Data Processing Agreement
Last updated: March 13, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between the Customer and AgentForms for the use of the AgentForms API service. This DPA automatically applies to all customers using the AgentForms API — no separate signature is required.
1. Introduction and Parties
This DPA is entered into between:
- Customer ("Controller") — the individual or entity that has registered for and uses the AgentForms API to create forms and collect responses.
- AgentForms ("Processor") — the data processing service operated by Adriano Sanges, accessible at agentforms.dev.
The Customer acts as the data controller, determining the purposes and means of processing personal data through forms created via the AgentForms API. AgentForms acts as the data processor, processing personal data on behalf of the Customer in accordance with the Customer's documented instructions.
2. Definitions
- Personal Data — any information relating to an identified or identifiable natural person, as submitted through forms created by the Customer.
- Processing — any operation performed on Personal Data, including collection, storage, retrieval, transmission, and deletion.
- Data Subject — an identifiable natural person whose Personal Data is processed; in this context, the individuals who fill out forms created by the Customer ("form respondents").
- Sub-processor — a third party engaged by AgentForms to process Personal Data on behalf of the Customer.
- Data Breach — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
- DSAR — a Data Subject Access Request, or any request by a Data Subject to exercise their rights under applicable data protection law.
3. Scope and Purpose of Processing
AgentForms processes Personal Data solely for the purpose of providing the AgentForms API service to the Customer. This includes:
- Receiving and storing form responses submitted by Data Subjects through forms created by the Customer via the API.
- Making form response data available to the Customer through the API (polling or webhook delivery).
- Retaining form response data for the duration specified by the Customer's subscription plan.
- Automatically deleting form response data after the applicable retention period expires.
AgentForms does not process Personal Data for any purpose other than providing the service as instructed by the Customer.
4. Categories of Data and Data Subjects
Data Subjects
The Data Subjects are form respondents — individuals who fill out forms created by the Customer using the AgentForms API. The Customer determines who these individuals are and how they are directed to the forms.
Categories of Personal Data
The categories and types of Personal Data processed are determined entirely by the Customer through their form configuration. AgentForms processes whatever data the Customer defines in their form fields, which may include but is not limited to:
- Names and contact information (e.g., email addresses, phone numbers)
- Demographic information
- Preferences, opinions, and feedback
- Any other data types the Customer chooses to collect through their form fields
The Customer is responsible for ensuring that their forms do not collect sensitive or special category data unless they have a lawful basis for doing so and have implemented appropriate safeguards.
5. Obligations of the Processor
AgentForms shall:
- Process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law.
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing.
- Respect the conditions for engaging sub-processors as outlined in this DPA.
- Assist the Customer in responding to Data Subject requests, as described in Section 8.
- Assist the Customer in ensuring compliance with data breach notification obligations.
- Delete or return all Personal Data to the Customer after the end of the provision of services, as described in Section 11.
- Make available to the Customer all information necessary to demonstrate compliance with these obligations.
6. Security Measures
AgentForms implements the following technical and organizational security measures to protect Personal Data:
- Encryption in transit — all data transmitted between customers, form respondents, and AgentForms is encrypted using TLS (Transport Layer Security).
- API key security — API keys are hashed before storage. Plain-text API keys are never stored in the database.
- Database access controls — access to the database is restricted and controlled, with authentication required for all connections.
- Automated data deletion — form response data is automatically deleted according to the Customer's plan-based retention schedule, ensuring data is not retained longer than necessary.
- HMAC-signed webhooks — webhook payloads are signed with HMAC-SHA256 to ensure integrity and authenticity of data delivered to the Customer's endpoints.
- Input validation — all API inputs are validated and sanitized to prevent injection attacks and data corruption.
7. Sub-processor Management
AgentForms uses the following sub-processors to provide the service:
| Sub-processor | Purpose | Data Processed |
|---|---|---|
| Hosting/infrastructure provider | Application hosting, database, and server infrastructure | All form response data as part of service operation |
| Lemon Squeezy | Billing and payment processing | Customer billing information only (no form response data) |
AgentForms shall:
- Notify the Customer before adding or replacing any sub-processor, providing the Customer with an opportunity to object to such changes.
- Ensure that any sub-processor is bound by data protection obligations no less protective than those set out in this DPA.
- Remain fully liable for the acts and omissions of its sub-processors.
8. Data Subject Rights Assistance
AgentForms shall assist the Customer in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under applicable data protection law, including rights of access, rectification, erasure, restriction, portability, and objection.
If AgentForms receives a request directly from a Data Subject, AgentForms shall promptly redirect the Data Subject to the Customer and notify the Customer of the request, unless otherwise required by applicable law.
The Customer may use the AgentForms API to access, export, or delete form response data to fulfill Data Subject requests.
9. Breach Notification
In the event of a Data Breach involving Personal Data processed on behalf of the Customer, AgentForms shall:
- Notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach.
- Provide the Customer with sufficient information to allow the Customer to meet its obligations under applicable data protection law, including:
  - A description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned.
  - The likely consequences of the breach.
  - A description of the measures taken or proposed to address the breach and mitigate its effects.
- Cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
10. Audit Rights
The Customer may request that AgentForms provide evidence of compliance with the obligations set out in this DPA. AgentForms shall make available to the Customer all information reasonably necessary to demonstrate compliance.
Audit requests should be submitted in writing to [email protected]. AgentForms shall respond to audit requests within a reasonable timeframe. The Customer shall bear its own costs associated with any audit.
11. Data Return and Deletion
During the Service
Form response data is available to the Customer via the AgentForms API for the duration of the applicable retention period based on the Customer's subscription plan:
| Plan | Retention Period |
|---|---|
| Free | 7 days |
| Pro | 90 days |
| Team | 365 days |
| Unlimited | Approximately 100 years (effectively indefinite) |
Data is automatically deleted via automated cleanup processes once the retention period for the Customer's plan has elapsed. The Customer is responsible for exporting any data they wish to retain beyond the retention period using the API before deletion occurs.
Upon Account Termination
Upon termination of the Customer's account, AgentForms shall delete all Personal Data associated with the Customer's account within 30 days, unless retention is required by applicable law. The Customer may export their data via the API prior to account termination.
12. International Data Transfers
Where Personal Data is transferred to a country outside the European Economic Area (EEA) or the United Kingdom that has not been deemed to provide an adequate level of data protection, AgentForms shall ensure that appropriate safeguards are in place, including the use of Standard Contractual Clauses (SCCs) as adopted by the European Commission, or other legally recognized transfer mechanisms as applicable.
13. Duration and Termination
This DPA is effective for the duration of the Customer's use of the AgentForms API service. It shall automatically terminate when the Customer's service agreement with AgentForms ends, subject to any obligations that survive termination (including data deletion obligations as described in Section 11).
The obligations of AgentForms under this DPA shall continue for as long as AgentForms processes Personal Data on behalf of the Customer.
14. Contact
For any questions, requests, or concerns regarding this Data Processing Agreement or the processing of Personal Data by AgentForms, please contact:
AgentForms
Operated by Adriano Sanges
Email: [email protected]