Data Processing Agreement

Personal Data means any information relating to an identified or identifiable natural person submitted through a BizForms form.

Processing means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and deletion.

Sub-processor means any third party engaged by BizForms to process Personal Data on behalf of the Controller.

BizForms processes Personal Data solely for the purpose of providing the form-building, submission-collection, and analytics services as described in the Terms of Service. Processing includes storing form submissions, delivering email notifications, generating analytics, and processing payments via Stripe.

The categories of data subjects include form respondents and workspace members. The types of Personal Data processed depend on the form fields configured by the Controller.

The Controller shall ensure it has a lawful basis for collecting Personal Data through BizForms forms, provide appropriate privacy notices to data subjects, and comply with all applicable data-protection laws (including GDPR where applicable).

BizForms shall process Personal Data only on documented instructions from the Controller, ensure persons authorised to process the data are bound by confidentiality obligations, implement appropriate technical and organisational security measures, assist the Controller in responding to data-subject requests, and delete or return all Personal Data upon termination of the service.

BizForms uses the following sub-processors: Amazon Web Services (infrastructure hosting, US/EU), Stripe (payment processing, US), and Postmark (transactional email, US). We will notify Controllers at least 30 days before engaging a new sub-processor, and Controllers may object by contacting us at privacy@bizforms.io.

BizForms implements encryption in transit (TLS 1.2+), encryption at rest (AES-256), optional end-to-end encryption (Storage Mode), role-based access controls, audit logging, regular vulnerability scanning, and incident-response procedures. For full details, see our Security page.

Where Personal Data is transferred outside the EEA, BizForms relies on Standard Contractual Clauses (SCCs) as approved by the European Commission, supplemented by the technical measures described in Section 06.

BizForms shall notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a personal-data breach, providing sufficient information to enable the Controller to meet its own notification obligations.

This DPA remains in effect for the duration of the Controller's use of BizForms. Upon termination, BizForms will delete all Personal Data within 30 days unless retention is required by law.

For questions about this DPA, contact us at privacy@bizforms.io.