This Data Processing Addendum (“DPA”) applies whenever it is incorporated by reference into the Terms and Conditions (“Agreement”) between you and Creativegenius, LLC which operates the FormBackend service. Capitalized terms used but not defined in this DPA have the meanings given to them in the Agreement.
In the course of providing the Offerings to you under the Agreement, FormBackend will Process Customer Data on your behalf. Customer Data may include Personal Data submitted through your website that uses the services provided by FormBackend. This DPA reflects the parties’ agreement relating to the Processing of Customer Data in accordance with the requirements of Data Protection Laws and Regulations. This DPA will control in the event of any conflict with the Agreement.
2.1 “Data Controller” means the entity that determines the purposes and means of Processing of Personal Data.
2.2 “Data Processor” means the entity that Processes Personal Data on behalf of the Data Controller.
2.3 “Data Protection Laws and Regulations” means any applicable data protection laws and regulations applicable to the Processing of Personal Data under the Agreement, including the applicable laws and regulations of the European Union, the European Economic Area and their member states.
2.4 “Data Subject” means the individual to whom Personal Data relates.
2.5 “Personal Data” means any information relating to an identifiable or identified individual.
2.6 “Processing”, “Processes” or “Process” means any operation or set of operations performed upon Personal Data whether or not by automated means, such as collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
2.7 “Sub-processor” means FormBackend’s Affiliates or other third-party service providers that Process Customer Data for FormBackend.
As between you and FormBackend, you are the Data Controller of Customer Data and FormBackend is the Data Processor. You control the categories of Data Subjects and Personal Data Processed under the Agreement. FormBackend has no knowledge of, or control over, the Personal Data that you provide for Processing. You are solely responsible for the accuracy, quality, and legality of the Customer Data and the means by which you acquired the Customer Data.
This DPA and the Agreement are your complete and final instructions to FormBackend for the Processing of Customer Data. You and FormBackend must agree on any additional or alternate instructions. FormBackend will inform you if, in FormBackend’s opinion, your instructions violate Data Protection Laws and Regulations. FormBackend will process Customer Data: (1) in accordance with the Agreement (including all documents incorporated in the Agreement), and (2) to comply with other reasonable instructions you provide to FormBackend (including by email) where your instructions are consistent with the Agreement. FormBackend will not otherwise disclose Customer Data to third parties unless required to do so by applicable law. FormBackend will not Process Customer Data for any other purpose unless you instruct FormBackend.
If you do not have the ability to amend, block, or delete Customer Data as required by Data Protections Laws and Regulations, you can provide written instructions to FormBackend to act on your behalf. FormBackend will follow your instructions to the extent they are technically feasible and legally permissible. You will pay FormBackend’s costs of providing this assistance if applicable.
If permitted, FormBackend will promptly notify you of any request from a Data Subject for access to, correction, amendment, or deletion of that Data Subject’s Personal Data. FormBackend will not respond to any Data Subject request without your prior written consent, except to confirm that the request relates to you.
FormBackend will assist you to address any request, complaint, notice, or communication you receive relating to FormBackend’s Processing of Customer Data received from (A) a Data Subject whose Personal Data is contained within the Customer Data, or (B) any applicable data protection authority. FormBackend will also assist you with your reasonable requests for information to confirm compliance with this DPA or to conduct a privacy impact assessment. You will pay FormBackend’s costs of providing assistance if the assistance exceeds the services provided under the Agreement.
FormBackend informs its personnel engaged in the Processing of Customer Data about the confidential nature of such Customer Data. These personnel receive appropriate training on their responsibilities and are subject to written agreements with confidentiality obligations that survive the termination of their relationship with FormBackend.
FormBackend ensures that access to Customer Data is limited to those personnel who require access to Process Customer Data under the Agreement.
You expressly authorize FormBackend to use Sub-processors to perform specific services on FormBackend’s behalf to enable FormBackend to perform its obligations under the Agreement. FormBackend has agreements with its Sub-processors that contain obligations substantially similar FormBackend’s obligations under this DPA. FormBackend is responsible to you for FormBackend’s Sub-processor’s compliance with the terms of the Agreement.
FormBackend will notify you of changes to its Sub-processors upon written request. You have a right to reasonably object to FormBackend’s use of a new Sub-processor by notifying FormBackend in writing within 10 business days after receipt of FormBackend’s notice. If you do so, FormBackend will use reasonable efforts to change the affected Software or Cloud Service, or recommend a commercially reasonable change to your configuration or use of the affected Software or Cloud Service, to avoid Processing of Customer Data by the new Sub-processor. If FormBackend is unable to make or recommend such a change within a reasonable period of time, not to exceed 60 days, you may terminate your Subscription Term with FormBackend. You must provide written notice of termination to FormBackend in accordance with the Agreement. FormBackend will promptly refund you the fees applicable to the unused portion of the Subscription Term for the terminated offering.
You have a right to reasonably object to FormBackend’s use of a new Sub-processor by notifying FormBackend in writing within 10 business days after FormBackend publishes notice of a new Sub-processor. If you do so, FormBackend will use reasonable efforts to change the affected Software or Cloud Service, or recommend a commercially reasonable change to your configuration or use of the affected Software or Cloud Service, to avoid Processing of Customer Data by the new Sub-processor. If FormBackend is unable to make or recommend such a change within a reasonable period of time, not to exceed 60 days, you may terminate only the Subscription Term for the Software and Cloud Service that FormBackend cannot provide without using the new Sub-processor. You must provide written notice of termination to FormBackend in accordance with the Agreement. FormBackend will promptly refund you the fees applicable to the unused portion of the Subscription Term for the terminated Software and Cloud Services offering.
7.1 Controls for the Protection of Customer Data. FormBackend maintains appropriate administrative, technical and organizational safeguards to protect Customer Data from unauthorized or unlawful Processing, from accidental loss, destruction, or damage. FormBackend’s obligations are described at https://www.formbackend.com/terms
7.2 "Incident" means a security event that compromises the integrity, confidentiality or availability of an information asset. FormBackend has an incident response plan and team to assess, escalate, and respond to identified physical and cyber security Incidents that impact the organization or customers or result in data loss. FormBackend reviews and updates this plan annually and as needed throughout the year. The incident response team resolves intrusions and vulnerabilities upon discovery and in accordance with the established procedures.
7.3 "Breach" means an Incident that results in the confirmed disclosure, not just potential exposure, of data to an unauthorized party. If FormBackend determines that an Incident has led to a Breach, FormBackend will follow its breach notification process. Incident management and escalation procedures exist to ensure that FormBackend addresses system issues, problems and security-related events, in a timely manner, and that all Incidents are logged, prioritized, and resolved based on established criteria and severity levels.
7.4 If there is a Breach involving your Customer Data, FormBackend will (A) notify you within 72 hours of discovery of the breach, (B) reasonably cooperate with you with respect to any such breach, and (C) take appropriate corrective action to mitigate any risks or damages involved with the breach to protect your Customer Data from further compromise. FormBackend will take any other actions that may be required by applicable law as a result of the Breach.
Under the Agreement, FormBackend will provide you an opportunity to retrieve Customer Data at the end of a Subscription Term and will then delete the Customer Data in accordance with the Documentation.
FormBackend may periodically update this policy. We will notify you about significant changes in the way we treat personal information by sending a notice to the primary email address specified in your FormBackend primary account holder account or by placing a prominent notice on our site.
If you have any questions about this DPA you can email us at [email protected].