Privacy & Data Protection Policy
Last updated: 17 May 2026
1. Who we are
SecForm ("we", "us", "our") provides a form-building and submission-routing platform hosted in the European Union. For the purposes of the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), SecForm acts as:
- Data controller for personal data we collect directly (e.g. customer account information, billing data, website analytics).
- Data processor for personal data submitted by End Users into forms operated by our customers ("Customer Data"). The customer is the data controller for that data.
2. Contact & Data Protection Officer
For any question relating to this policy or your personal data, please contact:
- General: privacy@secform.fr
- Data Protection Officer: dpo@secform.fr
3. Personal data we process
When you use SecForm as a customer, we process:
- Account data: name, professional email, password hash, organisation, role.
- Billing data: company name, VAT number, billing address, invoice history. Payment-card data is processed by our payment provider; we do not store full card numbers.
- Usage data: log records (IP address, timestamp, user agent, requested URL) used for security, debugging, and abuse prevention.
- Support data: any information you share with us when contacting support.
When you submit a form as an End User, the customer determines which fields are collected. Typical data includes contact details, identification information, and any files you upload. SecForm processes this data only on the customer's instructions.
4. Purposes & legal bases
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing the Service to customers | Performance of a contract (Art. 6(1)(b)) |
| Billing & accounting | Legal obligation (Art. 6(1)(c)) |
| Security, fraud, and abuse prevention | Legitimate interests (Art. 6(1)(f)) |
| Product analytics (aggregated, privacy-preserving) | Legitimate interests (Art. 6(1)(f)) |
| Marketing emails to existing customers | Legitimate interests, with opt-out (Art. 6(1)(f)) |
| Processing End-User form submissions | On behalf of the customer (Art. 28) |
5. Hosting & data residency
All personal data is hosted in the European Union, on infrastructure operated by providers certified under ISO/IEC 27001 and SOC 2 Type II. Backups are stored in the EU. We do not transfer Customer Data outside the European Economic Area for primary processing.
6. Sub-processors
We rely on a limited number of sub-processors to operate the Service (hosting, email delivery, error monitoring, payment processing). All sub-processors are bound by written agreements that meet GDPR Article 28 requirements. Where a sub-processor is located outside the EEA, transfers are covered by the European Commission's Standard Contractual Clauses and supplementary measures where applicable. The current list of sub-processors is available on request at dpo@secform.fr; customers are notified of material changes at least thirty (30) days in advance.
7. Retention
- Customer account data: kept for the duration of the contract and deleted within 90 days of termination.
- Billing records: retained for 10 years to meet French accounting and tax obligations.
- Form submissions: retained according to the retention policy configured by the customer in their workspace. Default retention can be customised per form.
- Server logs: 30 days.
- Backups: 35 days on a rolling basis.
8. Security measures
- Encryption in transit (TLS 1.2+).
- Encryption at rest (AES-256) for the database and file storage.
- Signed, time-limited URLs for file downloads.
- Role-based access control with the principle of least privilege.
- Full audit trail of administrative actions and submission access.
- Automated dependency scanning and regular security reviews.
- Mandatory security training for all staff with production access.
- Documented incident-response process with notification to controllers within 72 hours of becoming aware of a personal data breach (Art. 33 GDPR).
9. Your rights under the GDPR
Where SecForm acts as data controller, you have the right to:
- Access your personal data (Art. 15);
- Rectify inaccurate or incomplete data (Art. 16);
- Request erasure ("right to be forgotten") in the circumstances set out in Art. 17;
- Restrict processing (Art. 18);
- Data portability (Art. 20);
- Object to processing based on legitimate interests, including direct marketing (Art. 21);
- Withdraw consent at any time where processing is based on consent (Art. 7);
- Lodge a complaint with a supervisory authority — in France, the CNIL (cnil.fr).
To exercise these rights, write to privacy@secform.fr. We respond within one month and may extend this period by two months for complex requests, as permitted by Art. 12(3) GDPR.
Where data was submitted into a customer's form, please direct your request to that customer (the data controller). We will assist them in responding to you.
10. Cookies
We use strictly necessary cookies for authentication and security. We do not use advertising or cross-site tracking cookies. Product analytics, if enabled, are aggregated and do not rely on cookies that require consent under Article 82 of the French Data Protection Act.
11. Automated decision-making
SecForm does not make decisions based solely on automated processing that produce legal or similarly significant effects on individuals.
12. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top reflects the latest revision. Material changes will be notified by email or in-product notice.
