GDPR Compliance
Introduction
GDPR compliance requires understanding the nuances of the regulations. Here, we try to summarize our role (as the data processor) and your role (as the data controller) in the context of GDPR.
In large part, the data controller is the one that collects or possesses the data, and the processor is a third-party engaged by the controller to do data processing.
Formcrafts’ role
Formcrafts is committed to implementing robust data protection measures. Here are the key ways we protect our users’ data:
Data processor role
Formcrafts handles data strictly according to our users’ instructions. We ensure that all processing activities are in compliance with GDPR requirements, safeguarding the integrity and confidentiality of personal data.
For all accounts created after June 1, 2024, Formcrafts stores customer and account data in the EU. For accounts created before this date, we store data in the US.
Formcrafts has globally distributed caching servers, which are used to speed up form delivery. These caching servers contain your form schema, but do not store any form submissions.
Security measures
We deploy state-of-the-art technical and organizational measures to secure personal data against unauthorized access, data breaches, and loss. This includes encryption, access controls, and regular security assessments to mitigate risks. Learn more about our security measures ↗.
Cookies and tracking
Formcrafts monitors visitor interactions, such as geoIP location and engagement with fields and steps, without employing cookies and without collecting personalized information. To save form progress and prevent duplicate submissions, Formcrafts may utilize the browser’s local storage.
International data transfers
Formcrafts may transfer data outside the EU to provide services to our users. We use DPAs with service providers to ensure that data is protected to the same standards as within the EU.
DPAs include standard contractual clauses (SCCs) to ensure that data transfers outside the EU are conducted in compliance with GDPR requirements.
Data Processing Agreements (DPAs)
We enter into DPAs with our users, clarifying the scope of processing, the responsibilities of both parties, and the protection measures in place. These agreements are crafted to ensure full GDPR compliance.
Please contact us to request a standard copy of our DPA, which includes all obligations relating to the processing of personal data.
Breach notification
In the unlikely event of a data breach, Formcrafts commits to notifying our users without undue delay, enabling them to take the necessary steps to inform affected individuals and regulatory bodies as required by the GDPR.
Your role
Here are the steps you can take as a data controller to ensure GDPR compliance:
Get explicit permission
Incorporate a checkbox in your forms for users to give their consent explicitly. This checkbox should link to your terms of use and must not be pre-checked.
You can add such a checkbox using the Multiple Choice field in Formcrafts, and marking the field as required.
Honor the Right to be Forgotten
Provide a clear method for users to request the deletion of their data, respecting their Right to Erasure. You could create another form for this purpose, and make it accessible to your customers.
Once you receive a request, you can delete the user’s data from your Formcrafts account. Please note that this action is irreversible.
Collect only what is needed
Design your forms to collect only the essential information, giving respondents the option to opt-out of non-essential fields.
You can achieve this by marking certain fields as required and leaving others as-is. You can also use description to explain why you need certain information.
Disable auto-save form progress
Auto-save form progress periodically saves the form as the user fills it out. This data is stored in the user’s browser, and is not sent to Formcrafts. This approach is GDPR compliant.
However, you can still disabled this feature if you wish.
You can disable this via Settings → General → Auto-save form progress.