Data Processing Agreement (DPA)

Last updated: 31 March 2025

1. Introduction

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (the “Controller”) and BiteForm (the “Processor”). It sets out the terms on which BiteForm processes personal data on your behalf when you use the BiteForm platform (the “Service”). This DPA is available at biteform.com/dpa.

This DPA is designed to meet the requirements of the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and other applicable data protection laws. Where there is any conflict between this DPA and the Terms of Service on matters relating to data protection, this DPA shall take precedence.

2. Roles of the Parties

  • You (the Controller) — You determine the purposes and means of processing personal data collected through forms you create on the Service. You are responsible for complying with data protection laws as they apply to controllers.
  • BiteForm (the Processor) — We process personal data on your behalf solely to provide the Service. We do not determine the purposes of processing your clients' data.

For personal data relating to your own account (such as your name, email, and payment details), BiteForm acts as a data controller. This DPA applies specifically to the data we process on your behalf as a processor.

3. Subject Matter and Duration

This DPA applies for the duration of your use of the Service. Processing begins when personal data is first submitted through your forms and continues until the data is deleted in accordance with this DPA and our Privacy Policy.

Following termination of your account, we retain your data for a limited period as described in Section 14 (Data Retention and Deletion) before permanent deletion.

4. Nature and Purpose of Processing

We process personal data for the following purposes:

  • Hosting and storing form submissions and associated files
  • Storing customer records and contact information you create
  • Sending transactional emails on your behalf (form invitations, reminders, notifications)
  • Providing reporting, analytics, and email engagement tracking
  • Maintaining, securing, and supporting the platform

Processing is carried out:

  • On the Controller's documented instructions
  • As necessary to provide, maintain, and secure the Service
  • Where required by applicable law (in which case we will inform you, unless legally prohibited)

5. Types of Personal Data

The personal data processed may include, but is not limited to:

  • Names and contact details (email addresses, phone numbers, postal addresses)
  • Form inputs and responses provided by data subjects
  • Uploaded files submitted through forms
  • Email engagement data (delivery status, opens, clicks, bounces)

The specific types of data processed depend on the form fields you create. You are responsible for ensuring the data you collect is appropriate and proportionate.

6. Categories of Data Subjects

The data subjects whose personal data may be processed include:

  • Your customers and clients
  • Your prospects and leads
  • Form respondents and any other individuals who submit data through your forms

7. Controller Obligations

As the Controller, you are responsible for:

  • Ensuring you have a lawful basis for collecting and processing personal data through the Service
  • Providing appropriate privacy notices to data subjects before or at the point of data collection
  • Obtaining any required consents from data subjects
  • Handling data subject access requests and other rights requests
  • Complying with your obligations under applicable data protection laws (including the UK GDPR and EU GDPR)
  • Ensuring that any instructions you give us regarding processing are lawful

8. Processor Obligations

As the Processor, BiteForm shall:

  • Process personal data only in accordance with your documented instructions and as necessary to provide the Service, unless required by law
  • Not use personal data for our own marketing, profiling, or commercial purposes
  • Ensure that persons authorised to process the data are bound by appropriate confidentiality obligations
  • Implement appropriate technical and organisational security measures (see Section 9)
  • Assist you, where reasonably possible, in fulfilling your obligations to respond to data subject requests
  • Assist you in meeting your obligations regarding data protection impact assessments and prior consultations with supervisory authorities, where applicable
  • Notify you without undue delay upon becoming aware of a personal data breach (see Section 13)
  • Delete or return personal data upon termination in accordance with Section 14

9. Security Measures

We implement appropriate technical and organisational measures to protect personal data, including:

  • Encrypted data transmission using TLS/SSL
  • Secure user authentication via Clerk with session management
  • Role-based access controls within the platform
  • Webhook signature verification for third-party integrations
  • Email rate limiting and abuse detection systems
  • Regular security reviews and monitoring
  • Infrastructure-level protections provided by our hosting and storage providers

We regularly review these measures and update them as appropriate to maintain a level of security suitable for the risk involved.

10. Subprocessors

You authorise us to engage the following subprocessors to assist in providing the Service:

Subprocessor          Purpose                                          Location
Stripe                Payment processing and subscription management   United States
Clerk                 User authentication and session management       United States
Postmark              Transactional email delivery                     United States
Supabase              File storage for form uploads                    United States
PostgreSQL (hosted)   Primary database                                 United States

We may update or replace subprocessors from time to time as needed to operate the Service. When engaging a new subprocessor, we ensure appropriate data protection agreements and safeguards are in place. We will make reasonable efforts to inform you of any changes to our subprocessors.

11. International Data Transfers

Some of our subprocessors are located outside the UK and EEA. Where personal data is transferred internationally, we ensure appropriate safeguards are in place:

  • UK transfers — We rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as applicable.
  • EEA transfers — We rely on Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other lawful transfer mechanisms.

These safeguards ensure that personal data is protected to a standard consistent with the UK GDPR and EU GDPR, regardless of where it is processed.

12. Data Subject Rights

As the Controller, you are responsible for responding to requests from data subjects exercising their rights under data protection law (such as access, rectification, erasure, restriction, portability, and objection).

Where we receive a request directly from a data subject relating to data you control, we will promptly redirect them to you. We will assist you in fulfilling such requests where reasonably possible, taking into account the nature of the processing.

13. Data Breach Notification

In the event of a personal data breach affecting data processed on your behalf, we will notify you without undue delay after becoming aware of the breach. Our notification will include, to the extent available:

  • A description of the nature of the breach, including the categories and approximate number of data subjects affected
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach and mitigate its effects

We will cooperate with you and take reasonable steps to assist in the investigation and remediation of the breach. You remain responsible for any notifications required to supervisory authorities or data subjects under applicable law.

14. Data Retention and Deletion

We retain personal data processed on your behalf for as long as your account is active and you require access to the data.

Upon termination or deletion of your account, we retain your data for a 30-day grace period to allow for account recovery. After this period, we permanently delete all associated personal data, including customer records, form submissions, uploaded files, and email records. Where full deletion is not technically feasible, we will anonymise the data so that it can no longer be linked to identifiable individuals.

Certain data may be retained for longer where required by law (for example, payment records retained for tax and financial compliance purposes).

15. Audit and Compliance

We will make available to you, upon reasonable request, the information necessary to demonstrate compliance with this DPA and our obligations under applicable data protection law.

This may include providing summaries of our security practices, data protection policies, or relevant certifications. We are not obligated to permit on-site inspections or provide access to our systems, but we will respond to reasonable written enquiries in a timely manner.

16. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in our Terms of Service. Nothing in this DPA limits either party's liability for obligations that cannot be excluded or limited under applicable data protection law.

17. General

  • This DPA is governed by the laws of England and Wales, consistent with our Terms of Service.
  • Where there is any conflict between this DPA and the Terms of Service on matters relating to data protection, this DPA shall take precedence.
  • If any provision of this DPA is found to be unenforceable, the remaining provisions continue in full force and effect.
  • This DPA may be updated from time to time. We will notify you of material changes in accordance with the notice provisions in our Terms of Service.

18. Contact

If you have any questions about this DPA or wish to request a separately executed copy, please contact us:

BiteForm

Email: support@biteform.com