Data Processing Agreement
Last updated: 2026-05-31
This Data Processing Agreement (“DPA”) forms part of the agreement between Skymakers Digital Limited (“FormX,” “Processor”) and the customer entity that has accepted the FormX Terms of Service (“Controller”), collectively “the Parties.”
Where a Controller requires a signed copy of this DPA for compliance purposes, please contact support@formx.ai.
1. Definitions
In this DPA:
- “Applicable Data Protection Laws” means all laws, regulations, and binding regulatory guidance applicable to the Processing of Personal Data under this DPA, including without limitation: (a) Regulation (EU) 2016/679 (the “EU GDPR”); (b) the UK General Data Protection Regulation as incorporated by the Data Protection Act 2018 (the “UK GDPR”); (c) the Swiss Federal Act on Data Protection (the “FADP”); (d) the California Consumer Privacy Act as amended by the California Privacy Rights Act (the “CCPA”); (e) other applicable U.S. state privacy laws (including the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, and successor laws); and (f) any other applicable data protection or privacy law in any jurisdiction where Personal Data is Processed under this DPA, including without limitation the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) (the “PDPO”), the Singapore Personal Data Protection Act, the Japan Act on the Protection of Personal Information (“APPI”), the Brazil Lei Geral de Proteção de Dados (“LGPD”), the Canada Personal Information Protection and Electronic Documents Act (“PIPEDA”), the Australia Privacy Act, and the India Digital Personal Data Protection Act (“DPDPA”).
- “Controller” means the entity that determines the purposes and means of Processing Personal Data; references to “Controller” include “Business” under the CCPA where applicable.
- “Processor” means Skymakers Digital Limited, trading as FormX.ai, which Processes Personal Data on behalf of the Controller; references to “Processor” include “Service Provider” under the CCPA where applicable.
- “Personal Data”, “Processing”, and “Data Subject” have the meanings given in the EU GDPR, with equivalent meanings under the UK GDPR, FADP, CCPA, and other Applicable Data Protection Laws as the context requires; “Personal Data” includes “Personal Information” under the CCPA where applicable.
- “Personal Data Breach” has the meaning given in the EU GDPR (and equivalent meanings under the UK GDPR and other Applicable Data Protection Laws).
- “Security Incident” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.
- “Services” means the document data extraction services provided by FormX under the Terms of Service.
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the EU GDPR, adopted by the European Commission (Implementing Decision (EU) 2021/914), and any successor instrument.
- “UK IDTA” means the UK International Data Transfer Agreement and the UK International Data Transfer Addendum to the SCCs, in each case issued by the UK Information Commissioner.
- “Sub-processor” means any processor engaged by FormX to carry out Processing activities on behalf of the Controller.
- “Annex” means the annexes attached to this DPA.
2. Scope and Roles
2.1 Scope and roles. The Parties acknowledge that, with respect to Personal Data processed under this DPA, FormX acts solely as a Processor and the Controller acts solely as a Controller. Nothing in this DPA shall be construed as establishing a joint controllership relationship between the Parties for the purposes of EU GDPR or UK GDPR Article 26.
2.2 Details of Processing. The subject matter, nature, purpose, duration, types of Personal Data, and categories of Data Subjects covered by this DPA are set out in Annex A.
3. Processing Instructions
3.1 Processing on Instructions. FormX shall Process Personal Data only on documented instructions from the Controller, including with regard to international transfers of Personal Data, as set out in this DPA and the Terms of Service, unless required to do so by applicable law to which FormX is subject. In such a case, FormX shall inform the Controller of that legal requirement before Processing, unless that law prohibits such notification on grounds of public interest. The Controller’s use of the Services via the standard interfaces provided by FormX (API, portal, configuration settings) constitutes documented instructions for the purposes of this DPA. Any instructions outside the standard interfaces must be agreed in writing and may be subject to additional fees.
3.2 Notice of unlawful instructions. FormX will inform the Controller without undue delay if, in FormX’s opinion, an instruction infringes Applicable Data Protection Laws.
4. Confidentiality of Personnel
4.1 Confidentiality undertaking. FormX shall ensure that persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that access to Personal Data is limited to personnel who need such access to perform FormX’s obligations.
5. Security Measures
5.1 Technical and organisational measures. FormX shall implement and maintain appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk of the Processing, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risks to the rights and freedoms of Data Subjects. A description of FormX’s current security measures is set out in Annex C. FormX is ISO/IEC 27001 certified and SOC 2 Type II attested.
5.2 Review and updates. FormX will regularly test, assess, and evaluate the effectiveness of its security measures and may update them, provided that any update does not materially diminish the overall level of security.
6. Sub-Processors
6.1 General authorisation. The Controller grants general authorisation for FormX to engage Sub-processors to Process Personal Data in connection with the Services, subject to this Section 6.
6.2 Current Sub-processors. A current list of FormX-operated Sub-processors is maintained at the FormX Sub-Processors page, which is the canonical record. Categories of Sub-processor activity currently used include cloud hosting and infrastructure, AI model inference (where enabled), transactional email delivery, payment processing, application error monitoring, and product analytics.
6.3 New Sub-processors. FormX shall notify the Controller of any intended changes to the Sub-processor list (additions or replacements) by updating the FormX Sub-Processors page at least thirty (30) days before the change takes effect, unless an earlier engagement is required for security or business-continuity reasons. Publication of the updated page constitutes sufficient notice. The Controller may subscribe to receive email notifications of Sub-processor changes by contacting support@formx.ai with the subject line “Subscribe to sub-processor updates”.
6.4 Right to object. The Controller may object to a proposed new or replacement Sub-processor on reasonable data-protection grounds within the notice period set out in Section 6.3 by notifying FormX in writing. If the Parties cannot resolve the objection in good faith within a further fourteen (14) days, the Controller may, as its sole remedy, terminate the affected portion of the Services on written notice. No refund of any prepaid Fees is available on the basis of such an objection.
6.5 Flow-down obligations. FormX shall impose on each Sub-processor data-protection obligations substantially equivalent to those set out in this DPA, by way of a written contract, and shall remain liable to the Controller for the acts and omissions of its Sub-processors with respect to Personal Data.
6.6 Customer-configured integrations. The Services may be configured by the Controller to interact with third-party providers using credentials and accounts that the Controller owns and controls, including (a) cloud-storage and document services used to fetch source documents into the Services for processing (currently Google Drive), and (b) third-party endpoints, cloud-storage buckets, or APIs to which FormX sends Parsed Content or other Service output (the “External APIs”). FormX is not a Sub-processor with respect to such Customer-configured integrations; the Controller is responsible for selecting these providers, controlling the resulting data flows, and entering into appropriate data-protection arrangements directly with them. The current categorical list is published on the FormX Sub-Processors page.
7. International Transfers
7.1 EU GDPR transfers. Where Personal Data subject to the EU GDPR is transferred from the European Economic Area to a country not benefiting from an adequacy decision of the European Commission, the parties incorporate by reference the SCCs, with Module Two (Controller to Processor) applying where the Controller is itself a controller and Module Three (Processor to Processor) applying where the Controller is acting as a processor on behalf of a downstream controller. For the purposes of the SCCs: (a) the docking clause applies; (b) Clause 7 (optional) does not apply; (c) Clause 9, Option 2 (general written authorisation) applies, with the time period set out in Section 6.3 of this DPA; (d) Clause 11 (optional language) does not apply; (e) Clause 17, Option 1 applies, with the SCCs governed by the law of Ireland; (f) Clause 18(b) designates the courts of Ireland; and (g) Annexes I, II, and III of the SCCs are completed by reference to Annexes A, C, and B of this DPA respectively.
7.2 UK GDPR transfers. Where Personal Data subject to the UK GDPR is transferred outside the United Kingdom to a country not benefiting from a UK adequacy regulation, the parties incorporate by reference the UK IDTA (or the UK International Data Transfer Addendum to the SCCs, at the parties’ election), completed by reference to the Annexes of this DPA.
7.3 Swiss FADP transfers. Where Personal Data subject to the FADP is transferred, the SCCs apply with the contextual amendments necessary to reflect the FADP: references to the EU GDPR shall be read as references to the FADP, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner, and references to “EU Member State” shall include Switzerland.
7.4 Conflict. In the event of any conflict between this DPA and the SCCs or UK IDTA in respect of an international transfer, the SCCs or UK IDTA (as applicable) shall prevail to the extent of the conflict.
8. Data Subject Rights
8.1 Processor assistance. Taking into account the nature of the Processing and the information available to it, FormX shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, to fulfil the Controller’s obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection. The Controller acknowledges that the self-service tools available through the FormX portal and API (including data export, deletion, and activity logs) constitute FormX’s primary mechanism for fulfilling this assistance obligation. Any assistance beyond what is reasonably available through such standard product features shall be provided at the Controller’s reasonable cost, charged at FormX’s then-current professional services rates. FormX’s obligation to provide such additional assistance is limited to eight (8) hours per calendar year per Controller account without charge; time beyond that threshold will be invoiced at FormX’s standard rates.
8.2 Forwarding requests. If FormX receives a request from a Data Subject relating to Personal Data, FormX shall, unless legally prohibited, promptly forward that request to the Controller and shall not respond to it directly (other than to acknowledge receipt and redirect to the Controller) unless authorised by the Controller or unless the Controller has provided a documented self-service mechanism.
9. Personal Data Breach Notification
9.1 Notification timing and content. FormX shall notify the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Personal Data Processed under this DPA. Where complete information is not available at the time of initial notification, FormX shall provide the available information promptly and supplement the notification as further information becomes available. Notification shall include, to the extent available at the time of notification:
- a description of the nature of the Personal Data Breach;
- the categories and approximate number of Data Subjects and Personal Data records concerned;
- the likely consequences of the Personal Data Breach; and
- measures taken or proposed to address the breach and mitigate its effects.
Notifications shall be sent to the contact email address registered on the Controller’s FormX account.
9.2 Cooperation with downstream notifications. FormX shall provide the Controller with reasonable cooperation and assistance in connection with the Controller’s obligations to notify supervisory authorities and Data Subjects under Applicable Data Protection Laws.
10. Data Protection Impact Assessments and Prior Consultation
10.1 DPIA assistance. Taking into account the nature of the Processing and the information available to FormX, FormX shall provide reasonable assistance to the Controller in carrying out data protection impact assessments and prior consultations with the competent supervisory authority, to the extent that such assessments or consultations relate to the Processing of Personal Data by FormX under this DPA. Such assistance is limited to providing information about FormX’s Processing activities and security measures that is not already publicly available or covered by FormX’s ISO/IEC 27001 certificate and SOC 2 Type II report. Assistance beyond this scope shall be provided at the Controller’s reasonable cost at FormX’s then-current professional services rates.
11. Audits
11.1 Attestations as default. FormX shall make available to the Controller, upon written request and subject to a customary non-disclosure agreement, information necessary to demonstrate compliance with this DPA, no more than once per twelve (12) month period. FormX’s primary and default mechanism for satisfying this obligation is to provide its most recent ISO/IEC 27001 certificate and SOC 2 Type II report (and any successor or equivalent third-party security attestations). The Controller agrees that delivery of those documents satisfies the audit obligation under this DPA, except as set out in Section 11.2.
11.2 On-site audits. On-site audits or inspections are permitted only where: (a) the Controller’s competent supervisory authority specifically requires an on-site inspection and provides a written demand to that effect, or (b) a Security Incident has occurred that materially affected the Controller’s Personal Data and remains unresolved. Any on-site audit is subject to the following conditions: (i) the Controller shall give at least thirty (30) days’ prior written notice; (ii) the audit shall be conducted during normal business hours in a manner that minimises disruption to FormX; (iii) the auditor must not be a competitor of FormX and must execute FormX’s standard non-disclosure agreement before accessing any information; (iv) the Controller bears its own costs and expenses, and reimburses FormX’s reasonable internal cooperation costs (personnel time at standard rates, not to exceed FormX’s reasonable estimate provided in advance); and (v) audit findings constitute FormX Confidential Information and may not be disclosed to third parties without FormX’s prior written consent, except as required by law or the Controller’s regulator.
12. Return and Deletion of Personal Data
12.1 Return or deletion. Upon termination or expiry of the Services, or upon the Controller’s written request, FormX shall, at the Controller’s election, either delete or return all Personal Data processed under this DPA, and delete existing copies, unless applicable law requires retention of the Personal Data. FormX shall confirm completion of deletion in writing within sixty (60) days of the request or termination.
12.2 Carve-outs. The following carve-outs apply: (a) backup copies of Personal Data will be deleted in the ordinary course of FormX’s standard backup rotation, which shall not exceed ninety (90) days, during which period such backup copies shall remain encrypted and shall not be actively processed; (b) FormX may retain data that it is required to retain under applicable law; (c) FormX may retain anonymised or aggregated data that no longer constitutes Personal Data; and (d) FormX may retain billing and account records necessary for tax and audit compliance.
13. Controller Indemnity
13.1 Indemnity for unlawful processing. The Controller will indemnify and hold FormX harmless from and against any third-party claim brought against FormX arising directly from: (a) the Controller’s failure to have a valid lawful basis for Processing or transferring Personal Data to FormX; (b) the Controller’s failure to provide required notices to, or obtain required consents from, Data Subjects as required by Applicable Data Protection Laws; (c) Personal Data submitted to FormX in breach of Applicable Data Protection Laws; or (d) any Controller instruction that infringes Applicable Data Protection Laws. The Controller represents and warrants that it has a valid lawful basis for Processing and transferring Personal Data to FormX, that the Personal Data has been collected and is provided to FormX in compliance with Applicable Data Protection Laws, that it has provided all necessary notices and obtained all necessary consents from Data Subjects to the extent required by applicable law, and that it shall promptly inform FormX of any instruction that, in the Controller’s reasonable opinion, infringes Applicable Data Protection Laws. The Controller’s obligations under this Section 13 are conditioned on FormX providing prompt written notice of the claim, granting the Controller sole control of the defence and settlement (provided that any settlement imposing liability or admission of fault on FormX requires FormX’s prior written consent, not to be unreasonably withheld), and providing reasonable cooperation at the Controller’s expense.
14. Liability
14.1 Cap under the underlying agreement. Each Party’s liability arising out of or in connection with this DPA, whether in contract, tort (including negligence), or under any other theory of liability, is subject to and counts toward the limitations and exclusions of liability set out in the FormX Terms of Service. No separate, additional, or uncapped liability is created by this DPA.
14.2 Apportionment. Where both Parties are responsible for damage caused by Processing in breach of Applicable Data Protection Laws, each Party shall be held liable for the damage attributable to it.
15. Governing Law and Precedence
15.1 Governing law. This DPA is governed by, and construed in accordance with, the governing-law provisions of the FormX Terms of Service (the laws of England and Wales), except that the SCCs (and the UK IDTA, where applicable) are governed by the laws specified in those instruments themselves.
15.2 Precedence. In the event of any conflict between this DPA and the FormX Terms of Service, this DPA shall prevail to the extent of the conflict, with respect to the Processing of Personal Data only.
15.3 Survival. Sections 9 (Personal Data Breach Notification), 12 (Return and Deletion of Personal Data), 13 (Controller Indemnity), 14 (Liability), 15 (Governing Law and Precedence), and 16 (Regional Provisions) shall continue to be effective after termination of this DPA to the extent reasonably necessary to give effect to their terms.
16. Regional Provisions
16.1 European Economic Area, United Kingdom, and Switzerland. FormX’s obligations under the EU GDPR, UK GDPR, and FADP are addressed throughout Sections 3 to 11 of this DPA. International transfers of Personal Data subject to those laws are governed by Section 7.
16.2 United States — CCPA. To the extent FormX Processes Personal Information (as defined under the CCPA) on behalf of the Controller, FormX acts as a “Service Provider” (as defined under the CCPA). FormX shall not: (a) sell or share Personal Information; (b) retain, use, or disclose Personal Information for any purpose other than for the specific business purpose of performing the Services for the Controller, or for a permitted business purpose under the CCPA; (c) retain, use, or disclose Personal Information outside the direct business relationship between the parties; or (d) combine Personal Information received from or on behalf of the Controller with personal information received from or on behalf of any other person, except as expressly permitted by the CCPA. FormX shall reasonably cooperate with the Controller to enable the Controller to respond to verifiable consumer requests under the CCPA, including requests to know, delete, correct, or limit use of sensitive personal information. The assistance limitations in Section 8 of this DPA apply.
16.3 United States — other state privacy laws. For Personal Information governed by other U.S. state privacy laws (including the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, and successor laws), FormX acts as a “Processor” (or equivalent role) and will comply with substantially equivalent obligations to those set out in Section 16.2.
16.4 Hong Kong — PDPO. To the extent FormX Processes Personal Data subject to the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) (the “PDPO”) on behalf of the Controller, FormX will Process such Personal Data in a manner consistent with the Data Protection Principles set out in Schedule 1 to the PDPO, including without limitation Data Protection Principle 4 (security of personal data) and Data Protection Principle 5 (information to be generally available), as applicable to its role as a data processor under the PDPO. FormX will provide the Controller, as data user under the PDPO, with reasonable cooperation to enable the Controller to comply with its obligations under the PDPO in respect of such Personal Data.
16.5 Other jurisdictions — substantially equivalent obligations. For Personal Data governed by other Applicable Data Protection Laws not specifically addressed above (including without limitation the Singapore Personal Data Protection Act, the Japan Act on the Protection of Personal Information, the Brazil Lei Geral de Proteção de Dados, the Canada Personal Information Protection and Electronic Documents Act, the Australia Privacy Act, the India Digital Personal Data Protection Act, and any successor or equivalent law in any jurisdiction where Personal Data is Processed under this DPA), FormX will comply with obligations substantially equivalent to those set out in Sections 3 to 11 and this Section 16, taking into account the role of FormX as a processor (or equivalent role) under such laws.
Annex A: Details of Processing
| Item | Details |
|---|---|
| Subject matter | Document data extraction services provided via the FormX API and portal |
| Nature of processing | Receipt, analysis, and extraction of structured data from documents submitted by the Controller; temporary storage as needed to deliver results |
| Purpose of processing | To provide the FormX document extraction Services as instructed by the Controller |
| Duration | For the term of the Controller’s subscription to FormX Services |
| Type of Personal Data | May include names, addresses, identification numbers, financial data, signatures, and other personal information appearing in documents submitted by the Controller (determined by the Controller) |
| Categories of Data Subjects | Individuals whose personal data appears in documents submitted by the Controller (e.g., customers, employees, counterparties of the Controller) |
Annex B: Approved Sub-processors
FormX maintains the current list of approved Sub-processors at the FormX Sub-Processors page. Controllers may subscribe to notifications of Sub-processor changes by contacting support@formx.ai with the subject line “Subscribe to sub-processor updates”.
Annex C: Technical and Organisational Security Measures
FormX implements the following measures to protect Personal Data:
Access Controls
- Role-based access control with three permission levels (Admin, Editor, Read-Only) and granular sub-permissions per resource type
- Multi-factor authentication (MFA) enforced via Authgear identity platform for all user accounts
- Account lockout after 5 consecutive failed login attempts
- Password policy: minimum 8 characters, requiring uppercase, lowercase, digit, and special character; last 5 passwords may not be reused
- Kubernetes RBAC with dedicated service accounts per component (API, Worker, Inferencer); principle of least privilege applied
- GCP Workload Identity for keyless, credential-free service-to-service authentication; no long-lived credentials stored on disk
Encryption
- Data encrypted in transit using industry-standard protocols (currently TLS via automated Let’s Encrypt certificate management on Kubernetes Ingress)
- Data encrypted at rest using industry-standard encryption (currently AES-256) via cloud provider key management services
- Passwords hashed using bcrypt
- Temporary asset access via pre-signed URLs with configurable expiry (default 24 hours)
- Secrets managed via Kubernetes Secrets and GCP Workload Identity
Infrastructure Security
- Hosted on Google Kubernetes Engine (GKE) on ISO 27001-certified Google Cloud Platform infrastructure
- Database connection pooling via PgBouncer with controlled client connection limits
- Redis access protected by authentication
- Container-level CPU and memory resource limits to prevent resource exhaustion
- Pod disruption budgets to maintain availability during updates and upgrades
Data Minimisation and Retention
- Documents submitted via the synchronous API are not stored in permanent storage
- Documents submitted via the asynchronous API are stored temporarily with encryption and deleted upon result retrieval or job expiry
- Configurable retention periods with automated soft-delete (logical removal) followed by scheduled hard-delete (physical removal from storage)
- Explicit customer deletion requests tracked and fulfilled with expiry management
- No Personal Data is used to train AI models without explicit customer consent
Audit Logging
- All API requests logged (endpoint, method, user identity, workspace, timestamp)
- Monthly audit logs generated per workspace and made available to account administrators
- Authentication events tracked (failed login attempts, last login, last password change, token invalidation)
- Centralised log aggregation via Grafana Loki
- Application error and exception monitoring via Sentry
Incident Management
- Security incident response procedures in place
- Breach notification without undue delay upon confirmed Security Incident in accordance with Section 9
Compliance
- ISO 27001 certified
- SOC 2 Type II attested
- Annual third-party security audits
Certifications and audit reports are available to Controllers upon request under NDA.
Authorised Testing Only
The Controller shall not conduct, and shall not authorise any third party to conduct, penetration testing, vulnerability scanning, load testing, or other intrusive security or performance testing against the Services or FormX’s infrastructure without FormX’s prior written consent.