Data Processing Agreement

Last updated: February 14, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Rowform (“Processor”, “we”, “us”) and the customer agreeing to these terms (“Controller”, “you”, “your”) and governs the processing of personal data by Rowform on your behalf.


1. Definitions

  • Personal Data — any information relating to an identified or identifiable natural person, as defined under Article 4(1) of the GDPR.
  • Processing — any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, or deletion.
  • Data Subject — the identified or identifiable natural person to whom Personal Data relates.
  • Sub-processor — a third party engaged by Rowform to process Personal Data on your behalf.
  • GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council.
  • Services — the Rowform form builder platform and related features available at app.rowform.io.

2. Scope and Purpose

This DPA applies when you use Rowform to collect, store, or process Personal Data from your form respondents. Rowform processes Personal Data solely to provide the Services to you and does not process data for any other purpose.

2.1 Categories of Data Subjects

  • Your form respondents and end users
  • Your team members and collaborators

2.2 Types of Personal Data Processed

  • Email addresses (respondent and account holder)
  • Form responses and answers submitted by respondents
  • Names and profile information of account holders
  • IP addresses and browser metadata (collected automatically)
  • Any other personal data you choose to collect through your forms

2.3 Duration of Processing

Personal Data is processed for the duration of your use of the Services. Upon account deletion or termination, all Personal Data is permanently deleted in accordance with our data retention policy (see Section 8).

3. Controller Obligations

As Controller, you are responsible for:

  • Ensuring you have a lawful basis (e.g., consent, legitimate interest) to collect Personal Data through your forms.
  • Providing appropriate privacy notices to your respondents before collecting their data.
  • Responding to Data Subject requests where required, using the tools Rowform provides (data export, deletion).
  • Ensuring that any Personal Data you instruct Rowform to process complies with applicable data protection laws.

4. Processor Obligations

Rowform shall:

  • Process Personal Data only on your documented instructions and solely for providing the Services.
  • Not sell, share, or use Personal Data for advertising, profiling, or any purpose other than delivering the Services.
  • Ensure that all personnel authorized to process Personal Data are bound by confidentiality obligations.
  • Implement and maintain appropriate technical and organizational security measures (see Section 6).
  • Assist you in fulfilling your obligations to respond to Data Subject rights requests.
  • Notify you without undue delay upon becoming aware of a Personal Data breach (see Section 7).
  • Delete or return all Personal Data upon termination of the Services, at your choice.
  • Make available all information necessary to demonstrate compliance with this DPA and allow for audits (see Section 9).

5. Sub-processors

Rowform uses the following sub-processors to deliver the Services:

Sub-processor | Purpose | Location
Supabase | Database hosting, authentication, file storage | EU (Frankfurt)
Vercel | Application hosting and serverless functions | Global (Edge)
ZeptoMail (Zoho) | Transactional email delivery | India
CookieYes | Cookie consent management | EU
Google | OAuth authentication (when used) | USA
DodoPayments | Payment processing and billing | EU

Rowform will:

  • Notify you of any intended changes to sub-processors by updating this page at least 30 days before the change takes effect.
  • Ensure each sub-processor is bound by data protection obligations no less protective than those in this DPA.
  • Remain fully liable for the acts and omissions of its sub-processors.

You may object to a new sub-processor by contacting us at privacy@rowform.io within 30 days of the notification. If we cannot reasonably accommodate your objection, either party may terminate the affected Services.

6. Security Measures

Rowform implements the following technical and organizational measures to protect Personal Data:

Technical Measures

  • Encryption in transit — All data is transmitted over TLS 1.2+.
  • Encryption at rest — Database storage is encrypted using AES-256.
  • Access control — Row Level Security (RLS) policies enforce workspace-scoped data isolation in the database.
  • Authentication — Secure OAuth 2.0 and password-based authentication with enforced password complexity requirements.
  • Audit logging — Key operations (data exports, account deletions, consent changes) are logged with timestamps and user attribution.

Organizational Measures

  • Access to production systems is restricted to authorized personnel.
  • Sub-processors are vetted for security and data protection compliance.
  • Regular review of access permissions and security configurations.

7. Data Breach Notification

In the event of a Personal Data breach, Rowform will:

  1. Notify you without undue delay and no later than 72 hours after becoming aware of the breach.
  2. Provide the following information:
    • Nature of the breach, including categories and approximate number of Data Subjects affected.
    • Contact details for further information.
    • Likely consequences of the breach.
    • Measures taken or proposed to address the breach and mitigate its effects.
  3. Cooperate with you and provide reasonable assistance in your obligations to notify supervisory authorities and affected Data Subjects.

Contact for breach notifications: privacy@rowform.io

8. Data Retention

Rowform enforces the following automated data retention policies:

Data Type | Retention Period | Action
Partial (abandoned) responses | 30 days | Deleted automatically
Respondent email addresses | 365 days | Anonymized (set to null)
Webhook delivery logs | 90 days | Deleted automatically
Audit logs | 2 years (730 days) | Deleted automatically

These policies align with the GDPR principle of storage limitation (Article 5(1)(e)). You may delete individual responses or your entire account at any time through the Rowform dashboard.

9. Audits

Upon reasonable written request and subject to confidentiality obligations, Rowform will:

  • Provide you with relevant information to demonstrate compliance with this DPA.
  • Allow and contribute to audits, including inspections, conducted by you or an independent auditor appointed by you.

Audits shall be limited to once per year unless a data breach has occurred or a supervisory authority requires an additional audit.

10. Data Subject Rights

Rowform provides you with the tools to fulfill Data Subject rights under GDPR:

Right | How Rowform Supports It
Access (Art. 15) | Data export feature in Account Settings
Rectification (Art. 16) | Profile editing in Account Settings
Erasure (Art. 17) | Account deletion with cascading data removal
Portability (Art. 20) | JSON data export of all account data
Restriction (Art. 18) | Contact us at privacy@rowform.io
Objection (Art. 21) | Marketing consent toggle in Account Settings

If Rowform receives a request directly from one of your Data Subjects, we will redirect them to you unless legally required to respond directly.

11. International Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), Rowform ensures that appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Verification that sub-processors in third countries maintain adequate data protection measures.
  • Compliance with any additional requirements under Chapter V of the GDPR.

12. Term and Termination

  • This DPA takes effect when you accept the Rowform Terms of Service and remains in effect for the duration of our processing of Personal Data on your behalf.
  • Upon termination, Rowform will delete all Personal Data within 30 days, unless retention is required by law.
  • Sections 6, 7, 9, and 11 survive termination.

13. Liability

Each party’s liability under this DPA is subject to the limitations set out in the Rowform Terms of Service. Nothing in this DPA limits either party’s liability for breaches of data protection law that cannot be limited under applicable law.

14. Contact

For questions about this DPA or to exercise any rights under it:


This DPA is designed to comply with the requirements of the GDPR. If you require a signed copy or have specific contractual requirements, please contact us at privacy@rowform.io.
