Data Processing Agreement
I. Parties
This Data Processing Agreement ("DPA") is entered into between the SimpleApiForm User acting as the data controller of personal data collected through their account ("the Controller") and SimpleApiForm, headquartered in Lima, Republic of Peru, acting as a data processor pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("the Processor").
This DPA forms an integral part of the Terms and Conditions of Use accepted by the Controller upon registration. In case of conflict, the provisions of this DPA prevail with respect to data processing subject to the GDPR.
II. Subject Matter and Scope
The Processor will process the Controller's end users' personal data ("Controller Data") solely to provide the Service described in the Terms and Conditions: the reception, storage, and distribution of HTML form submissions on behalf of the Controller.
III. Nature, Purpose, and Duration
Nature: storage, transmission, and distribution of data submitted via web forms. Purpose: provision of the form backend Service contracted by the Controller. Duration: for as long as the Controller maintains an active account. Upon termination, the Processor will retain data for an additional twenty-four (24) months per the Privacy Policy, unless the Controller requests earlier deletion.
IV. Data Categories and Data Subjects
The Processor handles only the data the Controller chooses to collect through their forms. Specific categories depend on each form's configuration but may include: name, email address, phone number, address, messages, file attachments, and any other field defined by the Controller. Data subjects are the end users who complete forms on the Controller's websites, applications, or platforms.
The Processor does not deliberately collect special category data (Article 9 GDPR). If the Controller configures forms to collect such data, it is the Controller's sole responsibility to have the enhanced legal basis required by the GDPR.
V. Processor Obligations
SimpleApiForm undertakes to:
a) Documented instructions. Process Controller Data solely on the Controller's documented instructions, unless required by law to do otherwise, in which case the Processor will notify the Controller in advance to the extent legally permitted.
b) Confidentiality. Ensure that persons authorized to process the data are subject to appropriate confidentiality obligations.
c) Security. Implement the technical and organizational security measures required by Article 32 GDPR, including encryption at rest and in transit, role-based access controls, and continuous security monitoring.
d) Sub-processors. Not engage unauthorized sub-processors. The Controller's acceptance of the Terms constitutes general authorization for the sub-processors listed in Section VI.
e) Data subject rights assistance. Assist the Controller, to the extent reasonably possible, in responding to requests from data subjects exercising their rights (access, rectification, erasure, portability, restriction, and objection) under Articles 15–22 GDPR.
f) Security obligations assistance. Assist the Controller in fulfilling its obligations under Articles 32–36 GDPR: security of processing, breach notification, and data protection impact assessments.
g) Breach notification. Notify the Controller without undue delay, and in any event within forty-eight (48) hours of detection, of any personal data breach affecting Controller Data, along with the information available at that time.
h) Return or deletion of data. At the Controller's choice, delete or return all Controller Data upon termination of the Service, and destroy existing copies, unless applicable law requires retention.
i) Audit. Make available to the Controller all information necessary to demonstrate compliance with this DPA, and support audits with reasonable prior notice under conditions that do not compromise the security or confidentiality of other customers.
VI. Sub-processors
The Controller authorizes the use of the following sub-processors for the provision of the Service:
| Sub-processor | Service provided | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, storage, email delivery (SES) | USA / EU |
| Cloudflare | CDN, web application firewall, DDoS protection | USA / Global |
The Processor will notify the Controller of any intended changes to sub-processors at least fifteen (15) days in advance, giving the Controller the opportunity to object. All sub-processors are bound by data protection obligations equivalent to those in this DPA.
VII. International Transfers
Transfers to sub-processors located outside the European Economic Area are carried out under the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914), ensuring an adequate level of protection. The relevant agreements are available upon request at [email protected].
VIII. Term and Termination
This DPA remains in effect for as long as the Controller uses the Service. Termination of the service agreement automatically terminates this DPA. Confidentiality and security obligations survive termination for a period of five (5) years.
IX. Contact and Signed DPA Requests
To obtain a signed copy of this DPA, to exercise audit rights, or for any data processing queries, please contact [email protected].