Template: not legal advice

This Data Processing Agreement is provided as a template for informational purposes only. It is not legal advice and does not create a lawyer-client relationship. Have it reviewed by qualified legal counsel before relying on it.

Data Processing Agreement

Version 1.0, 2026-06-08

This Data Processing Agreement ("DPA") forms part of the agreement between you, the customer ("Customer"), and Formward AB, a company registered in Sweden with its registered office in Stockholm ("Formward", "we", "us"), governing your use of the Formward form-backend service at formward.eu (the "Service"). It records the parties' obligations under Article 28 of the EU General Data Protection Regulation (GDPR) in respect of personal data processed by Formward on the Customer's behalf.

Where this DPA conflicts with our Terms of Service on the subject of data processing, this DPA prevails. Terms not defined here have the meaning given in the GDPR.

1. Roles of the parties

In relation to the personal data contained in form submissions sent through the Customer's forms ("Customer Personal Data"):

  • the Customer is the controller, determining the purposes and means of the processing; and
  • Formward is the processor, processing Customer Personal Data only on the Customer's documented instructions.

For the Customer's own account data (the account email and authentication credentials used to operate the Service), Formward acts as an independent controller; that processing is described in our Privacy Policy and is not the subject of this DPA.

2. Subject-matter, duration, nature and purpose

  • Subject-matter: Formward's processing of Customer Personal Data in order to provide the Service.
  • Duration: for the term of the Customer's use of the Service, plus the deletion/return period described in section 11.
  • Nature: receiving form submissions over HTTPS, storing them, delivering notification emails, optional AI enrichment (paid plans only), optional outbound webhooks the Customer configures, and making submissions available in the Customer's dashboard and via the API.
  • Purpose: providing the contracted form-backend functionality to the Customer.

3. Categories of data subjects and personal data

Categories of data subjects: the Customer's website visitors and other end-users who submit the Customer's forms.

Categories of personal data: whatever fields the Customer chooses to collect in its forms. This typically includes contact details (such as name and email address) and free-text message content, and may include any file attachments the end-user uploads. The Service also processes a keyed-hash pseudonym of the submitter's IP address (HMAC-SHA-256 with a secret server-side salt) for spam detection and rate limiting; the raw IP address is not written to disk.

The Service is not intended for the collection of special categories of personal data (GDPR Article 9) or data relating to criminal convictions (Article 10). The Customer must not submit such data through the Service without appropriate safeguards and remains solely responsible if it does so.

4. Processing on documented instructions

Formward processes Customer Personal Data only on the Customer's documented instructions, including with regard to transfers, unless required to do otherwise by EU or Swedish law (in which case we will, where legally permitted, inform the Customer before processing). The Customer's instructions are constituted by this DPA, the Terms of Service, and the Customer's configuration and use of the Service (for example the forms it creates, the notification recipients, retention windows, and webhooks it sets up). Formward will inform the Customer if, in its opinion, an instruction infringes the GDPR or other EU/Member-State data protection law.

5. Confidentiality

Formward ensures that persons authorised to process Customer Personal Data are bound by an appropriate duty of confidentiality and process the data only as necessary to provide and support the Service. Access to production systems follows the principle of least privilege and is limited to authorised personnel.

6. Security measures (Article 32)

Formward implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • encryption of data in transit (TLS 1.2 or higher) and at rest;
  • immediate keyed-hash pseudonymisation of submitter IP addresses (HMAC-SHA-256 with a secret salt); raw IP addresses are never persisted;
  • salted, hashed storage of account passwords; we never store credentials in plain text;
  • least-privilege access controls limiting production access to authorised personnel;
  • an EU-only infrastructure footprint, reducing the data-flow surface to be secured;
  • regular backups, retained for a limited rotation period.

A fuller description is on our Security page. We do not currently hold a SOC 2 or ISO 27001 certification and do not claim one; we will publish certifications only once independently completed.

7. Sub-processors

The Customer authorises Formward to engage the sub-processors listed below. Except where expressly noted, each is located within the European Union or European Economic Area and is bound by a written contract imposing data-protection obligations no less protective than those in this DPA. Every sub-processor that touches form-submission data is in the EU/EEA. Two sub-processors involve the United States, neither for submission data: Cloudflare (optional Turnstile, engaged only at the Customer's option) and Stripe, whose EU entity contracts with Formward but whose US parent processes the Customer's own billing data under Article 46 safeguards. Both are described in the table and the notes that follow it.

| Sub-processor | Purpose | Region |
|---|---|---|
| Hostup AB | Cloud hosting and PostgreSQL database storing submission and account data | Sweden (EU) |
| Mailjet / Sinch | Transactional email delivery of submission notifications to form owners | France (EU) |
| Mistral AI | AI enrichment of submissions (spam scoring, summarisation, lead scoring). Paid plans only; free-plan submissions are never sent. | France (EU) |
| Stripe | Billing and subscription management; processes Customer billing data, not end-user submission data | EU contracting entity (Stripe Payments Europe, Dublin); parent Stripe, Inc. (USA). Billing data processed partly in the US under SCCs / EU–US DPF. |
| Cloudflare | Bot-challenge / CAPTCHA (Cloudflare Turnstile). Optional, per form: engaged only when the Customer enables the Turnstile anti-bot challenge on a form. The end-user's browser contacts Cloudflare to solve the challenge; Formward does not send the submitter's IP address to Cloudflare. | Cloudflare, Inc. (USA) |

Cloudflare Turnstile (optional anti-bot). Turnstile is off by default and is used only on forms where the Customer explicitly enables it. When enabled, the end-user's browser loads and interacts with the Cloudflare Turnstile widget to prove it is not a bot, which means Cloudflare (a US-based provider) processes challenge-related data from the visitor's browser. Formward's server-side verification call does not transmit the submitter's IP address to Cloudflare. Because Cloudflare is outside the EU/EEA, any transfer is covered by the applicable Article 46 safeguard (e.g. Standard Contractual Clauses and/or the EU–US Data Privacy Framework where Cloudflare is certified). Customers who wish to keep all processing within the EU/EEA can simply leave Turnstile disabled.

Stripe (billing). Subscription billing is handled by Stripe Payments Europe, Ltd. (Dublin, Ireland), whose parent is Stripe, Inc. in the United States. Stripe processes the Customer's own billing data — name, email, billing address, and payment-method details — and some of this billing data is processed in the US under Standard Contractual Clauses and the EU–US Data Privacy Framework, where Stripe is certified. Stripe never receives form-submission content or the personal data of the people who fill in the Customer's forms; this touchpoint concerns only the billing relationship between Formward and its paying customers.

Right to object. We maintain the current list of sub-processors on this page. We will give the Customer prior notice of any intended addition or replacement of a sub-processor, giving the Customer the opportunity to object on reasonable data-protection grounds. If the Customer objects and we cannot reasonably accommodate the objection, the Customer may terminate the affected part of the Service. Formward remains liable to the Customer for the performance of each sub-processor's obligations.

8. Assistance with data-subject rights

Taking into account the nature of the processing, Formward assists the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer's obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, and objection). The Customer can satisfy many such requests directly through the Service: submissions can be viewed, exported, and deleted from the dashboard, and the Customer's own account data can be exported and erased from the account settings. Where a data subject contacts Formward directly about Customer Personal Data, we will refer them to the Customer.

9. Personal data breach notification

Formward notifies the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and in any event in time to support the Customer's own notification obligations under GDPR Articles 33 and 34. The notification will describe, to the extent known, the nature of the breach, the likely consequences, and the measures taken or proposed to address it. Formward also assists the Customer in ensuring compliance with its obligations under Articles 32 to 36.

10. Records and audit rights

Formward makes available to the Customer all information reasonably necessary to demonstrate compliance with the obligations in Article 28 and this DPA, and allows for and contributes to audits, including inspections, conducted by the Customer or an auditor it mandates. To protect the confidentiality and security of other customers, audits are subject to reasonable advance notice, confidentiality undertakings, and a frequency and scope proportionate to the risk; where available, Formward may satisfy an audit request by providing relevant documentation or third-party reports in place of an on-site inspection.

11. Deletion or return on termination

On termination of the Service, and at the Customer's choice, Formward deletes or returns the Customer Personal Data and deletes existing copies, unless EU or Swedish law requires continued storage. The Customer may export its data at any time during the term through the dashboard and API. Following account deletion, Customer Personal Data is removed within a reasonable period; residual copies in encrypted backups are overwritten on the normal backup-rotation cycle.

12. International transfers

By default, Formward does not transfer Customer Personal Data outside the European Union or European Economic Area. All processing of form-submission data by Formward and by each EU/EEA sub-processor listed in section 7 takes place within the EU/EEA, so for that data no third-country transfer mechanism is required. There are two third-country touchpoints, both described in section 7 and neither involving form-submission data: (a) the optional Cloudflare Turnstile anti-bot challenge — when the Customer enables it on a form, the end-user's browser interacts with Cloudflare (USA), and that transfer is covered by an appropriate Article 46 safeguard (Standard Contractual Clauses and/or the EU–US Data Privacy Framework where applicable); Turnstile is off unless the Customer turns it on — and (b) Stripe, which processes the Customer's own billing data partly in the US under Standard Contractual Clauses and the EU–US Data Privacy Framework. Should our use of non-EU/EEA processing otherwise change, we would put an appropriate Article 46 transfer mechanism in place and update this DPA and our sub-processor list beforehand.

13. General

This DPA is governed by the laws of Sweden, without prejudice to the GDPR's direct application. If any provision is held invalid, the remainder continues in effect. We may update this DPA to reflect changes in the Service, our sub-processors, or applicable law; material changes will be reflected in an increased version number and date at the top of this page, and, where appropriate, notified to registered customers.

14. Contact

For any matter relating to this DPA or our processing of Customer Personal Data, contact our Data Protection Officer at privacy@formward.eu.

Formward AB
Stockholm, Sweden
Privacy / DPO: privacy@formward.eu
