Transfer-impact statement

Last updated: 2026-06-11

Your form-submission data — and the personal data of the people who fill in your forms — does not leave the EU/EEA. The application is self-hosted in Sweden, and every sub-processor that touches submission data is in the EU. The only third-country touchpoints are (a) the optional Cloudflare Turnstile anti-bot challenge, which is off unless you enable it on a form, and (b) Stripe, which processes the paying customer's own billing data (name, email, billing address, payment method) — not submission data — to run subscription payments. Both are covered by Article 46 safeguards.

Where data lives

Submissions, account data, file attachments, and backups are stored in Sweden on infrastructure operated by Hostup AB. Notification email is delivered via Mailjet (Sinch) from an EU (French) data centre. Optional AI enrichment, where a plan enables it, is processed by Mistral AI within the EU. For all of this submission-data processing there is no third-country transfer and no Chapter V transfer mechanism is required. The full list, including the billing sub-processor, is in the sub-processor register.

US touchpoint 1: Cloudflare Turnstile (optional)

Turnstile is a privacy-friendly bot challenge you can enable per form. It is disabled by default. When you enable it, the visitor's browser loads and solves the Cloudflare Turnstile widget, so Cloudflare, Inc. (United States) processes challenge-related data from the browser. This concerns the people filling in your forms, not your billing relationship.

  • What is transferred: challenge-related data exchanged between the visitor's browser and Cloudflare to prove the visitor is not a bot.
  • What is not transferred: by default, Formward's server-side verification call does not send the submitter's IP address to Cloudflare, and we never route your submission payloads through Cloudflare. An operator can opt in to forwarding the submitter IP for stronger scoring (the TURNSTILE_SEND_REMOTEIP setting); when that is enabled, the submitter's IP is also sent to Cloudflare.
  • When it happens: only on forms where you have explicitly turned Turnstile on.

US touchpoint 2: Stripe (billing of paying customers)

Subscription payments are handled by Stripe Payments Europe, Ltd. (our contracting entity in Dublin, Ireland), whose parent company, Stripe, Inc., is in the United States. To process payments, Stripe handles the paying customer's own personal data — name, email address, billing address, and payment-method details — and some of that billing data is processed in the US. This is an ordinary consequence of accepting card payments and is how most EU SaaS operates.

  • Whose data: only the Formward account holder paying for the subscription. It does not involve the people who fill in your forms.
  • What is not transferred: Stripe never receives form-submission content or submitter PII. Submission data stays with the EU/EEA sub-processors and is never routed through Stripe.
  • When it happens: whenever you hold a paid subscription, for the duration of that billing relationship.

Safeguard posture

Both US touchpoints are covered by applicable Article 46 safeguards — Standard Contractual Clauses (SCCs) and/or the EU–US Data Privacy Framework where the provider is certified. For Cloudflare Turnstile, the data involved is limited to bot-challenge interactions rather than the content of the submission, which lowers the risk profile of the transfer. For Stripe, the transfer is limited to the paying customer's billing data and excludes all form-submission data. We keep these assessments under review and will update this page if either provider's certification status or our use of it changes.

How to keep submission data entirely in the EU/EEA

Leave Cloudflare Turnstile disabled on your forms. With Turnstile off, every sub-processor that handles your form-submission data is in the EU/EEA and no third-country transfer of submission data occurs. The Stripe touchpoint above is unaffected because it concerns only billing, not submission data, and applies only while you hold a paid subscription. Formward's other anti-spam layers — honeypot field, rate limiting, origin allowlists, and (on paid plans) EU-hosted AI spam scoring — continue to work without Turnstile. See the spam-filtering docs for the alternatives.

Should our use of non-EU/EEA processing otherwise change, we would put an appropriate Article 46 mechanism in place and update this statement, the sub-processor register, and the DPA beforehand. This statement is reference documentation, not legal advice.