Data Processing Agreement
This Data Processing Agreement (the "DPA") is incorporated into the agreement pursuant to which the Customer obtains the right to use the Services (the "Terms of Service") (collectively, the "Agreement").
Definitions
- "Data Protection Law" means any and all data protection laws and regulations that apply to the Processing of Personal Data by Form Approvals under the Agreement.
- "Data Subject" means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- "Personal Data" means any data that: (a) is deemed "personal data" or "personal information" (or other analogous variations of such terms) under Data Protection Law; and (b) that Customer submits using the Services for Form Approvals to Process on Customer's behalf.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- "Process" or "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- "Services" means any of the following services provided by Form Approvals pursuant to the Agreement: (a) Form Approvals-branded product offerings made available via the Internet, (b) consulting or training services provided by Form Approvals either remotely via the Internet or in person, and (c) any support services provided by Form Approvals, including access to Form Approvals' help desk.
Processing of Company Personal Data
The Company instructs Processor to process Company Personal Data.
The Processor will comply with applicable laws and process data only for the purpose of providing the service, including troubleshooting, and diagnosing errors.
Data Processing and Protection
This DPA applies when Form Approvals processes Customer's data for which Form Approvals will act as "processor" or "service provider" (or other analogous variations of such terms) under Data Protection Law.
Limitations on Use. Form Approvals will process Personal Data only: (a) in a manner consistent with documented instructions from Customer, including (i) to provide the Services, (ii) as permitted under the Agreement, and (iii) consistent with other reasonable instructions of Customer; and (b) with prior notice (unless notice is legally prohibited), as required by applicable law. Without limiting the foregoing, Form Approvals will not collect, retain, use, or disclose the Personal Data for any purpose other than as necessary for the specific purpose of performing the Services, including not collecting, retaining, using, or disclosing the Personal Data for a commercial purpose other than providing the Services.
Confidentiality. Form Approvals will ensure that persons authorized by Form Approvals to Process any Personal Data are subject to appropriate confidentiality obligations.
Security. Form Approvals will protect Personal Data in accordance with requirements under Data Protection Law, including by implementing appropriate technical and organizational measures designed to protect Personal Data against Personal Data Breach per Form Approvals' Security Overview.
Return or Disposal. At the choice of Customer, delete or return (or will enable Customer to delete or retrieve) all Personal Data after the end of the provision of Services (unless applicable law requires Form Approvals to store any Personal Data). To request the return or disposal of your data refer to our Privacy Policy.
Customer Obligations. Customer will not instruct Form Approvals to perform any Processing of Personal Data that violates any Data Protection Law. Form Approvals may suspend Processing based upon any Customer instructions that Form Approvals reasonably suspects violate Data Protection Law. Subject to the cooperation of Form Approvals as specified in this DPA, Customer will be solely responsible for safeguarding the rights of Data Subjects. Customer will promptly notify Form Approvals about any faults or irregularities in the Processing by Form Approvals discovered by Customer.
Subprocessors
Customer authorizes Form Approvals to use the following third-party subprocessors to Process Personal Data in connection with the provision of Services. Form Approvals will notify Customer of any changes to this list. If Customer objects to any Subprocessor, Form Approvals may terminate the Agreement immediately upon notice to Customer without liability.
| Subprocessor | Purpose | Data Processed | Location |
|---|---|---|---|
| Google Cloud Platform (Firestore, Cloud Tasks, Cloud Storage) | Infrastructure and data storage | All service data | United States |
| Google Vertex AI (Gemini) | AI-powered form and workflow generation | Form structure metadata (question titles, field types, response options) | United States |
| Stripe | Payment processing | Customer email, subscription metadata | United States |
| Amazon Web Services (SES) | Email delivery | Recipient email addresses, email content | United States |
| Google BigQuery | Aggregate product analytics | User ID, activity timestamps, region | United States |
Data Transfers
All service data (configuration, credentials, subscriptions, and metadata) is stored in Google Cloud Firestore in the United States. The region selected by the user during setup determines which application server handles web requests for latency. Form response data and approval records remain in the user's Google Sheet, governed by their Google Workspace administrator's data region policy.
Data Subject Rights
Form Approvals will assist Customer in responding to requests from Data Subjects exercising their rights under Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection). Form Approvals will notify Customer of any Personal Data Breach without undue delay and in any event within 72 hours of becoming aware of the breach. Upon termination of the Agreement, Form Approvals will delete or return all Personal Data in accordance with the Privacy Policy.
Types and Categories of Data
The categories of Personal Data processed under this DPA are described in Section 3 of our Privacy Policy. In addition to those categories, Customer controls the types of Personal Data and categories of Data Subjects uploaded via the Services for Processing.
Miscellaneous
If there is a conflict the Terms of Service will prevail over this DPA. Except for the matters covered by this DPA, all terms of the Terms of Service, remain in effect. Capitalized terms not defined in this DPA have the same meaning as in the Terms of Service. Except as otherwise stated in the Terms of Service, this DPA will automatically terminate upon the termination or expiration of the Terms of Service.