formformform is built and hosted in Europe. GDPR compliance is not a feature — it's the foundation.
All formformform infrastructure — application servers, databases, backups, and CDN edge nodes — is hosted within the European Union. Your data and your respondents' data never leaves EU borders. No transatlantic transfers, no Privacy Shield workarounds.
formformform acts as a data processor on behalf of form creators (data controllers). We process personal data only as instructed and only for the purpose of delivering the service. We offer a Data Processing Agreement (DPA) to all customers on request.
We support all GDPR data subject rights: access, rectification, erasure, portability, and restriction of processing. Form creators can export or delete individual responses at any time. Respondents can request data deletion through the form creator or by contacting us directly.
We only collect what we need. Form responses are stored for as long as the form creator needs them and can be deleted at any time. We don't sell data. We don't use form response data for advertising or profiling.
We maintain a minimal list of sub-processors, all EU-based or with adequate EU data protection agreements. We notify customers of any sub-processor changes in advance.
For GDPR-related questions, data subject requests, or to request a copy of our DPA, contact our Data Protection Officer at hello@formformform.com.