Schrems II compliant forms

The cleanest way to deal with Schrems II is to not transfer the data in the first place. Formward keeps form-submission data in the EU/EEA: the application is self-hosted in Sweden and every sub-processor that touches submission data is in the EU. With no third-country transfer of that data, the EU–US transfer assessment the Schrems II ruling put on the table simply does not arise for your form data.

What Schrems II actually means

In 2020 the Court of Justice of the EU (the Schrems II judgment) invalidated the EU–US Privacy Shield because US surveillance law can compel US providers to hand over personal data, undermining the protection EU data subjects are owed. The practical consequence: if a US provider stores or processes EU personal data in the US, you have to assess that transfer, apply Article 46 safeguards such as Standard Contractual Clauses, and judge whether supplementary measures are needed. For a form backend handling names, emails, and messages, that is a real burden you did not ask for.

How Formward sidesteps it

  • No transfer of submission data. Submissions, account data, attachments, and backups stay in Sweden; notification email and optional AI enrichment are processed in the EU (France). There is no Chapter V transfer of submission data to assess.
  • EU-only sub-processors for the form data. Hosting (Hostup AB), email (Mailjet / Sinch), and AI (Mistral AI) are all EU. See the sub-processor register.
  • Keyed-hash submitter IPs. IPs are protected with a keyed hash (HMAC-SHA-256, secret server-side salt) on receipt; raw IPs are never stored.
  • Documented US touchpoints. The two limited US touchpoints — optional Cloudflare Turnstile and Stripe for billing — are set out in full, with their safeguard posture, in our transfer-impact statement.
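The keyed-hash bullet above, worked through as an added example (this is not Formward's code). The function names, the demo key and the normalisation choices are assumptions made for illustration; the key plays the role of what the page calls the secret server-side salt.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional

# Constructed demo key (assumption). A real key is random, held server-side
# and never hard-coded or stored next to the digests.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def canonical_ip(raw: str) -> bytes:
    """Normalise textual variants so one address always maps to one digest."""
    addr = ipaddress.ip_address(raw.strip())
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the plain IPv4 address.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.packed


def ip_digest(raw: str, key: bytes = DEMO_KEY) -> str:
    """HMAC-SHA-256 over the canonical address; only this value is stored."""
    return hmac.new(key, canonical_ip(raw), hashlib.sha256).hexdigest()


def same_submitter(stored: str, raw: str, key: bytes = DEMO_KEY) -> bool:
    """Match a stored digest against a new request IP in constant time."""
    return hmac.compare_digest(stored, ip_digest(raw, key))


def unkeyed_sha256(raw: str) -> str:
    """Plain SHA-256 of the address, shown only for contrast."""
    return hashlib.sha256(canonical_ip(raw)).hexdigest()


def recover_unkeyed(digest: str, prefix: str = "203.0.113.") -> Optional[str]:
    """Why the key matters: without it, anyone holding the digest can
    enumerate candidate addresses (one /24 here) until one matches."""
    for host in range(256):
        candidate = f"{prefix}{host}"
        if unkeyed_sha256(candidate) == digest:
            return candidate
    return None
```

The same enumeration fails against `ip_digest` output unless the key is also known, which is why the key has to stay out of the database and its backups.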

EU-hosted versus a US form backend

Formward

  • Submission data stays in the EU/EEA.
  • No EU–US transfer to assess for form data.
  • US touchpoints limited, optional where possible, documented.
  • No form content sent to US providers.

Typical US form backend

  • Form data stored or processed in the US.
  • Schrems II transfer assessment required.
  • Reliant on SCCs plus supplementary measures.
  • Exposed to US surveillance-law access.

Documentation, not legal advice

This page describes how the Service is built so you can complete your own transfer assessment. It is reference documentation, not legal advice. Have your own counsel confirm how it maps onto your obligations, and reach our privacy contact at privacy@formward.eu for a DPA or compliance questions.

Frequently asked questions

What is the Schrems II problem for forms?
The Schrems II ruling (CJEU, 2020) invalidated the EU–US Privacy Shield because US surveillance law can reach personal data held by US providers. For forms, the risk arises when a US form backend stores or processes EU personal data in the US: you then have to assess and govern that EU–US transfer under Chapter V of the GDPR.
How does Formward address it?
Formward keeps form-submission data in the EU/EEA. The application is self-hosted in Sweden and every sub-processor that touches submission data is in the EU. With no transfer of submission data to a third country, the Schrems II transfer-assessment question does not arise for that data.
Are there any US touchpoints at all?
Two, and neither receives form-submission content. Cloudflare Turnstile is an optional anti-bot challenge that is off unless you enable it per form; when enabled, the visitor's browser interacts with Cloudflare. Stripe processes the paying customer's own billing data to run subscription payments. Both are covered by Article 46 safeguards (SCCs and/or the EU–US Data Privacy Framework).
Can I avoid the US touchpoints entirely for my form data?
For submission data you already do: it never goes to either provider. If you also want zero browser-level US interaction on a form, leave Cloudflare Turnstile disabled and rely on the honeypot, rate limiting, origin allowlists, and EU-hosted AI spam scoring. The Stripe touchpoint only concerns billing of paying customers, never submission data.
Do you claim Schrems II certification?
There is no such certification to hold. Schrems II is a court ruling about international transfers, not a certifiable standard. What we provide is an architecture that keeps submission data in the EU/EEA and open documentation of the two limited US touchpoints, so you can complete your own transfer assessment with the facts in front of you.

Take the transfer question off the table

Start free with 100 submissions a month. Submission data stays in the EU/EEA on every plan.
