Data Processing Agreement (DPA)
Version 1.0 · Effective: May 23, 2026
The Czech version is the controlling version. This English translation is for convenience.
Parties
Controller: the SimplyForms Customer registered in the dashboard (the "Controller" or "Customer").
Processor: Adam Todt, IČO 19197438, DIČ CZ8909294592, Drahy 1625, 696 42 Vracov, Czech Republic (the "Processor" or "Operator").
Contact: privacy@simplyforms.app.
Preamble
This Data Processing Agreement (the "DPA") is entered into under Art. 28 GDPR and forms an integral part of the SimplyForms Terms of Service (the "Main Agreement").
The DPA is automatically accepted at Account registration via a separate "I accept the Data Processing Agreement (DPA)" checkbox. The acceptance record (timestamp, IP, user-agent, DPA version) is retained by the Processor as evidence.
1. Subject matter
Processor processes personal data contained in form Submissions received via the SimplyForms API on Controller's instruction and relays them by email to Controller's inbox.
2. Duration
For the term of the Main Agreement.
3. Nature and purpose
Nature: acceptance of the HTTP request, validation (rate limit, CAPTCHA, plan limits), email relay to Controller, and discarding of the payload from memory once delivered.
Purpose: to relay Controller's form submissions to Controller's email inbox.
Stateless: Processor does not store Submission content in any database or log. After delivery, payload is discarded.
4. Categories of data subjects
Visitors of Controller's websites who submit forms connected to SimplyForms (the "Submitters").
5. Categories of personal data
Depends on Controller's form. Typically: name, email, phone, address, company ID, message, uploaded files.
Optional (if Controller enables opt-in metadata): IP address, user-agent, referrer of the Submitter.
Controller shall NOT send Art. 9 GDPR special categories (health, racial/ethnic origin, political opinions, religious beliefs, sexual orientation, biometric, genetic) or Art. 10 criminal-conviction data, without explicit Submitter consent and a documented DPIA.
6. Processor obligations (Art. 28(3) GDPR)
6.1 Process only on documented Controller instructions
Instructions are given by Account configuration in the dashboard and active API requests. Processor may process without Controller instruction only as required by law, for Service security (rate-limit, anti-abuse), or to inform Controller of relevant matters.
6.2 Confidentiality
Persons with access to personal data are bound by confidentiality.
6.3 Security measures (Art. 32 GDPR)
TLS 1.3; API keys stored only as SHA-256 hashes; bcrypt password hashing; short-lived JWTs with refresh-token rotation; least-privilege access; stateless relay (no storage of Submission content); regular code review; ISO 27001-certified hosting (see Annex 1).
6.4 Sub-processors (Art. 28(2)+(4))
Processor uses sub-processors listed at simplyforms.app/legal/sub-processors. Controller hereby gives general prior authorisation.
Intended changes (addition or replacement) are notified by email at least 30 days in advance. Controller may, within that period, object in writing to privacy@simplyforms.app and, if no agreement is reached, terminate the Main Agreement as of the effective date with pro-rata refund of prepaid Fees.
Current sub-processors: see Annex 1.
6.5 Assistance with Submitter rights (Art. 28(3)(e))
Processor assists Controller in handling Submitter requests (access, rectification, erasure, restriction, portability, objection), within Processor's capabilities given the nature of processing (stateless model — Submission content is not stored; assistance focuses on metadata and configuration).
6.6 Assistance with security, breach notification, DPIA (Art. 28(3)(f))
Processor assists with Art. 32–36 obligations.
6.7 Breach notification to Controller (Art. 33(2))
Processor notifies Controller without undue delay (typically within 48 hours of awareness) of any security breach affecting personal data processed for Controller, including: nature, categories and approximate number of affected subjects and records, likely consequences, measures taken or proposed.
6.8 Records of processing activities (Art. 30(2))
Processor maintains internal records of all processing activities performed on behalf of Controller.
6.9 Audit (Art. 28(3)(h))
Processor allows Controller and an independent third-party auditor to perform audits of DPA compliance: at least 30 days' advance notice; no more than once per year (except on reasonable suspicion of breach); no disruption of normal operations or other Controllers; auditor bound by NDA; Controller bears the cost. Processor may alternatively offer third-party certifications (ISO 27001, SOC 2) covering the scope.
6.10 Erasure or return after termination
Upon termination Processor deletes or returns all personal data processed on Controller's behalf, unless law requires retention:
- Submissions: not stored, no erasure needed,
- Anonymous metrics: deleted after 90-day retention,
- Configuration data: exportable for 30 days, then deleted,
- Accounting documents: retained 10 years (§31 Czech Accounting Act).
7. Controller obligations
7.1 Lawful basis under Art. 6 (and 9 where applicable) for every form field.
7.2 Art. 13 notice to Submitters in own privacy policy, including disclosure of SimplyForms / Adam Todt, IČO 19197438 as processor.
7.3 No special categories without explicit Submitter consent and DPIA.
7.4 API key safeguarding: Controller keeps API keys confidential and does not commit them to public repositories or embed them in client-side JavaScript.
7.5 Cooperation on Submitter rights; use Processor assistance per §6.5.
7.6 Children: if Controller's forms target children under 16, Controller ensures legal-guardian consent (Art. 8 GDPR).
8. International transfers
Sub-processors are primarily in the EU. The Stripe US transfer is based on EU-US Data Privacy Framework (Commission Decision (EU) 2023/1795) and SCCs (Commission Decision (EU) 2021/914, Module 2).
If Controller resides outside EU/EEA, Processor's transfer of data to Controller is covered by SCCs Module 4 (processor-to-controller), incorporated by reference.
9. Liability and limitation
9.1 Parties are liable under Art. 82 GDPR and Czech law.
9.2 Processor's liability under the DPA follows Main Agreement §12: an aggregate cap of 12 months of Fees for Business Customers, and a CZK 1,000 floor for FREE-plan Customers.
9.3 Limitations do not apply to intent / gross negligence (§2898 Czech Civil Code) or to the extent inconsistent with mandatory Art. 82 GDPR.
9.4 Indemnification. If a claim is asserted against Processor due to Controller's breach of §7, Controller compensates Processor per Main Agreement §14.
10. Term and termination
DPA runs for the term of the Main Agreement and terminates with it. Surviving clauses: §6.10 (erasure/return), §8 (transfers for any pending data), §9 (liability).
11. Miscellaneous
11.1 Governing law: Czech law (GDPR, Act 110/2019, Civil Code).
11.2 Jurisdiction: as per Main Agreement.
11.3 Amendments: Processor may amend per Main Agreement §3; material changes notified 30 days in advance; objection allows free termination.
11.4 Severability.
11.5 Incorporation: DPA is integral to the Main Agreement; in case of conflict on data-protection matters, DPA prevails.
11.6 Versioning: archived versions at simplyforms.app/legal/dpa/archive; acceptance recorded on the Controller's Account.
Annex 1 — Current sub-processors
| Sub-processor | Purpose | Location | Outside EU | Safeguards |
|---|---|---|---|---|
| Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany | Hosting (Cloud Nürnberg) | EU (DE) | No | DPA, ISO 27001 |
| Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Dublin, Ireland | Payment processing | EU (IE) + USA | Yes (Stripe US) | SCCs + EU-US DPF |
| GitLab Inc., 268 Bush Street #350, San Francisco, USA | CI/CD pipeline (no production data access) | EU servers | Limited | DPA |
SMTP relay is operated by Processor on own infrastructure in the EU (Hetzner Nürnberg) — no third-party email provider.
Updated list: simplyforms.app/legal/sub-processors.
Annex 2 — Standard Contractual Clauses (SCCs)
If Controller resides outside EU/EEA, the Standard Contractual Clauses under Commission Decision (EU) 2021/914, Module 4 (processor-to-controller), are incorporated into this DPA.
For sub-processors outside EU/EEA, Module 3 (processor-to-processor) applies and is signed by Processor with the respective sub-processor.
In case of conflict between this DPA and the SCCs, the SCCs prevail.
Version 1.0 · Effective: May 23, 2026
Document hash (SHA-256): 7d426becc2bad5ffb507d62cfce6998f698d58948c3e80205df491ad1b9770cc
