This Data Processing Addendum ("DPA") forms part of the Terms of Service between the customer ("Controller") and [Legal Entity Name] ("Processor", "ApiForm") and applies where ApiForm processes personal data on the Controller's behalf in providing the Service.
The Controller determines the purposes and means of processing Customer Content. ApiForm acts as a Processor, processing personal data only on documented instructions from the Controller (including via use of the Service and API).
ApiForm processes the personal data contained in Customer Content (templates, render data, generated documents) solely to render, fill, sign, store, verify, and deliver PDFs as directed by the Controller, and to meter usage.
ApiForm ensures that personnel authorized to process personal data are bound by confidentiality obligations.
ApiForm maintains technical and organizational measures appropriate to the risk, including encryption in transit, access controls, scoped credentials, rate limiting, server-side request filtering to prevent access to internal networks, tamper-evident output hashing, and optional digital signatures.
The Controller authorizes ApiForm to engage sub-processors to provide the Service (cloud hosting/storage, payment processing, and — only if AI field suggestions are enabled — an AI provider). ApiForm imposes data-protection obligations on sub-processors and remains responsible for their performance. ApiForm will give notice of new sub-processors and a reasonable opportunity to object.
Taking into account the nature of processing, ApiForm will provide reasonable assistance to the Controller in responding to data-subject requests (access, deletion, correction, portability) that the Controller cannot fulfill itself through the Service.
ApiForm will notify the Controller without undue delay after becoming aware of a personal data breach affecting Customer Content, and will provide information reasonably available to assist the Controller's own notification obligations.
On termination, or on the Controller's request, ApiForm will delete or return Customer Content, subject to retention required by law, within a reasonable period. Provenance hashes (which are not personal data) may be retained.
Where ApiForm transfers personal data across borders, it will rely on a lawful transfer mechanism such as the Standard Contractual Clauses, incorporated by reference where applicable.
ApiForm will make available information reasonably necessary to demonstrate compliance with this DPA and allow for audits to the extent required by applicable law, subject to reasonable confidentiality and security conditions.
Data protection contact: legal@apiform.io.