Data Processing
This page summarizes Formerie's intended processor/service-provider model, security measures, subprocessor approach, and customer responsibilities for submitted form data.
Purpose
This page summarizes Formerie’s intended data-processing model for customer form submissions and related operational data. It is not a final Data Processing Addendum.
A production Data Processing Addendum should be prepared and attached to customer agreements before paid launch or regulated production processing.
Processing roles
For submitted form data, customers will generally act as the controller, business, or equivalent decision-maker because they decide what their forms collect, why they collect it, who receives it, and how it should be used.
Formerie will generally act as the processor, service provider, or equivalent service operator for submitted form data because it processes that data to provide the configured service.
For account, billing, security, website, product analytics, support, and internal administration data, Formerie may act as an independent controller or business depending on the context.
Processing instructions
Formerie should process customer submission data according to:
- Customer configuration in the product.
- Published form versions.
- Delivery rules and integration settings.
- Product documentation.
- Support instructions from authorized customer users.
- Security, abuse-prevention, and reliability requirements.
- Applicable customer agreements and legal obligations.
Formerie should not use submitted form data for unrelated advertising, data brokerage, or sale of personal information.
Subject matter and duration
The processing concerns customer forms, public submissions, validation, delivery, storage, support, security, auditability, and related operational workflows.
Processing duration should follow the customer’s subscription term, configured retention settings, deletion requests, legal obligations, backup practices, and any applicable agreement.
Categories of data
Customer submission data may include any field the customer configures in a form. Customers should avoid collecting unnecessary or sensitive information.
Operational data may include form identifiers, organization identifiers, submission IDs, delivery attempts, webhook results, timestamps, locale, IP-derived security signals, user agent, request metadata, queue state, and audit events.
Account and administration data may include user names, emails, roles, authentication identifiers, billing metadata, support messages, and security logs.
Security measures
Appropriate production measures should include:
- Tenant scoping and authorization checks.
- Role-based access controls.
- Encrypted transport.
- Secure secret handling and provider credential isolation.
- Server-side delivery configuration.
- Audit logging for sensitive administrative actions.
- Queue-based delivery isolation and retry tracking.
- Monitoring, alerting, and abuse detection.
- Backup and recovery practices.
- Access reviews and least-privilege operational access.
- Secure software development and dependency management.
Specific measures should be confirmed against the production architecture before launch.
Subprocessors
Formerie may use subprocessors for hosting, database, object storage, email delivery, authentication, billing, observability, support, security, and other service operations.
Before production processing, Formerie should publish a subprocessor list that includes each provider’s purpose, relevant location information where known, and the notice process for material changes.
Formerie should require subprocessors to protect customer data under appropriate contractual and security obligations.
International transfers
Customer data may be processed in jurisdictions where Formerie or its subprocessors operate. Before production launch, Formerie should document applicable transfer mechanisms and contractual safeguards for regulated data, including cross-border processing where required.
Assistance to customers
Where required by the applicable agreement and law, Formerie should provide reasonable assistance for:
- Data subject or individual rights requests.
- Security questionnaires and compliance documentation.
- Deletion, export, or correction workflows.
- Security incident assessment and notification support.
- Subprocessor information.
- Audit or assessment requests, subject to confidentiality and security limits.
Confidentiality and access
Formerie personnel and contractors should access customer data only when needed for service operation, support, security, legal compliance, or other authorized purposes.
Operational access should be limited, logged where appropriate, and subject to confidentiality obligations.
Return and deletion
At the end of service or upon valid request, Formerie should support deletion or export of customer data according to the applicable agreement, product functionality, retention settings, legal obligations, and backup lifecycle.
Backups and archived logs may persist for a limited period before deletion according to documented retention practices.
Incident handling
Formerie should maintain an incident response process for suspected unauthorized access, disclosure, loss, alteration, or destruction of customer data.
Where required, Formerie should notify affected customers without undue delay after confirming a reportable incident and provide information reasonably needed for the customer to meet its own obligations.
Customer responsibilities
Customers remain responsible for:
- Their own privacy notices and legal bases.
- Form field choices and data minimization.
- User access and role assignments.
- Recipient and integration configuration.
- Retention choices.
- Responding to end-user requests where the customer controls the form.
- Ensuring their use of Formerie is appropriate for the data they collect.