This Data Processing Addendum (DPA) is an agreement between Form Connector (“Processor”) and its customers (“Controller”), outlining the data processing activities undertaken by Form Connector on behalf of its customers. The purpose of this DPA is to define Form Connector’s commitments regarding the security, minimization, and privacy of all processed data.

1. Definitions

  • Controller: The customer using Form Connector to process form data from their Webflow sites.

  • Processor: Form Connector, the platform that enables mapping form data between Webflow and external destinations (e.g., Airtable, Notion, Salesforce, Google Sheets).

  • Data Subject: End users who submit forms on the Controller’s Webflow sites.

  • Subprocessors: Third-party service providers utilized by Form Connector to deliver its services.

  • Personal Data: Any information relating to an identified or identifiable individual processed by Form Connector on behalf of its customers.

2. Scope of Data Processing

Form Connector processes metadata required to facilitate its integration services between Webflow and third-party platforms. Form Connector does not permanently store the content of submitted form data on its servers. Submitted data is temporarily processed for secure transmission to the designated destination platform and not retained beyond this purpose.

Data Collected by Form Connector:

  • Webflow IDs: SiteID, FormID, PageID, FormElementID, FormSubmissionID — used for API calls.

  • OAuth Tokens: AccessToken and RefreshToken — securely stored for destination connections.

  • Submission Metadata: SubmissionID and destination API responses for error handling and retry options. Failed and successful submission metadata is accessible via a log interface for user visibility.

  • Onboarding Data: Email address and optionally a name, collected to personalize the experience and enable notifications. No sensitive data or passwords are collected.

Processing Activities:

Data submitted via Webflow forms is transmitted securely through API calls to designated destinations. Form Connector does not store form submission content in its database. A temporary in-memory submission log may expose submitted data (both successful and failed) for user review and retry. This data is never persisted and is used solely for operational visibility and troubleshooting.

3. Data Storage and Hosting

Form Connector uses the following platforms:

  • Amazon Web Services (AWS) – Cloud hosting (Region: Stockholm - eu-north-1)

  • MongoDB Atlas – Encrypted database service

All data is protected using industry-standard encryption methods.

4. Subprocessors

Form Connector uses subprocessors for the delivery and operation of its services:

  • Amazon Web Services (AWS) – Infrastructure hosting

  • MongoDB Atlas – Encrypted database storage

  • Slack – Internal notifications and support chat

  • ActiveCampaign Postmark – Transactional email delivery

  • Mixpanel – Usage analytics (only non-sensitive identifiers)

  • Microsoft Clarity – UX behavior tracking (anonymized)

  • New Relic – Server monitoring and diagnostics

Third-Party Destinations:

Platforms such as Airtable, Notion, Salesforce, Google Sheets, and others configured by the Controller are not considered subprocessors. These are customer-defined data recipients. The Controller is responsible for ensuring these connections comply with privacy laws.

Sensitive Data:

OAuth tokens are encrypted at rest and never shared with analytics providers or subprocessors. Form submission content is not permanently stored or shared.

5. Security Measures

Form Connector employs the following security practices:

Encryption:

  • In transit via TLS 1.2/1.3

  • At rest using AES-256-CBC for sensitive credentials

Access Controls:

Operational data is accessible only to authorized personnel, and access is logged and auditable.

Incident Response:

Breach response includes detection, containment, and customer notification within 48 hours of confirmation, followed by remediation and review.

Additional Safeguards:

  • Email notifications for failed submissions (includes form name and error, but not data content)

  • Users can revoke integrations anytime from app settings

Data Retention:

  • Submission logs: Metadata retained only for troubleshooting (e.g., SubmissionID)

  • OAuth tokens: Retained only while the integration is active, deleted on revocation

  • Webflow metadata: Retained only while the integration is active

6. Customer Responsibilities

Customers (Controllers) are responsible for:

  • Proper Webflow form and integration setup

  • Obtaining consent for any data tracking or processing

  • Ensuring their practices comply with applicable privacy laws

Form Connector is not liable for issues resulting from misconfiguration, third-party misuse, or lack of consent collection.

7. Rights of Data Subjects & User Control

Form Connector will support Controllers in addressing requests from Data Subjects to:

  • Revoke access: OAuth tokens can be revoked at any time via settings

  • Stop processing: Uninstalling the app ends all processing immediately

  • Delete data: Full removal requests can be submitted to support

Form submission content remains the responsibility of Webflow and the destination platforms.

8. Data Minimization and Anonymization

Form Connector adheres to strict data minimization:

  • Only metadata needed for functionality is collected

  • OAuth tokens are encrypted and access-restricted

  • Analytics tools use anonymized or masked identifiers only

9. Incident Reporting

Form Connector monitors operations in real time. In the event of a breach involving metadata (e.g., SubmissionIDs), affected users will be notified within 48 hours, and remediation steps will be taken immediately.

10. Termination and Data Deletion

Upon customer request following termination:

  • All operational data (tokens, metadata) will be deleted within 30 days

  • All processing activities for that customer will cease

11. Questions & Requests

For additional information or to raise an objection, customers can contact: hello@formconnector.app

Addendum: Platform-Specific Requirements

This DPA is designed to meet the privacy and security standards of partner platforms, including Webflow and others. OAuth scopes, subprocessors, and processing flows specific to each platform are transparently disclosed in public documentation and app listings.