
GDPR & FormHug

This page provides information about how FormHug complies with the General Data Protection Regulation (GDPR). This content is for informational purposes only and does not constitute legal advice. Please consult with a qualified legal professional to understand how GDPR applies to your specific situation.

What is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union (EU) that came into effect on May 25, 2018. It is designed to give individuals greater control over their personal data and to establish a unified framework for data protection across the EU.

Key Principles of GDPR

  • Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and in a transparent manner.
  • Purpose Limitation: Data must be collected for specified, explicit, and legitimate purposes.
  • Data Minimization: Only data that is necessary for the specified purposes should be collected.
  • Accuracy: Personal data must be accurate and kept up to date.
  • Storage Limitation: Data should be kept only for as long as necessary for the purposes for which it was collected.
  • Integrity and Confidentiality: Data must be processed in a manner that ensures appropriate security.
  • Accountability: The data controller is responsible for demonstrating compliance with these principles.

Does GDPR Apply to You?

GDPR applies to you if:
  • Your organization is established in the EU, regardless of where the data processing takes place.
  • Your organization is not established in the EU, but you offer goods or services to individuals in the EU, or you monitor the behavior of individuals in the EU.

Is FormHug GDPR Compliant?

Yes. FormHug is committed to full compliance with the GDPR. We have implemented comprehensive measures to ensure that our platform and practices meet the requirements of the regulation.

Our GDPR Compliance Measures

Privacy by Design

Our platform is built with privacy and data protection as core principles. We incorporate data protection considerations into every stage of product development.

Data Encryption

All data, including form submissions, is encrypted both in transit (using TLS 1.2+) and at rest (using AES-256 encryption).

EU Data Hosting

We offer the option to host and process form data within the European Union to meet data residency requirements.

Data Processing Agreement

We provide a comprehensive Data Processing Agreement (DPA) that outlines our obligations as a data processor.

Access Controls

We implement strict access controls to ensure that only authorized personnel can access personal data.

Regular Audits

We conduct regular security audits and assessments to identify and address potential vulnerabilities.

For more detailed information about our data practices, please review our Privacy Policy.

Data Processing Agreement (DPA)

Under Article 28 of the GDPR, when a data controller engages a data processor, a written contract (Data Processing Agreement) must be in place. FormHug provides a DPA that governs our processing of personal data on behalf of our customers (Form Creators).

Key Provisions of Our DPA

  • Scope of Processing: We only process personal data according to your documented instructions.
  • Confidentiality: Our personnel who process personal data are subject to confidentiality obligations.
  • Security Measures: We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
  • Subprocessors: We only engage subprocessors with your authorization and ensure they are bound by equivalent data protection obligations.
  • Data Subject Rights: We assist you in responding to requests from data subjects exercising their rights under GDPR.
  • Data Breach Notification: We notify you without undue delay upon becoming aware of a personal data breach.
  • Deletion and Return: Upon termination of the agreement, we delete or return all personal data at your choice.

By agreeing to our Terms of Service, you also agree to our Data Processing Agreement. A separate signature is not required.

Understanding Your Role: Controller vs. Processor

When using FormHug to collect data, it is essential to understand the roles defined by GDPR:

You (The Form Creator) = Data Controller

As the Form Creator, you are the Data Controller. This means:
  • You determine the purposes and means of processing personal data collected through your Forms.
  • You are responsible for ensuring you have a lawful basis (e.g., consent, legitimate interest) for collecting and processing the data.
  • You must provide Submitters with clear information about how their data will be used (e.g., through a privacy notice).
  • You are responsible for responding to data subject requests (e.g., access, rectification, erasure).

FormHug = Data Processor

FormHug acts as the Data Processor on your behalf. This means:
  • We process personal data only according to your instructions and the terms of our DPA.
  • We implement appropriate security measures to protect the data.
  • We assist you in fulfilling your obligations as a data controller.

Managing Form Data

As the Data Controller, you have full control over the data you collect through FormHug.

Exporting Data

You can export your form submissions at any time in various formats (CSV, Excel, JSON) through your FormHug dashboard.

Deleting Data

You can delete individual submissions or all data associated with a form at any time. When you delete data:
  • It is immediately removed from our production systems.
  • It is permanently deleted from our backups within 90 days.

How to Build a GDPR-Compliant Form

As a Data Controller, you are responsible for ensuring your forms are GDPR-compliant. Here are best practices to follow:

1. Obtain Explicit Consent

If consent is your legal basis for processing, you must obtain clear and affirmative consent from Submitters.
  • Add a required checkbox field where users must explicitly agree to your data processing activities.
  • Do not use pre-checked boxes.
  • Clearly explain what the user is consenting to.

Example Consent Text:
“I agree to the collection and processing of my personal data as described in the [Privacy Policy]. I understand that I can withdraw my consent at any time.”

2. Be Transparent

Clearly inform Submitters about:
  • Who is collecting their data (your organization).
  • What data is being collected.
  • Why the data is being collected (the purpose).
  • How long the data will be retained.
  • Who the data will be shared with (if applicable).

3. Link to Your Privacy Policy

Include a link to your organization’s privacy policy in your form. This ensures Submitters have access to detailed information about your data practices.

4. Collect Only Necessary Data

Practice data minimization by only collecting the personal data that is strictly necessary for your stated purpose. Avoid asking for information that you do not need.

5. Secure Your Forms

  • Use HTTPS (FormHug forms are served over HTTPS by default).
  • Consider using password protection for sensitive forms.
  • Limit access to form submissions to authorized personnel.

Our Subprocessors

We engage third-party service providers (subprocessors) to help us deliver the FormHug service. Each subprocessor has been vetted to ensure they meet our high standards for security and data protection.

Subprocessor               Purpose                              Location  Processes Form Submissions
Amazon Web Services (AWS)  Hosting, Transactional Emails        USA       Yes
Vercel                     Hosting                              USA       Yes
Mintlify                   Documentation Hosting                USA       No
Framer                     Website Hosting                      USA       No
Cloudflare                 CDN, Security and Storage            Global    Yes (e.g. file uploads)
Stripe                     Payment Processing                   USA       Yes (payment forms)
Google Analytics           Website Analytics                    USA       No
Sentry                     Error Monitoring                     USA       No
Mixpanel                   Product Analytics                    USA       No
New Relic                  Application Performance Monitoring   USA       No

We will notify you of any changes to our subprocessors that may affect the processing of your data.

Data Subject Rights

Under GDPR, individuals (data subjects) have several rights regarding their personal data. As a Data Controller, you are responsible for facilitating these rights for your Submitters.

  • Right of Access: The right to obtain confirmation of whether personal data is being processed and to access that data.
  • Right to Rectification: The right to have inaccurate personal data corrected.
  • Right to Erasure: The right to have personal data deleted under certain circumstances.
  • Right to Restrict Processing: The right to limit how personal data is used.
  • Right to Data Portability: The right to receive personal data in a structured, commonly used format.
  • Right to Object: The right to object to processing based on legitimate interests or for direct marketing.
  • Rights Related to Automated Decision-Making: The right not to be subject to decisions based solely on automated processing.

FormHug provides tools to help you respond to data subject requests, including the ability to search, export, and delete individual submissions.

Contact Us

If you have any questions about GDPR compliance or our data protection practices, please contact us at: FormHug