Record of processing activities
GDPR Article 30(2) · Last updated: 2026-06-11
This is Formward's record of the categories of processing activities it carries out on behalf of its customers, maintained under Article 30(2) of the GDPR (processor record). For each form, the customer is the controller and Formward is the processor. It is provided so controllers can complete their own Article 30(1) records. It complements our DPA and sub-processor register.
- Processor
- Formward AB, Stockholm, Sweden. Data Protection Officer: privacy@formward.eu.
- Controller
- The customer (the account holder operating the form). The customer determines the purposes and means of processing the submissions it collects.
- Roles
- For submission data, Formward processes only on the customer's documented instructions (its configuration and use of the Service). For the customer's own account/login data, Formward is an independent controller; that processing is described in the Privacy Policy.
- Categories of data subjects
- The customer's website visitors and other end-users who submit the customer's forms.
- Categories of personal data
- Whatever fields the customer chooses to collect, typically contact details (name, email) and free-text message content, and any file attachments the end-user uploads. The Service also stores a keyed-hash pseudonym of the submitter's IP address (HMAC-SHA-256 under a secret key held server-side) for spam detection and rate limiting; the raw IP is never written to disk. Where the form enables consent capture, the agreed consent text and the timestamp of consent are stored as proof. The Service is not intended for special-category (Article 9) or criminal-offence (Article 10) data.
- Purposes of processing
- Receiving form submissions over HTTPS; storing them; delivering notification emails; optional AI enrichment (on plans where enabled); optional customer-configured outbound webhooks; and making forms and submissions available in the dashboard and via the scoped REST API (which can also create, update, and delete forms and manage triage).
- Recipients / sub-processors
- For form-submission data: Hostup AB (hosting/storage, Sweden), Mailjet/Sinch (email, EU), Mistral AI (optional AI, EU), and Cloudflare (optional anti-bot, US). Separately, Stripe (EU contracting entity in Dublin; parent Stripe, Inc. in the US) processes the paying customer's billing data for subscription payments and never receives form-submission data — see the sub-processor register. Notification emails and webhooks are delivered to recipients the customer configures.
- Third-country transfers
- None for form-submission data: all processing of submission data stays in the EU/EEA. Two US touchpoints sit outside the submission-data flow, each covered by an Article 46 safeguard: the optional Cloudflare Turnstile challenge (challenge data, off unless enabled), and Stripe, which processes the paying customer's billing data partly in the US under Standard Contractual Clauses and the EU–US Data Privacy Framework. See the transfer-impact statement.
- Retention
- Submissions are retained for as long as the customer keeps them, subject to any per-form auto-deletion (retention window) the customer configures. Customers can export and delete submissions at any time, and can erase a data subject across all forms via the DSAR console. On account termination, data is deleted or returned at the customer's choice; residual copies in encrypted backups are overwritten on the normal backup-rotation cycle.
- Security measures (Article 32)
- TLS 1.2+ in transit and encryption at rest; immediate keyed-hash pseudonymisation of submitter IPs (raw IPs never persisted); salted, hashed account passwords; least-privilege production access; an EU-only infrastructure footprint; HMAC-signed, timestamped (v1 scheme) outbound webhooks; and regular encrypted backups. See the Security page.
- Data-subject rights support
- The Service lets the controller view, export, and delete submissions, and erase a data subject across all forms (DSAR console with an erasure certificate). Per-form GDPR consent capture stores the exact agreed text and timestamp as proof.
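Two of the measures above are concrete techniques rather than policy: the keyed-hash IP pseudonym used for spam detection and rate limiting (categories of personal data), and the HMAC-signed, timestamped outbound webhooks (Article 32 measures). The following is an added illustration of both, written for this page; it is not Formward's code, and the page does not specify Formward's wire format. Everything specific is an assumption: the secret values, the IPv4-mapped-address canonicalisation, the `t=<unix>,v1=<hex>` signature header layout, the `"<timestamp>.<body>"` signing string, and the 300-second replay tolerance. It also goes slightly beyond the text by showing why the hash must be keyed (IPv4 is only 2^32 values, so an unkeyed hash is reversible by enumeration) and by using the pseudonym in a sliding-window rate limiter.

```python
import hashlib
import hmac
import ipaddress
from collections import defaultdict, deque

# Assumed secrets, constructed for this example. In production they would
# come from a secrets manager and be rotated; they are never part of the record.
IP_PSEUDONYM_KEY = b"example-ip-pseudonym-key-rotate-me"
WEBHOOK_SIGNING_SECRET = b"example-webhook-signing-secret"


def pseudonymise_ip(ip_text: str, key: bytes = IP_PSEUDONYM_KEY) -> str:
    """Stable, keyed pseudonym for a submitter IP; the raw address is not kept.

    HMAC rather than a bare hash matters: IPv4 has 2^32 addresses, so an
    unkeyed SHA-256 of the address could be inverted by enumeration. The
    address is canonicalised first so that textual variants of the same
    address (including an IPv4-mapped IPv6 form, an assumption made here)
    map to one pseudonym, which the rate limiter depends on.
    """
    addr = ipaddress.ip_address(ip_text.strip())
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # treat ::ffff:a.b.c.d as a.b.c.d
    return hmac.new(key, addr.packed, hashlib.sha256).hexdigest()


class SlidingWindowLimiter:
    """Per-pseudonym submission counter; only pseudonyms enter this structure."""

    def __init__(self, limit: int, window_s: float):
        self.limit = limit
        self.window_s = window_s
        self._hits: dict[str, deque] = defaultdict(deque)

    def allow(self, pseudonym: str, now: float) -> bool:
        q = self._hits[pseudonym]
        while q and now - q[0] >= self.window_s:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def _signing_input(timestamp: int, body: bytes) -> bytes:
    # Assumed v1 signing string: "<timestamp>.<raw body bytes>". Binding the
    # timestamp into the MAC is what stops an attacker from replaying an old
    # body with a fresh-looking timestamp.
    return f"{timestamp}.".encode() + body


def sign_webhook(body: bytes, timestamp: int, secret: bytes = WEBHOOK_SIGNING_SECRET) -> str:
    """Sender side: produce the assumed 't=<unix>,v1=<hex>' header value."""
    mac = hmac.new(secret, _signing_input(timestamp, body), hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def verify_webhook(body: bytes, signature_header: str, now: int,
                   secret: bytes = WEBHOOK_SIGNING_SECRET, tolerance_s: int = 300) -> bool:
    """Receiver side: reject malformed headers, stale timestamps and bad MACs.

    The MAC is recomputed over the *sender's* timestamp from the header, not the
    receiver's clock, and compared in constant time.
    """
    try:
        fields = dict(part.split("=", 1) for part in signature_header.split(","))
        ts = int(fields["t"])
        presented = fields["v1"]
    except (ValueError, KeyError):
        return False
    if abs(now - ts) > tolerance_s:  # replay / stale delivery window
        return False
    expected = hmac.new(secret, _signing_input(ts, body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Constructed sample: same host in three textual forms, one pseudonym.
    p = pseudonymise_ip("203.0.113.7")
    assert p == pseudonymise_ip(" 203.0.113.7 ") == pseudonymise_ip("::ffff:203.0.113.7")
    limiter = SlidingWindowLimiter(limit=3, window_s=60)
    print([limiter.allow(p, t) for t in (0, 1, 2, 10, 61)])  # three allowed, one blocked, then window reopens
    body = b'{"form":"contact","email":"alice@example.com"}'
    header = sign_webhook(body, timestamp=1_700_000_000)
    print(verify_webhook(body, header, now=1_700_000_030))        # fresh, intact
    print(verify_webhook(body + b" ", header, now=1_700_000_030)) # tampered body
    print(verify_webhook(body, header, now=1_700_000_400))        # outside tolerance
```

Usage note: a receiver must compute the MAC over the exact raw request bytes, before any JSON parsing or re-serialisation, and should apply the timestamp check before the MAC check only as a cheap pre-filter; the MAC comparison is still the authoritative step and must use `hmac.compare_digest`.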
This record reflects how the Service is built and is updated when our processing changes. It is reference documentation, not legal advice.