The EU's General Data Protection Regulation (GDPR) is a central part of our operations. Since personal data is fundamental to the Formify services, GDPR compliance and the protection of our users' data are integrated into everything we do, from product development to customer support.
This page provides an overview of our approach to data protection, explains the different roles and responsibilities, and describes the measures we have taken to protect your data.
Data Protection Roles & Responsibilities
Depending on what data is being processed, Formify has different roles under the GDPR.
Formify as Data Processor
When you, as a customer, use Formify's services to collect, store, or otherwise process personal data about your own customers or users (what we refer to in our terms as "Client Data"), you are acting as the Data Controller.
By using our services, you appoint Formify as a Data Processor to carry out these processing activities on your behalf. According to Article 28 of the GDPR, this relationship must be governed by a written agreement. Our Terms & Conditions, which you accept as a customer, serve as this legally binding Data Processing Agreement (DPA) between us.
Formify as Data Controller
Formify also acts as a Data Controller for the personal data we collect about our own customers, registered users, and visitors to our website. This includes information such as contact details, billing information, and user data.
Our processing of this data is based on the following legal grounds:
- Contractual Necessity (GDPR Article 6(1)(b)): We process data that is necessary to fulfill our contract with you and deliver the services you have purchased.
- Legal Obligation (GDPR Article 6(1)(c)): We process data to meet our obligations under the law, primarily related to accounting and financial reporting.
- Legitimate Interest (GDPR Article 6(1)(f)): We process data for purposes necessary for our legitimate interests. Examples of this include:
  - Analyzing and improving our services.
  - Ensuring the security of our platform and your data.
  - Responsible marketing of our services and features.
Our Data Protection Measures
We have implemented comprehensive technical and organizational measures to protect the personal data we process.
Security & Internal Processes
- Privacy by Design: We have integrated data protection principles into our development cycle to ensure that new features are developed with privacy in focus.
- Access Control: All access to Client Data is strictly limited to personnel who need it to perform their duties. All access is logged to ensure traceability and compliance.
- Third-Party Vetting: We have an established process for reviewing and approving all external service providers to ensure they meet the high standards for security and data protection that we and our customers expect.
Data Transfers & Sub-processors
To deliver our services, we engage a number of sub-processors. Some of these are based outside the EU/EEA. We ensure that all data transfers are conducted lawfully by using legally recognized mechanisms.
Primarily, this involves entering into the European Commission's Standard Contractual Clauses (SCCs) with the third party. We supplement these clauses with our own risk assessments (Transfer Impact Assessments) and additional security measures. For transfers to certified companies in the United States, we may also rely on the EU-U.S. Data Privacy Framework.
Data Subject Rights
We have robust processes in place to handle and respond to requests from data subjects seeking to exercise their rights under GDPR, such as accessing, correcting, deleting, or exporting their personal data in a machine-readable format.
Documentation & Training
We continuously update our Terms & Conditions and our Privacy Policy to ensure transparency and compliance. We also regularly map all our data processing activities to fulfill GDPR's accountability requirements. All our personnel undergo regular training in data protection and security, tailored to their respective roles.
Contact Us
If you have any questions or concerns about this policy or how we handle your personal data, please do not hesitate to contact our Data Protection Officer by email at dpo@formify.eu.
2025-07-08