Compliance pack
Formward is an EU form backend: the application is self-hosted in Sweden, and we have designed the Service so that your form-submission data — and the personal data of the people who fill in your forms — never leaves the EU/EEA. The only US touchpoints are optional Cloudflare Turnstile and Stripe, which processes paying customers' billing data (not submission data) to run subscription payments. These documents describe how we process data as a processor on your behalf, so you can complete your own GDPR records as the controller. They sit alongside our Data Processing Agreement and Privacy Policy.
Sub-processor register
The current list of sub-processors Formward engages, their purpose, location, the data they touch, and whether each is always-on or optional. Includes our change-notification commitment.
Read document →
Record of processing (Article 30)
Our Article 30 record of processing activities as processor: roles, categories of data subjects and data, purposes, recipients, retention, and security measures.
Read document →
Transfer-impact statement
Where data goes. Form-submission data stays in the EU/EEA; the US touchpoints — optional Cloudflare Turnstile and Stripe for billing of paying customers — are documented with their safeguard posture.
Read document →
Document, not legal advice
These pages describe how the Service is built and operated in good faith. They are reference documentation, not legal advice. Have your own counsel confirm how they map onto your obligations. For compliance questions, contact our Data Protection Officer at privacy@formward.eu.