Skip to content
MobyformMobyform
  • Pricing
  • Alternatives
  • Blog
  • Docs
MobyformMobyform

Smart forms, connect everything

GitHubGitHubEmail

Product

  • Form Builder
  • Form Components
  • Analytics
  • Integrations
  • Exam & Assessment

Solutions

  • Surveys
  • Online Exams
  • Event Registration
  • Customer Feedback
  • HR & Recruitment

Resources

  • Documentation
  • Blog
  • Alternatives
  • Changelog
  • Roadmap

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie policy
  • Data Processing Agreement
  • Subprocessors
  • Security overview
  • GDPR
© 2026 Mobyform All Rights Reserved.
Built withLogo of MobyformMobyform

Data Processing Agreement

Default data processing terms for customers that use Mobyform to collect and process personal data through the hosted service.

2026/03/26

Overview

This Data Processing Agreement, or DPA, describes the default data processing terms that apply when a customer uses Mobyform to collect, store, organize, or otherwise process personal data through the service and Mobyform acts as a processor or service provider on the customer's behalf.

This page is intended to provide a public version of our standard processing terms. It supplements our Terms of Service and Privacy Policy. Customers that require a signed procurement copy can contact support@mobyform.com.

Roles

For customer-submitted account, billing, and administrative information, Mobyform may act as a controller or independent business. For form responses and other customer-controlled data processed through the product:

  • the customer is typically the controller or business
  • Mobyform is typically the processor or service provider

The customer remains responsible for determining whether the service is suitable for the intended processing and for complying with its own legal obligations to respondents, employees, applicants, patients, or other data subjects.

Subject Matter, Duration, and Purpose

This DPA covers the processing of customer-controlled personal data for the purpose of providing the Mobyform service, including:

  • form hosting and publishing
  • submission intake and storage
  • submission handling and review operations
  • reporting, exports, and operational tooling
  • customer support and troubleshooting directly tied to the service
  • security, reliability, abuse prevention, billing support, and incident response

Processing continues for the period in which Mobyform provides the service to the customer and for any limited post-termination period reasonably necessary for deletion, export, backup rotation, security, audit, or legal compliance.

Categories of Personal Data

Depending on how the customer configures forms, review settings, and integrations, customer-controlled data may include:

  • names, email addresses, phone numbers, postal information, and other identifiers
  • demographic or employment information
  • responses entered into form fields
  • uploaded files, attachments, images, or documents
  • submission metadata such as IP address, browser, device, timestamp, or routing information
  • comments, status history, assignment data, and audit history

Customers are responsible for deciding whether they will collect special category or sensitive data and whether additional safeguards are required.

Categories of Data Subjects

Depending on the customer's use case, data subjects may include:

  • customers and prospects
  • employees or contractors
  • applicants or candidates
  • event attendees or registrants
  • patients, students, members, or other respondents

Customer Instructions

Mobyform processes customer-controlled data only:

  • on the customer's documented instructions
  • as necessary to provide the service and related support
  • to comply with applicable law
  • to maintain the security, availability, and integrity of the service

The service configuration chosen by the customer, including form structure, permissions, retention settings, routing rules, and enabled integrations, forms part of the customer's documented instructions.

Customer Responsibilities

The customer is responsible for:

  • providing any required notices to data subjects
  • obtaining lawful bases or consents where required
  • ensuring uploaded or collected data is appropriate for the intended use
  • configuring permissions, retention rules, and operational settings in a compliant way
  • responding to data subject requests unless Mobyform is specifically required to assist
  • verifying that connected integrations and downstream systems are suitable

Mobyform Obligations

Mobyform will:

  • process customer-controlled data only for authorized purposes
  • ensure personnel with access to such data are subject to confidentiality duties
  • implement reasonable technical and organizational safeguards
  • assist the customer, taking into account the nature of the processing, with data subject requests and legal compliance obligations where reasonably possible
  • notify the customer of personal data breaches affecting customer-controlled data as required by law and contract
  • make information reasonably available to demonstrate compliance with this DPA

Confidentiality

Personnel authorized to process customer-controlled data are expected to be bound by confidentiality obligations, whether contractual, statutory, or policy-based.

Security Measures

Mobyform uses administrative, technical, and organizational measures designed to protect customer-controlled data. These measures include, where appropriate to the deployment and use case:

  • authenticated access controls
  • workspace, team, and role-based permissions
  • transport encryption for web traffic
  • audit and operational logging
  • rate limiting, abuse prevention, and security monitoring
  • file-integrity, upload-context, and signed-delivery controls where managed file storage is used
  • controlled use of subprocessors and infrastructure providers

For a higher-level public summary, see Security.

Subprocessors

Mobyform may use third-party subprocessors to provide hosting, communications, billing, delivery, and infrastructure services. A current public list is available at Subprocessors.

Core public vendors currently include Cloudflare for network and edge delivery, Resend for transactional and newsletter email, and Stripe or Creem for hosted billing depending on which payment provider is active in the relevant environment. Depending on deployment, uploads and generated assets may also be stored in a configured storage backend such as OSS, S3-compatible storage, Google Cloud Storage, Azure Blob Storage, or local or customer-managed storage.

Mobyform remains responsible for subprocessors to the extent required by applicable law and contractual commitments.

International Transfers

Where customer-controlled data is transferred across borders, Mobyform will use appropriate legal mechanisms and safeguards as required by applicable law, taking into account the location of the customer, data subjects, infrastructure, and subprocessors.

Data Subject Requests

Taking into account the nature of the processing, Mobyform will provide reasonable assistance so the customer can respond to lawful requests involving access, correction, deletion, export, objection, or restriction.

In many cases, the customer can handle these requests directly through product functions, exports, retention settings, or administrative tools. The product stack also supports request tracking aligned with GDPR-style access, erasure, portability, and rectification processes.

Security Incidents

If Mobyform becomes aware of a personal data breach affecting customer-controlled data, Mobyform will take appropriate steps to investigate, contain, and remediate the incident and will notify the customer when required by law or contract. Public references to breach-tracking records, including authority-notification and subject-notification timestamps, describe platform support and do not replace legal analysis of whether a specific notification obligation has been triggered.

Deletion and Return of Data

Upon termination or expiration of the services, customer-controlled data will be deleted, returned, or made available for export in accordance with the service configuration, applicable contract terms, operational backup cycles, and legal obligations.

Some residual copies may remain in backups or logs for a limited time until ordinary deletion cycles complete.

Audits and Information Requests

Mobyform may satisfy reasonable audit or due diligence requests through a combination of public documentation, security materials, questionnaires, and other compliance information, provided that such requests are proportionate and do not compromise the security or confidentiality of other customers or the service.

Annex Summary

Annex A: Subject Matter

Processing of customer-controlled data to provide the hosted form, submission handling, reporting, support, and related operational services.

Annex B: Data Types

Contact data, response data, form content, uploads, device and usage metadata, service records, and related service metadata as configured by the customer.

Annex C: Data Subjects

Respondents, employees, contractors, applicants, customers, prospects, members, students, patients, or other individuals whose data the customer chooses to process through Mobyform.

Annex D: Security

Reasonable technical and organizational measures appropriate to the service and risk profile, further summarized on the Security page.

Contact

If you need a procurement review, signed copy, or additional privacy documentation, contact support@mobyform.com.