GDPR form backend
A GDPR form backend, hosted in the EU
A form backend collects what people submit to your forms — names, email addresses, messages, files — which is almost always personal data. Under the GDPR, where that data is stored and who can reach it matters. Formward is a form backend built and operated in the EU: the application is self-hosted in Sweden, every sub-processor that touches submission data is in the EU/EEA, and the GDPR paperwork is in order by default rather than as an add-on.
What makes it GDPR-clean
- Hosted in the EU. The application and PostgreSQL database run in Sweden on infrastructure operated by Hostup AB. There is no US-based or non-EU cloud for personal data.
- EU-only sub-processors for submission data. Notification email goes through Mailjet (Sinch) from an EU data centre in France; optional AI enrichment runs on Mistral AI in France. Every processor that touches submission content is in the EU/EEA. The full list is in our sub-processor register.
- Keyed-hash submitter IPs. Submitter IP addresses are protected with a keyed hash (HMAC-SHA-256 using a secret server-side salt) on receipt. Raw IPs are never written to disk.
- Export and erasure, self-serve. Data-subject rights — access, export, and erasure — are handled from your account settings, so you can satisfy requests from the people who fill in your forms.
- Processor terms and records. Formward acts as your processor with a Data Processing Agreement available, and our Article 30 record of processing is published in the compliance pack.
- No third-party tracking. We do not run advertising or profiling trackers on your visitors.
Compared with US form backends
Many popular form backends are US companies running on US infrastructure. They are capable products, but for an EU business the form data itself then sits outside the EU, which turns a simple contact form into an EU–US data-transfer question under Chapter V of the GDPR.
Formward
- Application self-hosted in Sweden, in EU data centres.
- Every submission-data sub-processor is in the EU/EEA.
- Submission data designed never to leave the EU/EEA.
- No Chapter V transfer mechanism needed for submission data.
Typical US form backend
- US company on US infrastructure.
- Form data stored or processed outside the EU.
- EU–US transfer governance required for the form data.
- Subject to US surveillance-law scrutiny (Schrems II).
For the detail on the two minor US touchpoints we do have — optional Cloudflare Turnstile and Stripe for billing of paying customers, neither of which receives form-submission content — see our transfer-impact statement.
It is still just an HTML form endpoint
GDPR-clean hosting does not mean a heavier integration. You point your existing form at a Formward endpoint and submit over a standard POST. There is no SDK to install and it is framework-agnostic. Send the Accept: application/json header or use fetch() for a JSON response. See the docs to wire one up.
Frequently asked questions
- What makes Formward a GDPR form backend?
- Formward is hosted in Sweden, every sub-processor that touches form-submission data is in the EU/EEA, submitter IP addresses are protected with a keyed hash on receipt, data-subject export and erasure are self-serve, and a Data Processing Agreement is available. The Service is built to act as your processor under the GDPR.
- Where is form-submission data stored?
- Submissions, account data, file attachments, and backups are stored in Sweden on infrastructure operated by Hostup AB. Notification email is delivered via Mailjet (Sinch) from an EU (French) data centre, and optional AI enrichment runs on Mistral AI within the EU. By design, form-submission data does not leave the EU/EEA.
- How are submitter IP addresses handled?
- Submitter IP addresses are protected with a keyed hash (HMAC-SHA-256 using a secret server-side salt) immediately on receipt. Raw IP values are never written to disk, and the stored value cannot be linked back to an IP without the secret salt. They are used for abuse protection, not tracking.
- Do you act as a controller or a processor?
- Formward acts as a processor on your behalf for form-submission data. You remain the controller. A Data Processing Agreement is available on request from privacy@formward.eu, and our Article 30 record of processing is published in the compliance pack.
- Can the people who fill in my forms exercise their GDPR rights?
- Yes. You can export submission data and erase it from your account settings, which lets you satisfy access and erasure requests. Pseudonymised IP values share the lifetime of the submission they belong to.
- Do you hold a SOC 2 or ISO 27001 certification?
- Not currently. We do not claim certifications we do not hold. Our security and data-protection posture is documented openly across our Security, Privacy, and compliance pages, and a formal SOC 2 programme is on the roadmap.
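The keyed-hash handling of submitter IPs described under "What makes it GDPR-clean" and in the FAQ above can be sketched as follows. This is an added example, not Formward's code: the key value, the function names and the 203.0.113.0/24 documentation addresses are constructed, and the address normalisation and the contrast with an unkeyed hash go beyond what the page states.

```python
import hashlib
import hmac
import ipaddress

# Assumption: in production the key is loaded from a secret store and is never
# kept beside the database. The page calls this key a "secret server-side salt".
SERVER_KEY = b"constructed-demo-key-not-for-production"


def canonical_ip(raw: str) -> bytes:
    """Normalise textual variants so one client always maps to one token.
    Raises ValueError for input that is not an IP address."""
    ip = ipaddress.ip_address(raw.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:203.0.113.7 -> 203.0.113.7
    return ip.packed  # 4 or 16 bytes, independent of how the text was written


def pseudonymise_ip(raw: str, key: bytes = SERVER_KEY) -> str:
    """HMAC-SHA-256 token that is stored in place of the raw address."""
    return hmac.new(key, canonical_ip(raw), hashlib.sha256).hexdigest()


def same_client(stored_token: str, raw: str, key: bytes = SERVER_KEY) -> bool:
    """Abuse check: does the incoming address match a stored token?"""
    return hmac.compare_digest(stored_token, pseudonymise_ip(raw, key))


def unkeyed_hash(raw: str) -> str:
    """Plain SHA-256, shown only for contrast with the keyed form."""
    return hashlib.sha256(canonical_ip(raw)).hexdigest()


def recover_by_enumeration(token: str, network: str, hash_fn):
    """Audit helper: can a party holding only the stored token and a guess at
    the address range work out which address produced it?"""
    for host in ipaddress.ip_network(network).hosts():
        if hmac.compare_digest(hash_fn(str(host)), token):
            return str(host)
    return None


def hash_without_server_key(raw: str) -> str:
    """What a party with the database but not the key is able to compute."""
    return pseudonymise_ip(raw, key=b"guessed-key")
```

The audit helper shows why the key matters: an unkeyed hash of an address in a known range is recovered by simple enumeration, while the HMAC token is not recoverable without the server key.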
A GDPR form backend, by default
Start free with 100 submissions a month. EU hosting on every plan, GDPR-clean from the first submission.