Form Connector Subprocessor Guidelines

These guidelines define how Form Connector selects, reviews, and discloses subprocessors in compliance with its Data Processing Addendum (DPA) and relevant privacy laws such as GDPR and CCPA.

1. Definition

A subprocessor is any third-party service provider engaged by Form Connector to process data on behalf of its customers in connection with the services provided by Form Connector.

2. Subprocessor Criteria

Before engaging a subprocessor, Form Connector ensures that:

  • The subprocessor provides sufficient guarantees for the implementation of appropriate technical and organizational measures.
  • The subprocessor's infrastructure and practices are reviewed for security, reliability, and compliance.

3. Risk Assessment & Approval

Each subprocessor is evaluated based on:

  • Type of data processed (metadata, tokens, email, identifiers, etc.)
  • Location and data transfer mechanisms.
  • Incident history and operational resilience.

Approved subprocessors are documented in the DPA and monitored periodically.

4. Ongoing Monitoring

  • Subprocessors are reviewed annually.
  • Any security incidents involving a subprocessor must be promptly reported to Form Connector and trigger appropriate remediation.

5. Customer Notification

Form Connector will:

  • Maintain an up-to-date list of subprocessors.

6. Non-Subprocessor Clarification

Third-party platforms connected via customer configuration (e.g., Slack, Airtable, Notion, Salesforce, Google Sheets, Hubspot, etc) are not considered subprocessors. They are data recipients, and the Controller (customer) is responsible for ensuring these platforms comply with applicable privacy laws.

7. Data Categories Handled by Subprocessors

Subprocessors may handle:

  • Metadata (Webflow IDs, SubmissionIDs)
  • Email addresses or user names (if provided by the user during onboarding)
  • OAuth tokens (encrypted and access-controlled)

Subprocessors do not have access to:

  • Full form submission content
  • Sensitive end-user data from forms

8. Revocation & Removal

If a subprocessor is no longer compliant or no longer essential to service delivery:

  • Their access will be revoked immediately.
  • They will be removed from the DPA list and replaced if necessary.

9. Current Subprocessors (as of May 2025)

  • Amazon Web Services (AWS) — Cloud infrastructure
  • MongoDB Atlas — Encrypted database management
  • ActiveCampaign Postmark — Transactional email delivery
  • Mixpanel — App analytics (anonymized)
  • Microsoft Clarity — UX tracking (anonymized)
  • New Relic — Server performance monitoring

10. Questions & Requests

For additional information or to raise an objection to a subprocessor, customers can contact: hello@formconnector.app