Effective Date: September 26, 2025
For processing to deliver the Service, Customer is the Controller and Formwatch is the Processor/Service Provider. For improvement activities described in Terms §5.3–5.4, Formwatch acts as an independent Controller for internal product improvement using de‑identified/aggregated data where feasible.
We process Customer Personal Data ("CPD") only per Customer's documented instructions: ingest, classify, store, display, deliver outcomes, provide support, secure/maintain the Service, and meet legal obligations.
For Processor activities, we: (a) will not sell or share CPD; (b) will not use CPD for cross‑context behavioral advertising; (c) will not retain, use, or disclose CPD outside the direct business relationship, except as permitted by law (e.g., security, debugging, short‑term transient use). We certify our compliance with these restrictions.
We may use subprocessors listed in Schedule D and will impose data protection obligations no less protective than this DPA. We remain responsible for subprocessors.
We implement the technical/organizational measures in Schedule C (see below).
We will provide reasonable assistance with data subject requests, security incidents, and DPIAs as required by law.
Where CPD is transferred outside the EEA/UK/CH, the parties incorporate the EU Standard Contractual Clauses (Controller→Processor, Module 2) and the UK Addendum. Annexes below contain details.
Upon reasonable written request, we will make available information necessary to demonstrate compliance (e.g., policy summaries, third‑party reports) and allow audits once per 12 months, subject to confidentiality and reasonable limits.
Upon termination or upon request, we will delete CPD from active systems within a commercially reasonable time, subject to legal obligations and backups. Model artifacts and de‑identified aggregates created for improvement are retained.
Data subjects: website visitors, lead submitters, Customer personnel.
Categories of CPD: name, email, phone, title, company, message text, IP/geolocation, form platform/ID, domain verification records, ICP settings, timestamps, logs.
Special categories: not permitted.
Purposes: provide/support/secure the Service; comply with law.
Frequency: continuous.
Duration/Retention: as in Terms §5.6 and Privacy Policy.
Data location: primarily U.S.; transfers per §7.
Encryption in transit (TLS 1.2+) and at rest; RBAC; MFA for admin; least‑privilege production access; audit logging/monitoring; vulnerability management; secure SDLC; backups with RPO ≤ 24h; incident response with initial notice within 72 hours of confirming a breach likely to pose risk.
See Schedule D.
Last updated: September 26, 2025
Questions? Contact us at hello@formwatch.ai
Legal matters: legal@formwatch.ai