Last updated: 10/10/2025
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Formsuite (“Processor”, “we”, “us”) and the customer (“Controller”, “you”). It governs the processing of personal data under applicable data protection laws, including the EU General Data Protection Regulation (GDPR).
1. Roles of the Parties
You act as the Data Controller for any personal data collected through your forms. Formsuite acts as the Data Processor, processing personal data only on your instructions.
2. Processing of Personal Data
We process personal data solely to provide and improve the Formsuite service. We implement technical and organizational measures to protect data against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure. Upon termination of your account, you may request deletion of all personal data.
3. Subprocessors
We may use subprocessors to support our service. All subprocessors are contractually required to comply with GDPR standards. An up-to-date list of subprocessors is available here.
4. International Data Transfers
If personal data is transferred outside the EEA, we ensure appropriate safeguards (e.g., Standard Contractual Clauses) are in place.
5. Data Subject Rights
We will provide reasonable assistance to help you respond to data subject requests (e.g., access, correction, deletion).
6. Security and Breach Notification
We maintain security measures appropriate to the sensitivity of the data. In the event of a data breach affecting your personal data, we will notify you without undue delay.
7. Return or Deletion of Data
Upon account termination, you may export or request deletion of all stored personal data. Deleted data is permanently removed from backups within 30 days.
8. Governing Law
This DPA is governed by the laws applicable in Canada. By using Formsuite, you agree to this Data Processing Agreement on behalf of your organization.