Data Processing Agreement

Processor terms for customer workflow data.

This page describes how FormNode processes Customer Personal Data for customers using FormNode to collect, route, approve, and automate form-driven workflows.

Last updated: May 15, 2026

This page is public DPA publication text. The binding DPA for a customer is the version executed by the parties or incorporated into the applicable customer agreement. This page is not legal advice and does not certify that a customer's use of FormNode complies with any privacy law.

Customer is the controller for customer-controlled form submissions, approval context, portal data, API data, and workflow automation data unless Customer acts as processor for its own customer.

FormNode is the processor or subprocessor for that Customer Personal Data and processes it only to provide, secure, support, and maintain the service, or as otherwise instructed by Customer.

FormNode acts as controller for account administration, billing, support, security, legal compliance, and first-party product analytics.

Subprocessors are listed in the public subprocessor register and are governed by the notice and objection process described there or in the applicable customer agreement.

Customer is responsible for the lawfulness of its forms, notices, consents, legal bases, webhook destinations, and instructions to FormNode.

Processing details

Customer determines what personal data is collected through configured forms, portals, plan-included APIs, files, and automation workflows.

Subject matter: Provision, operation, security, support, and maintenance of FormNode.
Duration: The customer subscription term plus applicable retention, deletion, backup, security, billing, and legal hold periods.
Nature of processing: Collection, storage, encryption, transmission, routing, retrieval, display, export, deletion, logging, security monitoring, troubleshooting, and support.
Purpose: Form hosting, workflow intake, approvals, webhooks, email notifications, customer portals, APIs, MCP access, billing, support, security, and service reliability.
Data subjects: Workspace users, administrators, form submitters, approvers, notification recipients, customer contacts, and individuals referenced in submissions.
Personal data categories: Account details, workspace membership, form definitions, encrypted submissions, files if enabled, approval details, webhook metadata, operational logs, and integration identifiers.

Processor commitments

  • Process Customer Personal Data only on documented customer instructions, including the Terms, DPA, customer configuration, support requests, and legal requirements.
  • Maintain confidentiality obligations for personnel authorized to process Customer Personal Data.
  • Maintain technical and organizational measures designed to protect Customer Personal Data against unauthorized access, disclosure, alteration, loss, or destruction.
  • Use subprocessors only under written obligations appropriate to the subprocessor's processing role and materially no less protective than the relevant DPA requirements.
  • Provide reasonable assistance with data subject requests, personal data breach obligations, security obligations, DPIAs, and prior consultations where required by law.
  • Delete or return Customer Personal Data at the end of the service relationship according to the Terms, product retention rules, legal obligations, and documented customer instructions.
  • Make information available to demonstrate compliance and support reasonable audit requests without compromising other customers, service security, or confidential information.

Security measures

  • TLS in transit and encrypted form submission payloads at rest.
  • API keys and short-lived tokens are hashed before storage.
  • Workspace membership, role-based access, and organization scoping are enforced server-side before protected reads and writes.
  • Security headers, input validation, rate limits, and abuse controls are applied across public and authenticated surfaces.
  • Customer-visible audit logs capture key administrative actions without exposing secrets or raw submission payloads.
  • Submission payload, webhook body, webhook metadata, and marketing attribution retention are bounded by documented cleanup rules and operational limitations.

International transfers

FormNode is based in the United States and uses service providers that may process data in the United States and other jurisdictions. Where data protection laws restrict international transfers, FormNode will rely on appropriate transfer safeguards, such as Standard Contractual Clauses, subprocessor transfer commitments, adequacy decisions where available, or another lawful mechanism recognized by applicable law.