Data Processing Addendum

Version v1.0 · Last updated: 17 May 2026

Quick summary

  • SecForm acts as a data processor on behalf of the customer (the controller).
  • This DPA satisfies Article 28 GDPR and incorporates the EU Standard Contractual Clauses (2021/914) where relevant.
  • All production data is stored and processed in the EU/EEA.
  • A countersigned PDF copy is available on request — see section 10.

1. Parties and scope

This Data Processing Addendum ("DPA") forms part of, and is governed by, the SecForm Terms of Service entered into between SecForm ("Processor", "we") and the customer identified in the applicable order or account ("Controller", "Customer"). It applies to all Personal Data that the Processor processes on behalf of the Controller in connection with the SecForm service.

In the event of a conflict between this DPA and the Terms of Service, this DPA prevails for matters relating to the processing of Personal Data.

2. Definitions

"GDPR" means Regulation (EU) 2016/679. "Personal Data", "Processing", "Controller", "Processor", "Sub-processor", and "Data Subject" have the meanings given in the GDPR. "SCCs" means the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

3. Subject matter and details of processing

  • Subject matter: provision of the SecForm form-building, hosting and submission-management service.
  • Duration: for the term of the Terms of Service plus any retention period set out in section 9.
  • Nature and purpose: collection, storage, structuring, retrieval, transmission and erasure of form responses on the Controller's behalf.
  • Categories of data subjects: the Controller's end users, applicants, customers, employees, or other respondents who submit a SecForm form.
  • Categories of Personal Data: identifiers (name, email, phone), contact details, free-text answers and uploaded documents — as configured by the Controller in each form.
  • Special categories: only where the Controller chooses to collect them; the Controller is responsible for having a valid Article 9 GDPR basis.

4. Processor obligations (Article 28 GDPR)

SecForm shall:

  • process Personal Data only on documented instructions from the Controller, including via the SecForm dashboard, API, or written request;
  • ensure that personnel authorised to process Personal Data are bound by confidentiality;
  • implement appropriate technical and organisational measures (see section 7);
  • engage sub-processors only under the conditions of section 5;
  • assist the Controller, taking into account the nature of processing, in responding to Data Subject requests (Articles 15–22 GDPR);
  • assist the Controller with security, breach notification, DPIAs and prior consultations (Articles 32–36 GDPR);
  • at the Controller's choice, delete or return all Personal Data at the end of the service (see section 9);
  • make available all information necessary to demonstrate compliance and allow for audits (see section 8).

5. Sub-processors

The Controller grants general authorisation to engage the sub-processors listed below. SecForm remains liable for the acts and omissions of its sub-processors as if they were its own.

We will notify the Controller of any intended addition or replacement of a sub-processor at least 30 days in advance by email to the account's billing or DPO contact. The Controller may object on reasonable data-protection grounds; if the parties cannot agree, the Controller may terminate the affected service for convenience.

Each entry below lists the sub-processor, the purpose for which it processes Personal Data, the processing location, and the transfer mechanism relied on.

  • Supabase (managed Postgres, Auth, Storage)
    Purpose: primary application database, authentication, and encrypted file storage for form submissions.
    Location: Frankfurt, Germany (eu-central-1).
    Transfer mechanism: EU/EEA processing; no transfer outside the EU.
  • Cloudflare, Inc.
    Purpose: CDN, DDoS protection, WAF, and Turnstile CAPTCHA on public form endpoints.
    Location: EU edge (traffic terminated in EU PoPs).
    Transfer mechanism: EU/EEA processing; SCCs in place for any incidental US transfers.
  • OVHcloud SAS
    Purpose: object storage backups and disaster-recovery snapshots of form definitions and submissions.
    Location: Gravelines / Roubaix, France.
    Transfer mechanism: EU/EEA processing; no transfer outside the EU.
  • Resend / Postmark (transactional email)
    Purpose: delivery of transactional emails (form receipts, admin notifications, password resets).
    Location: EU region endpoints.
    Transfer mechanism: EU/EEA processing; SCCs in place for any incidental US transfers.
  • Sentry (self-hosted EU instance)
    Purpose: application error monitoring with PII scrubbing enabled at the SDK level.
    Location: Frankfurt, Germany.
    Transfer mechanism: EU/EEA processing; no transfer outside the EU.

A live list is maintained at secform.fr/dpa (this page). To subscribe to sub-processor change notifications, email dpo@secform.fr.

6. International transfers

SecForm stores and processes Personal Data exclusively within the EU/EEA. Where a sub-processor's parent entity is established outside the EU/EEA (e.g. Cloudflare, Inc., Resend, Inc.), any incidental transfer is governed by the EU Standard Contractual Clauses (Module 3: processor-to-processor) and supplementary measures including encryption in transit and at rest, strict role-based access, and transfer-impact assessments. The Controller authorises SecForm to enter into the SCCs with sub-processors on the Controller's behalf.

7. Security measures (Annex II to the SCCs)

SecForm implements appropriate technical and organisational measures, including:

  • Encryption: AES-256 encryption at rest, TLS 1.2 or higher in transit, and signed, time-limited URLs for file downloads.
  • Access control: role-based access, mandatory SSO + MFA for SecForm staff, principle of least privilege, quarterly access reviews.
  • Network security: WAF and DDoS protection at the edge, IP allow-lists for admin endpoints, isolated production VPC.
  • Application security: dependency scanning, secret scanning, mandatory code review, automated SAST on every merge.
  • Logging & monitoring: centralised audit logs, anomaly detection, 24/7 on-call rotation.
  • Resilience: daily encrypted backups, point-in-time recovery, documented RTO ≤ 4h / RPO ≤ 1h.
  • Personnel: background checks, confidentiality agreements, annual security and GDPR training.
  • Incident response: documented playbooks; SecForm notifies the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data, and in any event within 72 hours, so that the Controller can meet its own Article 33 GDPR notification deadline.

8. Audits and information rights

SecForm makes available, on request, its most recent security documentation, including architecture overview, sub-processor list, penetration-test summary, and (where applicable) ISO 27001 / SOC 2 reports. Controllers subject to a specific regulatory audit obligation may request an on-site audit with 30 days' notice, no more than once per 12 months, subject to a confidentiality agreement and reasonable scoping.

9. Return and deletion of data

On termination of the service, SecForm will, at the Controller's choice, return or delete all Personal Data within 30 days. Any remaining copies, including those held in encrypted backups, are deleted within 90 days as backup rotation completes, unless EU or Member-State law requires further storage.

10. How to obtain a countersigned DPA

This page constitutes SecForm's standard DPA and is binding on both parties as of the "Last updated" date for all active customers, by reference from the Terms of Service. Customers, infosec teams and DPOs who require a countersigned PDF for their records can obtain one in two ways:

  1. Self-serve (recommended): download the latest PDF at secform.fr/legal/secform-dpa.pdf, sign, and return to dpo@secform.fr. We will return a countersigned copy within 5 business days.
  2. Custom DPA / SCC review: if your organisation requires a custom-redlined DPA, contact legal@secform.fr with your draft. Custom DPAs are available on plans at the Business tier and above.

For any data-protection enquiry, you can reach our Data Protection Officer at dpo@secform.fr.

11. Governing law

This DPA is governed by French law. The courts of Paris have exclusive jurisdiction, without prejudice to the rights of Data Subjects under Article 79 GDPR to bring proceedings before the courts of their habitual residence.

12. Changes

We may update this DPA to reflect changes in law, sub-processors, or our security practices. Material changes will be notified at least 30 days in advance. Previous versions are available on request.