Skip to main content

Data Processing Agreement

Last updated: April 27, 2026

This Data Processing Agreement (“DPA”) forms part of our Terms of Service and applies whenever you (the “Controller”) use AntForms (“Processor”, “we”) to process personal data of data subjects in the EU, UK, or EEA.

1. How to accept this DPA

AntForms has pre-signed this DPA. To accept it, your authorised representative should email privacy@antforms.com with your account email and company name. We will send back a counter-signed copy within 2 business days. No additional negotiation is required for standard terms.

2. Roles and scope

For data submitted to AntForms by your respondents (form responses), you are the Controller and AntForms is the Processor. AntForms acts only on documented instructions from you, with the exceptions required by EU or UK law.

For data we collect about you (the Controller's account and billing data), AntForms is the Controller and our Privacy Policy applies.

3. Subject matter and duration

The subject matter is the processing of personal data necessary to provide the AntForms service to the Controller. Processing continues for the duration of the Controller's subscription and for the limited retention windows described below.

4. Nature, purpose, and types of data

  • Nature of processing: hosting, storing, retrieving, displaying, and exporting form responses.
  • Purpose: to operate the AntForms service for the Controller.
  • Categories of data subjects: the Controller's customers, employees, prospects, or any individual who submits a form built with AntForms.
  • Categories of personal data: any data the Controller chooses to collect via forms, typically name, email, message, and any custom fields the Controller defines. Special category data (Article 9 GDPR) should not be collected without separate written agreement.

5. Sub-processors

The Controller authorises AntForms to use sub-processors to provide the service. The current list is published in our Privacy Policy and Security page. We will notify the Controller at least 30 days before adding or replacing a sub-processor; if the Controller has a reasonable objection, the Controller may terminate the affected service for a pro-rated refund.

6. International transfers

Where personal data is transferred outside the EEA or UK, the parties rely on the European Commission's Standard Contractual Clauses (Module Two: Controller-to-Processor, 2021/914) and, for UK transfers, the UK International Data Transfer Addendum, both of which are incorporated into this DPA by reference.

7. Security measures

AntForms implements appropriate technical and organisational measures to protect personal data, including encryption in transit and at rest, access control, segregation of environments, and audit logging. Details are summarised on our Security page and form Annex II of this DPA.

8. Personal data breach notification

AntForms will notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of any confirmed personal data breach affecting the Controller's data. Notifications include a description of the breach, categories and approximate volume of data subjects, likely consequences, and the measures taken or proposed.

9. Assistance with data subject rights

AntForms provides export, delete, and restriction features in-product so the Controller can fulfil data subject rights (access, rectification, erasure, portability, restriction). Where the in-product tools are insufficient, AntForms will provide reasonable assistance on request, taking into account the nature of the processing.

10. Audit

Once per year, the Controller may request a copy of AntForms' most recent third-party audit reports (where available) and a written summary of our security controls. On reasonable notice and at the Controller's expense, the Controller may conduct an audit of compliance with this DPA, subject to confidentiality and to limits required to protect other customers' data.

11. Return and deletion

Within 30 days of termination of the underlying service, AntForms will, at the Controller's choice, return or delete all personal data, except where retention is required by applicable law. Backup copies are deleted on a rolling basis up to 30 days after the primary deletion.

12. Liability and conflict

Liability under this DPA is governed by the limitation of liability in the underlying Terms of Service. In case of conflict between this DPA and the Terms of Service, this DPA prevails for matters of personal data processing.

Annex I: Description of processing

  • Subject matter: as described in Section 3.
  • Duration: as described in Section 3.
  • Nature and purpose: as described in Section 4.
  • Categories of data and data subjects: as described in Section 4.

Annex II: Technical and organisational measures

Annex II is the contents of our published Security page, which is incorporated into this DPA by reference and updated from time to time.

Contact

Questions about this DPA? Email privacy@antforms.com.

This template is provided in good faith and is not legal advice. Customers with bespoke requirements (HIPAA, FedRAMP, sectoral regulators) should contact us before processing regulated data.