splitforms GDPR compliance — form backend data protection.
Plain-English coverage of the controller/processor split, the eight data subject rights, our sub-processors, and how to request a Data Processing Agreement. Updated as the platform evolves.
Last reviewed: May 9, 2026
splitforms helps you meet GDPR for the form submissions you collect. You are the data controller (you choose what to ask and why); splitforms is the data processor (we store and deliver what you collect, on your instructions). We support all eight data subject rights, list our sub-processors below, and provide a Data Processing Agreement on request.
Roles — controller vs processor
GDPR splits responsibility for personal data between two roles, and developers building forms often conflate them. Here's how it works on splitforms:
You, the data controller:
- Decide what data your form asks for and why.
- Establish a lawful basis (consent, legitimate interest, contract...).
- Communicate with the data subjects when they exercise rights.
- Maintain your own privacy policy on your site.
splitforms, the data processor:
- Store and deliver submissions on your instructions.
- Apply the security controls described on /security.
- Support data subject rights via dashboard tooling.
- Notify you of any breach within 72 hours.
One practical consequence: if a form submitter emails hello@splitforms.com asking us to delete their data, we can't do that without identifying which form they submitted to — we'll route the request to you, the form owner, who has the context to act.
What data is collected on a submission
When someone POSTs to your form, splitforms persists exactly this set of fields and nothing else:
We do not enrich submissions with third-party data, do not run analytics on submission contents, and do not share them with anyone other than you (the form owner) and the sub-processors listed below.
Lawful basis for processing
Under GDPR, every act of processing personal data needs one of six lawful bases (Art. 6). For form submissions handled through splitforms, the relevant ones are usually:
- Consent — newsletter sign-ups, marketing opt-ins, surveys. The submitter freely says "yes, you may contact me."
- Legitimate interest — contact forms, lead forms, sales inquiries. The submitter is reaching out to you for a clear, expected purpose.
- Contract — quote requests, service applications. Processing is necessary to take steps at the request of the data subject prior to entering into a contract.
Capturing the basis is your responsibility as controller — usually a short note in your form's privacy text plus, where consent applies, a checkbox the submitter ticks themselves. splitforms doesn't inject consent text on your behalf.
The eight data subject rights — and how to action each
GDPR grants data subjects (the people who fill out your forms) a defined set of rights. Here's how each one maps onto splitforms tooling:
1. Right of access (Art. 15)
Form owners can view all submissions in the splitforms dashboard and export them as CSV at any time. End-users (form submitters) should request access from the form owner — splitforms doesn't know which submission belongs to which natural person without that context.
2. Right to rectification (Art. 16)
Form owners can edit submission rows from the dashboard or contact hello@splitforms.com to correct stored data. End-users should contact the site that operates the form.
3. Right to erasure (Art. 17)
Form owners can delete individual submissions from the dashboard, or delete their entire splitforms account, which cascades and removes every form, submission, webhook, and uploaded file.
4. Right to restriction of processing (Art. 18)
Form owners can pause a form (`is_active = false`) so it no longer accepts submissions while review is in progress. The existing submission rows stay untouched until you choose what to do with them.
5. Right to data portability (Art. 20)
Form owners can export any form's submissions as a CSV file from the dashboard. The export contains all original fields, IP, user-agent, referer, and timestamp — a structured, machine-readable format.
6. Right to object (Art. 21)
Delete the relevant submission(s) from the dashboard. For account-level objections (e.g. you no longer want splitforms processing for any of your forms), delete your account.
7. Rights related to automated decision-making (Art. 22)
Not applicable. splitforms does not perform automated decision-making or profiling on form submitters. The optional AI spam classifier flags spam vs not-spam for the form owner's review; it does not produce legal effects on the submitter.
8. Right to withdraw consent (Art. 7)
Consent for the underlying form (e.g. newsletter sign-up) is captured by the form owner, not splitforms. As the data controller, you remain responsible for offering withdrawal mechanisms (e.g. an unsubscribe link). On the splitforms side, deleting the submission removes our copy.
Data Processing Agreement (DPA)
We offer a standard DPA for any splitforms customer that needs one for their own GDPR obligations — typical for agencies handling EU client data, B2B SaaS reselling forms, and anyone whose own privacy programme requires a written processor contract.
The DPA covers: processor obligations under Art. 28, sub-processor list (matching the table below), breach notification timelines, data subject rights flow-through, audit rights, and Standard Contractual Clauses for any transfer outside the EU.
To request: hello@splitforms.com with subject "DPA".
Sub-processors
We use a small set of named sub-processors to operate the service. We update this list when it changes, with notice sent to active accounts before any new sub-processor is engaged.
Data location
Today the default region is the United States. Submissions, profiles, and uploaded files all live on Supabase Postgres and Storage in AWS US regions. Vercel compute runs at edge and US Lambda regions. AWS SES sends from US infrastructure.
Planned: EU data residency. A Supabase EU-resident project for splitforms is on the roadmap. We'll list the exact region and migration steps on this page the day it goes live. Until then, EU customers can rely on the SCCs documented in our DPA for cross-border transfers.
Data breach notification
If splitforms becomes aware of a personal data breach affecting your data, we will notify you within 72 hours of becoming aware, in line with Art. 33 GDPR. The notice will include: the nature of the breach, the categories and approximate volumes of data affected, the likely consequences, and the measures we have taken or propose to take to address it.
Notification goes to the email on your splitforms account, so please keep that address current.
International transfers
Where personal data is transferred outside the EEA, UK, or Switzerland, splitforms relies on the European Commission's Standard Contractual Clauses (SCCs) as the transfer mechanism, alongside our sub-processors' own adequacy decisions and Data Privacy Framework participation where applicable.
We do not currently rely on Binding Corporate Rules — we don't have the multi-entity structure that BCRs are designed for. SCCs are the right tool for a small, single-entity SaaS.
Retention
Submissions are retained for the lifetime of your account. There is no automated expiry policy — many customers want a permanent CRM of their leads. You stay in control:
- Per-submission delete from the dashboard at any time.
- CSV export from the dashboard, so you can keep your own archive offsite.
- Account deletion cascades through Postgres foreign keys and removes every form, submission, webhook, uploaded file, and profile row. Backups rotate within 30 days.
For a custom retention policy (e.g. auto-delete submissions older than 90 days), email hello@splitforms.com.
Cookies
splitforms.com uses essential cookies only — an HttpOnly, SameSite=Lax session cookie issued by Supabase Auth so you stay signed into the dashboard. We do not run marketing cookies, advertising pixels, session-replay scripts, or third-party analytics on the dashboard.
Cookies on your site are your responsibility. The splitforms POST endpoint at /api/submit doesn't set cookies in your visitors' browsers — it's a stateless API call.
Frequently asked questions
Are you GDPR compliant?
splitforms supports GDPR for the form submissions you collect through us. You are the data controller (you decide what to ask, why, and on what legal basis); splitforms is the data processor (we store and deliver what you collect). We provide tooling for the eight data subject rights, a Data Processing Agreement on request, and a documented sub-processor list.
Where is my data hosted?
Today, all production data lives in US regions: Supabase Postgres on AWS US, Vercel compute (US edge + Lambda), AWS SES (US), Cloudflare DNS (global). An EU-resident Supabase project is on the roadmap and not yet live — we'll list it on this page the day it ships.
Can I get a Data Processing Agreement (DPA)?
Yes. Email hello@splitforms.com with subject "DPA" and we'll send our standard processor DPA. It covers processor obligations under Art. 28, sub-processor list, breach notification timelines, data subject rights, and Standard Contractual Clauses for international transfers.
Are you CCPA compliant?
Yes for the data we hold about you as a splitforms account holder — you can access, export, or delete it from the dashboard, and we don't sell personal information. CCPA and GDPR overlap heavily on the user-facing controls, so the same dashboard tooling covers both.
Can I use splitforms to collect children's data?
splitforms doesn't impose its own age gate, but you (as the data controller) are responsible for complying with the children's-data rules in your jurisdiction (GDPR-K, COPPA, etc.). If you're collecting from under-13s in the US or under-16s in some EU member states, you must capture verifiable parental consent before submission — splitforms will not do that for you.
Do you pseudonymise or anonymise submissions?
No — submissions are stored as you receive them, because most customers want the original lead data intact. If you need pseudonymisation (e.g. hashing emails before storage) for a particular use case, build that into your form's client-side code before the POST. The optional AI spam classifier processes the submission body but does not produce a stored profile of the submitter.
How long is data kept?
We retain submissions for the lifetime of your account. There is no automated expiry — many customers want a permanent CRM of their leads. Account deletion cascades to remove every related row within Postgres immediately, with backups rotated within 30 days. You can also delete individual submissions from the dashboard at any time.
Do you transfer data outside the EU?
Today, yes — our default region is the US, so EU-originated submissions are transferred to US sub-processors (Vercel, Supabase/AWS, SES). We rely on the European Commission's Standard Contractual Clauses (SCCs) where required, alongside our sub-processors' own SCCs and adequacy mechanisms. An EU-resident option is planned to remove the transfer for customers who need data residency.
A form backend that takes GDPR seriously.
DPA on request, named sub-processors, all eight rights actionable from your dashboard. Free for 1,000 submissions per month — no credit card.