 702: permits targeted directives to "electronic communication service providers". Our infrastructure providers (AWS, Vercel) fall within the potential scope of this definition. However, FISA 702 targeting is directed at non-U.S. persons of foreign-intelligence interest; the data processed by Static Forms — website contact-form submissions for small businesses and agencies — is of negligible foreign-intelligence value, and we are not aware of any request ever having been received concerning data we process.
  • Executive Order 12333: concerns intelligence collection that takes place outside the U.S. compelled-disclosure mechanisms, primarily collection of data while in transit. All our traffic is encrypted in transit with TLS, which the EDPB recognizes as an effective measure against in-transit collection.
  • CLOUD Act: permits U.S. law enforcement to compel disclosure from providers subject to U.S. jurisdiction pursuant to a warrant or court order based on probable cause of a specific criminal offence. This is a targeted instrument, not bulk collection; our Government and Law Enforcement Requests policy (DPA Section 9) governs how we handle any such order.
  • Redress: Executive Order 14086 introduced binding safeguards (necessity and proportionality limits on signals intelligence) and a two-level redress mechanism, including the Data Protection Review Court, available to EU data subjects. These safeguards underpin the European Commission's adequacy decision for the EU-U.S. Data Privacy Framework and apply to U.S. intelligence collection generally, not only to DPF-certified recipients.

3.2 Singapore

  • Singapore has a comprehensive data protection law (the Personal Data Protection Act 2012). Government access to data held by private providers requires specific legal process (e.g. under the Criminal Procedure Code).
  • Exposure is limited: only outbound email delivery transits Singapore (AWS SES). Submission data is not stored at rest in Singapore as dashboard records; SES processes message content transiently for delivery.

3.3 United Arab Emirates

  • Data protection framework: the UAE has a comprehensive federal data protection law (Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data), which establishes lawful-basis, purpose-limitation, security, and data-subject-rights obligations broadly comparable to the GDPR.
  • Government access: UAE authorities can compel disclosure of data held by a private entity only through specific legal process — principally the Criminal Procedure Law and the Cybercrimes Law (Federal Decree-Law No. 34 of 2021) — pursuant to a targeted order in connection with a defined investigation. These are targeted, case-by-case instruments, not bulk or indiscriminate collection mechanisms.
  • Exposure is limited: no submission data or account data is stored at rest in the UAE. Static Forms personnel access data remotely from the UAE under strict, authenticated, role-based access controls; the underlying records remain in AWS (US) and, for the EU-region sub-processors, in the EU. The data concerned — routine website contact-form submissions for small businesses and agencies — is of negligible state-security or intelligence value.
  • Handling of orders: any UAE government or law-enforcement request is handled under our Government and Law Enforcement Requests policy (DPA Section 9), which applies to requests from any jurisdiction — disclosing only under a valid binding order, challenging overbroad requests, and notifying the customer before disclosure where legally permitted.

3.4 Practical Experience

As of the effective date of this TIA, Static Forms has never received a government or law-enforcement request for customer data, from any jurisdiction. We will update this section if that changes, to the extent we are legally permitted to do so.

4. Supplementary Measures

  • Technical: TLS encryption in transit for all traffic; encryption at rest for all stored data (AWS-managed); application-layer AES-256-GCM encryption for stored credentials and integration secrets; exclusion of form field values from operational request logs, so that the longer-lived operational logs contain only request metadata and field names rather than submission content; automatically enforced time-to-live expiry of stored submissions and attachments (DPA Section 3.5); per-account data segregation and access controls.
  • Organizational: a published government-request policy committing to disclose only under valid binding orders, to challenge overbroad requests, and to notify customers before disclosure where legally permitted (DPA Section 9); restriction of production access to authorized personnel; documented incident response with 72-hour breach notification.
  • Contractual: SCCs with all customers (Modules 2 and 3); sub-processor DPAs with equivalent obligations; a 14-day advance-notification and objection procedure for sub-processor changes (DPA Section 5.1).

5. Conclusion

Taking into account (a) the nature of the data transferred (routine website contact-form submissions of negligible foreign-intelligence value), (b) the legal safeguards now applicable to U.S. intelligence collection under Executive Order 14086 and the EU-U.S. Data Privacy Framework adequacy decision, (c) the targeted and judicially supervised character of the compelled-disclosure instruments that could theoretically reach this data in the United States, Singapore, and the United Arab Emirates, (d) the absence of any government request in our operating history, from any jurisdiction, and (e) the supplementary measures described above — including that no submission data is stored at rest in the UAE and remote access is access-controlled and encrypted — we assess that the SCCs as implemented provide an essentially equivalent level of protection for the transfers described in Section 1, and that the transfers may proceed.

6. Review

This TIA is reviewed at least annually, and earlier upon any material change: new sub-processors or regions, relevant changes in third-country law or jurisprudence, or receipt of a government request. The version and effective date at the top of this page identify the current revision.