Data Processing Agreement in accordance with Art. 28 GDPR
"You" or "customer" refers to the company or organization that signs up to use the RenderForm.io
In this Data Processing Agreement ("DPA"), "Data Protection Legislation" means the General Data Protection Regulation (Regulation (EU) 2016/279), and all other applicable laws relating to processing of data and privacy that may exist in any relevant jurisdiction.
"data controller", "data processor", "data subject", "personal data" and "processing" shall be interpreted in accordance with applicable Data Protection Legislation.
The parties agree that customer is the data controller and that RenderForm.io is its data processor in relation to data that is processed in the course of providing the service.
We as humans can access your data to help you with support requests you make and to maintain and safeguard RenderForm.io to ensure the security of your data and the service as a whole. RenderForm.io shall ensure that all RenderForm personnel required to access the data are trained in GDPR and data privacy, informed of the confidential nature of the data and comply with the obligations sets out in this agreement.
RenderForm.io shall implement and maintain appropriate technical and organisational security measures designed to protect the data against unauthorised or unlawful processing and against accidental loss, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the data and having regard to the nature of the data which is to be protected.
We do work with sub-processors. Any such sub-processors will be permitted to process data only to deliver the services RenderForm.io has retained them to provide, and they shall be prohibited from using data for any other purpose. RenderForm.io shall notify the controller when modifying the list of sub-processors using our in-app notifications, email and/or blog. The controller is able to legitimately object and may terminate the agreement.
All of your site data is stored in the EU, and it never leaves the EU. You can find the list of other cloud services and third party services that we use in our privacy policy.
If RenderForm.io becomes aware of any accidental, unauthorised or unlawful security breach, destruction, loss, alteration, or disclosure of the personal data that is processed by RenderForm.io in the course of providing the service, it shall without undue delay (not later than 48 hours after having become aware of it), notify customer by email and provide customer with a description of the incident as well as periodic updates to information about the incident, including its impact on customer content. RenderForm.io shall additionally take action to investigate the incident and reasonably prevent or mitigate the effects of the incident.
RenderForm.io shall not on its own authority rectify, erase or restrict the processing of data that is being processed on behalf of the controller (unless this is required by law or the Processor Terms of Service), but shall only do so on documented instructions from the controller and in accordance to the data retention rules associated to the controller subscription plan.
RenderForm.io shall notify customer without undue delay if, in RenderForm.io’s opinion, an instruction for the processing of data given by customer infringes applicable Data Protection Legislation.
RenderForm.io shall assist the controller in complying with the obligations concerning the security of personal data. RenderForm.io will also provide assistance to the controller for DPAs. Where a data subject asserts their rights as a data subject, this request will be forwarded to the controller without delay.
You can choose to delete your account and delete your projects at any time by e-mailing us at [email protected]. In the event that it is our duty to keep a record of some of your personal information, for example for accounting purposes, this information is retained. We will irrevocably remove all other information within 30 days of your request.
Once all your data will be permanently deleted, we cannot recover them.
In order to use our products and services, you need to accept our DPA. By using our product you are agreeing to our terms of service, and you are automatically accepting our DPA and do not need to sign a separate document. We provide the same privacy rights and protection to all customers.
Yes. The DPA is a publicly available document and customers who wish to share it with their customers to confirm our security measures and other terms may feel free to do so.
No. You are not required to notify us or any third party upon accepting our DPA though, as mentioned above, you are free to do so.
If you have any questions or concerns regarding your information and personal data, please contact us at: [email protected].