1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Principal Agreement") between Polyform ("Processor", "we", "us", or "our") and you ("Controller", "Customer", "you").

This DPA reflects the parties' agreement with respect to the Processing of Personal Data in accordance with the requirements of applicable Data Protection Laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK Data Protection Act 2018.

2. Definitions

Personal Data means any information relating to an identified or identifiable natural person.
Processing means any operation performed on Personal Data, such as collection, storage, use, transfer, or deletion.
Data Controller means the entity that determines the purposes and means of Processing Personal Data.
Data Processor means the entity that processes Personal Data on behalf of the Data Controller.
Subprocessor means any third party appointed by the Processor to assist with Processing activities.
Data Subject means any identified or identifiable natural person whose Personal Data is processed.

3. Scope and Roles

You, as the Customer, are the Data Controller of any Personal Data collected through forms created on Polyform. Polyform acts as the Data Processor, processing Personal Data on your behalf and in accordance with your instructions.

4. Processing of Personal Data

We shall:

Process Personal Data only on your documented instructions, unless required by applicable law to act without such instructions. In such a case, we will inform you of that legal requirement before Processing, unless prohibited by law.
Ensure that persons authorized to process Personal Data are under an appropriate contractual or statutory obligation of confidentiality.
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of data in transit and at rest.
Assist you, insofar as possible, in fulfilling your obligations to respond to Data Subject requests exercising their rights under applicable Data Protection Laws.
Provide reasonable assistance in ensuring compliance with obligations relating to security, breach notifications, data protection impact assessments, and consultations with supervisory authorities.
Upon termination of services, at your choice, delete or return all Personal Data within 30 days, unless otherwise required by law to retain it.

5. Subprocessors

Polyform may engage Subprocessors to process Personal Data on your behalf. A current list of Subprocessors is available on our GDPR page.

We will notify Customers of any changes to Subprocessors by updating the list on our website. If you object to a new Subprocessor, you may terminate your account in accordance with the Terms of Service.

6. International Data Transfers

Your primary data is stored in the European Union. When transferring Personal Data outside the European Economic Area (EEA), Polyform ensures such transfers are made in compliance with applicable Data Protection Laws by relying on appropriate safeguards, including the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, as applicable.

7. Data Subject Rights

We shall assist you, to the extent reasonably possible, in fulfilling your obligations to respond to requests by Data Subjects to exercise their rights under the GDPR, including rights of access, rectification, erasure, restriction, data portability, and objection.

8. Security Measures

Polyform has implemented and maintains appropriate technical and organizational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:

Encryption of data in transit (TLS/HTTPS)
Encryption of data at rest
Access controls and authentication requirements
Regular security assessments
Automatic database backups

9. Personal Data Breach

In the event of a Personal Data breach affecting your Personal Data, Polyform will notify you without undue delay (and in any event within 72 hours of becoming aware of the breach) and provide all necessary information to enable you to comply with your breach notification obligations under applicable Data Protection Laws.

10. Audits

Upon reasonable request and subject to appropriate confidentiality obligations, Polyform will make available to you information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you.

11. Termination

Upon termination of the Principal Agreement, you may request deletion or return of your Personal Data processed by Polyform. We shall comply with such a request within 30 days unless otherwise required to retain the data under applicable law.

12. Governing Law

This DPA shall be governed by and construed in accordance with the laws of Sweden, consistent with the Principal Agreement.

13. Contact

For questions about this DPA, please contact us at hello@polyform.to.

By creating a Polyform account and accepting our Terms of Service, you also agree to the terms of this Data Processing Agreement.