Web3Forms, operated by Web3Creative
Version 1.0 · Last Updated: 13 Jul 2026
This Data Processing Agreement (the "DPA") forms part of, and is incorporated by reference into, the agreement between the Customer and Web3Creative governing the Customer's use of the Web3Forms service (the "Principal Agreement", being our Terms and Conditions). It reflects the parties' agreement on the Processing of Personal Data by Web3Creative on behalf of the Customer in connection with the Services.
By accepting this DPA — whether by clicking "I accept", checking a box referencing it, enabling the Services, or continuing to use the Services after being presented with it — the Customer agrees to be bound by its terms. The individual accepting represents that they are authorised to bind the Customer.
In this DPA, "Web3Creative" means Web3Creative, the operator of Web3Forms, acting as Processor; and "Customer" means the entity or person that has entered into the Principal Agreement, acting as Controller. Each is a "party" and together the "parties".
Capitalised terms not defined here have the meaning given in the Principal Agreement. For the purposes of this DPA:
"Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under this DPA, including, as applicable, the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018, and India's Digital Personal Data Protection Act, 2023.
"Controller, Processor, Data Subject, Personal Data, Processing, Personal Data Breach" have the meanings given in the GDPR, and "Process" and "Processed" are construed accordingly.
"Customer Personal Data" means Personal Data contained within form submissions, uploaded files, and related data that is submitted to, stored in, or otherwise Processed by the Services on the Customer's behalf.
"Sub-processor" means any third party engaged by Web3Creative to Process Customer Personal Data.
"Standard Contractual Clauses (SCCs)" means the clauses annexed to European Commission Implementing Decision (EU) 2021/914 for the transfer of Personal Data to third countries, and, where relevant, the UK International Data Transfer Addendum.
"Services" means the Web3Forms form-backend service and associated email delivery, file storage, and integration features.
The parties acknowledge that, with respect to Customer Personal Data, the Customer is the Controller and Web3Creative is the Processor. Where the Customer is itself a Processor acting on behalf of a third-party Controller, the Customer warrants that its instructions and actions have been authorised by that Controller.
Web3Creative shall Process Customer Personal Data only on documented instructions from the Customer, including as set out in this DPA and the Principal Agreement, and as necessary to provide the Services, unless required to do so by applicable law (in which case Web3Creative shall, where legally permitted, inform the Customer of that legal requirement before Processing).
The subject matter, duration, nature and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects are described in Annex 1 (Details of Processing).
The Customer is solely responsible for the accuracy, quality and legality of Customer Personal Data and for having a valid legal basis to Process it and to authorise Web3Creative's Processing of it under this DPA.
Web3Creative shall ensure that any person authorised to Process Customer Personal Data — including employees and contractors — is subject to an appropriate obligation of confidentiality, whether contractual or statutory, and Processes such data only as instructed.
Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, Web3Creative shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. A description of these measures is set out in Annex 2 (Technical and Organisational Measures).
The Customer acknowledges that security measures are subject to technical progress and may be updated from time to time, provided that any update does not materially reduce the overall level of security of the Services.
The Customer provides general authorisation for Web3Creative to engage Sub-processors to Process Customer Personal Data, subject to this Section. The Sub-processors engaged as at the effective date are listed in Annex 3.
Web3Creative shall impose data protection obligations on each Sub-processor that are, in substance, no less protective than those in this DPA, and shall remain liable to the Customer for the performance of each Sub-processor's obligations.
Web3Creative shall notify the Customer of any intended addition or replacement of a Sub-processor, giving the Customer a reasonable opportunity (of at least fourteen days) to object on reasonable data-protection grounds. If the Customer objects and the parties cannot resolve the objection, the Customer may terminate the affected Services as its sole remedy.
Taking into account the nature of the Processing, Web3Creative shall assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights under Data Protection Laws.
If Web3Creative receives a request directly from a Data Subject relating to Customer Personal Data, it shall, unless legally prohibited, promptly forward the request to the Customer and shall not respond to it directly except on the Customer's instructions.
Web3Creative shall provide reasonable assistance to the Customer with data protection impact assessments and prior consultations with supervisory authorities, in each case solely in relation to the Processing under this DPA and taking into account the information available to Web3Creative.
Web3Creative shall notify the Customer without undue delay, and in any event within seventy-two hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data.
Such notification shall include, to the extent then known, the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address it. Where full information is not available, it may be provided in phases without undue further delay.
Web3Creative's notification of, or response to, a Personal Data Breach shall not be construed as an acknowledgement of any fault or liability.
Customer Personal Data is retained in accordance with the data retention design of the Services, under which submission data is subject to a physical time-to-live of three years, with dashboard visibility governed by the Customer's plan.
On termination or expiry of the Principal Agreement, Web3Creative shall, at the Customer's choice, delete or return Customer Personal Data, and delete existing copies, unless applicable law requires continued storage. Deletion shall take effect within ninety days of termination, subject to routine backup cycles after which residual copies are overwritten in the ordinary course.
Web3Creative shall make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and Article 28 of the GDPR, which may be satisfied by providing documentation describing its technical and organisational measures and, where available, third-party certifications or audit reports of its infrastructure providers.
Where such information is insufficient, the Customer may, no more than once in any twelve-month period and on at least thirty days' prior written notice, request an audit limited to Web3Creative's Processing under this DPA. Audits shall be conducted during business hours, without unreasonable disruption, subject to confidentiality, and at the Customer's cost. This Section does not extend to the data centres or systems of Sub-processors, whose compliance is evidenced by their own certifications.
The Customer acknowledges that Web3Creative operates from India and that Customer Personal Data may be Processed in, or transferred to, jurisdictions outside the Customer's own, including through the infrastructure regions of its Sub-processors.
Where a transfer of Customer Personal Data from the European Economic Area, the United Kingdom, or Switzerland is subject to Data Protection Laws requiring a transfer mechanism, the Standard Contractual Clauses (together with the UK Addendum where applicable) are incorporated into this DPA by reference and apply to such transfers, with Web3Creative as "data importer" and the Customer as "data exporter". Where the SCCs offer a choice, the parties select the module corresponding to their respective roles under this DPA.
Each party's liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Principal Agreement, and any reference to a party's liability means the aggregate liability of that party under the Principal Agreement and this DPA together.
This DPA is governed by the same law and subject to the same jurisdiction and dispute-resolution provisions as the Principal Agreement, unless the Data Protection Laws require otherwise.
In the event of any conflict between this DPA and the Principal Agreement in relation to the Processing of Personal Data, this DPA prevails. In the event of a conflict between this DPA and the SCCs, the SCCs prevail.
If any provision of this DPA is held invalid or unenforceable, the remainder shall continue in full force and effect.
Web3Creative may update this DPA where required to reflect changes in Data Protection Laws, Sub-processors, or its security measures, provided such updates do not materially reduce the protections afforded to the Customer. The current version is made available through the Services.
The Processing of Customer Personal Data submitted through the Web3Forms Services for the duration of the Principal Agreement, plus the retention period described in Section 8.
Receiving, validating, storing, and forwarding web form submissions; delivering notification and autoresponse emails; storing uploaded file attachments; managing spam filtering, bounce and complaint handling; and enabling integrations selected by the Customer.
Determined by the Customer through the fields it configures in its forms. This may include, without limitation:
The Customer must not configure its forms to collect special categories of Personal Data (e.g., health, biometric, or financial account data) unless it has ensured an appropriate legal basis and additional safeguards; Web3Creative does not require such data to provide the Services.
Web3Creative maintains technical and organisational measures appropriate to the risk, including the following:
Web3Creative engages the following Sub-processors to Process Customer Personal Data as at the effective date of this DPA:
| Sub-processor | Purpose | Location / Region |
|---|---|---|
| Amazon Web Services, Inc. (AWS) | Cloud hosting, compute, email delivery (SES), queuing (SQS), database (DynamoDB), and object storage (S3) for submissions and file attachments | AWS regions as configured for the Services |
| Cloudflare, Inc. | Content delivery network, DNS, edge security, and web application firewall for submission endpoints | Global edge network |
| Hetzner Online GmbH | Self-hosted application infrastructure and supporting services | European Union (Germany / Finland) |
| CleanTalk Inc. | Cloud-based spam and abuse prevention; receives submitter IP address and email address to assess submissions | United States / global |
| Automattic Inc. (Akismet) | Spam filtering of form submissions; receives submitter IP address and email address | United States / global |
| SparrowDesk | Customer support helpdesk; processes personal data of individuals who contact support (name, email, message content) | As configured by the provider |
| Microsoft Corporation (Clarity) | Product analytics and session replay to diagnose usability issues; may capture on-screen interaction data | United States / global |
Self-hosted analytics. Web3Creative operates its own self-hosted analytics (Web3Analytics, powered by Umami) on the infrastructure listed above. No submission or analytics data is shared with an external analytics provider for this purpose.
Payment processing. Payments are handled by Paddle.com Market Limited, which acts as merchant of record and as an independent Controller of billing, tax, and fraud-prevention data, not as a Sub-processor of Web3Creative. Paddle's processing is governed by its own privacy policy and terms.
Customer-enabled integrations. Where the Customer enables optional integrations (for example, Google Sheets, Telegram, Discord, or Slack), Customer Personal Data is transmitted to the Customer's own accounts with those providers. Such providers act as the Customer's own processors or controllers, and are not Sub-processors of Web3Creative under this DPA. The Customer is responsible for its relationship with, and the terms governing, those providers.
An up-to-date list of Sub-processors is maintained by Web3Creative and made available on request or through the Services. Changes are notified in accordance with Section 5.
This DPA becomes binding when the Customer accepts it electronically — by clicking "I accept", checking a box referencing it, enabling the Services, or continuing to use the Services after being presented with it — as described above. Such acceptance has the same legal effect as a handwritten signature and no physical or electronic signature is required for this DPA to take effect. Where the Customer's jurisdiction, internal policy, or procurement process requires a signed counterpart, please contact us at [email protected].
Create your contact form for static website in minutes.
Create your FormGet started for free