Data Processing Agreement (DPA)

Article 1 – Purpose

This agreement aims to define the conditions under which The Form Company acts as a processor on behalf of the data controller regarding personal data processing in accordance with GDPR.

This agreement constitutes a mandatory amendment governing personal data processing in the context of service execution, supplementing the general terms of service or any other contract between the parties.

Article 2 – Entry into Force and Duration

This agreement takes effect on the service contract start date. It remains applicable throughout the contractual relationship and continues after termination for data deletion, restitution, or archival operations.

Article 3 – Processing Description

Purposes

Enable data controllers to:

  • Collect data via forms
  • Manage digital files with supporting documents
  • Organize validation workflows
  • Export collected information

Operations Performed by The Form Company

  • Provision of infrastructure for data entry, storage, and consultation
  • Secure hosting
  • Notification triggering
  • Automated document processing
  • Technical support

Types of Data Processed

  • Identification data: name, email, phone
  • Supporting documents: ID copies, contracts
  • Technical data: IP addresses, access logs

Data Subjects

Customers, form participants, and potentially employees or partners using the platform.

Processing Duration

Data is processed during the contractual relationship or according to parameters defined by the data controller. It is deleted or returned at contract end.

Article 4 – Processor Commitments

  • Process data only according to documented instructions from the data controller
  • Ensure personnel comply with confidentiality obligations
  • Maintain a record of processing activities
  • Implement appropriate security measures
  • Alert the data controller of manifestly illegal instructions
  • Assist the data controller in demonstrating GDPR compliance

Article 5 – Data Controller Obligations

  • Determine processing purposes and methods
  • Provide clear information to data subjects before collection
  • Ensure a valid legal basis exists
  • Configure the platform with respect for privacy-by-design
  • Enable effective exercise of data subject rights
  • Provide necessary instructions to the processor

Article 6 – Sub-processors

The processor may engage sub-processors. The data controller receives 15 days' written notice before any new engagement.

The data controller has 10 business days to object. The processor remains fully responsible for sub-processor compliance through contractual obligations in accordance with this agreement.

Article 7 – Transfers Outside EEA

Transfers are only authorized with adequacy decisions, standard contractual clauses, or derogations provided for in Article 49 of GDPR.

The processor informs the data controller of transfers including destination, legal basis, and additional safeguards, and provides documentation upon request.

Article 8 – Assistance for Data Subject Rights

The processor assists in exercising rights: access, rectification, erasure, processing restriction, objection, and data portability.

Direct requests addressed to the processor are forwarded to the data controller without autonomous response, unless previously instructed otherwise.

Article 9 – Data Breach Notification

The processor notifies the data controller without undue delay, and no later than 48 hours after any security incident affecting personal data. The notification includes:

  • Nature of the incident
  • Date and time
  • Volume of affected data
  • Consequences
  • Corrective measures
  • Contact information

Article 10 – Security Measures

The processor implements:

  • Data encryption
  • Firewalls
  • Role-based access controls
  • Authentication
  • Logical environment isolation
  • Access logging
  • Backup procedures
  • Anomaly detection
  • Rigorous vendor selection

Article 11 – Data Handling After Contract End

At contract end, the processor returns data in a structured format or securely deletes it within 60 calendar days, unless a legal retention obligation applies.

A deletion certificate is provided upon request.

Article 12 – Audits and Documentation

The data controller may conduct compliance audits with reasonable notice, no more than once per year, unless an emergency justifies additional verification.

The processor cooperates while protecting trade secrets and other clients' data.

Article 13 – Responsibilities and Limits

The processor assumes responsibility for contractually defined processing within the limits of received instructions.

The processor is not responsible for data controller breaches, configuration errors, or illegal instructions.

The data controller remains responsible for processing lawfulness, data accuracy, and information obligations.

Article 14 – Applicable Law

This agreement is governed by French law.

Disputes are handled through amicable resolution. Unresolved conflicts are brought before courts within the processor's registered office jurisdiction.