​​

How this Data Processing Agreement applies 

​

This Data Processing Agreement (“DPA”) forms part of your Agreement with Formly  Ltd and contains certain terms relating to data protection, privacy, and security in  accordance with the Data Protection Legislation, where applicable. In the event (and  to the extent only) that there is a conflict between the different Data Protection  Legislation laws and regulations, the parties shall comply with the more onerous  requirement or higher standard which shall, in the event of a dispute in that regard,  be determined solely by Formly Ltd. 

​

This Data Processing Agreement entered into between you (“Customers”) and  Formly Ltd (the “Formly”, “Company”, “we”, or “us”) regulates the particularities of  data processing in connection with your use of both the platform accessible through  the “getformly.com” and “getformly.app” domain names (the “Site”) and the services  we may offer through the Site from time to time, consisting in ‘Formly’ forms and  other services (indistinctly referred to as the “Services”).  

​

Please, note that ‘Data controller’, ‘data processor’, ‘data subject’, ‘personal data’,  ‘processing’ will have the meaning set forth in the GDPR or in any other applicable  European data protection law. 'GDPR' shall be understood as (i) the Regulation (EU)  2016/679, on the protection of natural persons with regard to the processing of  personal data and on the free movement of such data; (ii) the GDPR as it forms part  of UK law by virtue of section 3 of the UK European Union (Withdrawal) Act 2018  and the UK Data Protection Act 2018 (together, “UK Data Protection Laws”); (iii) any  future laws that may amend them or complement them in the future. 

​

For clarification purposes, under this DPA (i) the processing of data regulated  hereunder shall take place for as long as there is a service agreement in place  between you and we, or until you decide to terminate said agreement; (ii) the nature  and purposes of the processing shall be the collection, saving, organization, hosting,  and deletion of data, as well as making it available to you upon your request; and (iii)  the types of personal data and the categories of data subjects that are likely to be 

used in our product are name, surname, email address, telephone number, other ID  details belonging to employees, candidates, prospects, and clients. 

​

1. Processing of data 

We will process any personal data we may have access to because of the provision  of the Services in accordance with the documented instructions provided by you from  time to time. Should a Union or Member State law to which we are subject requires  us to process personal data —including the international transfer of personal data—,  we will inform you of that legal requirement before processing, unless that law  prohibits such information on important grounds of public interest. 

Should we have reasonable grounds to believe that a documented instruction given  by you infringes the GDPR or any other applicable EU data protection law or regulation, we will put said instruction on hold and immediately notify you. At your  sole risk and without us being responsible or liable to you for any losses, you will be  entitled to order us to perform any such instruction despite the concerns raised by  us, as long as you reconfirm your instruction in writing. 

For purposes of this DPA, it will be understood that a ‘documented instruction’  includes, without limitation, (i) any instruction delivered by you by means of any  durable media, such as a letter or email; (ii) any instruction electronically sent by you  when using the software provided as part of the Services (i.e. by using the interface  part of the software and the features made available through it); or (iii) the provisions  of the DPA. 

For clarification purposes and given your position of data controller, you warrant and  represent that you will timely and sufficiently perform your obligations under the  applicable privacy laws, such as inform data subjects (e. g. respondents to the  forms, etc.) and obtain their consent (where appropriate). This enumeration is for  illustration purposes only, in the sense that you will still be required to satisfy the  obligations you are subject under the GDPR, such as making sure, in general, that  the processing satisfies the requirements of the GDPR, you have the right and  obligation to decide about the purpose and means of said processing, or making  sure that there is a legal basis for the processing.

​

2. Confidentiality duty 

We will ensure that all employees authorized to process personal data have  committed to confidentiality or are under an appropriate statutory obligation of  confidentiality. 

​

3. Sub-processors 

Sub-processing. Customer provides a general authorization to Formly to engage  onward sub-processors, subject to compliance with the requirements in this Section  3. 

Sub-processor List. Formly will, subject to the confidentiality provisions of the  Agreement or otherwise imposed by Formly: 

(a) make available to Customer a list of the Formly subcontractors who are involved  in processing or sub-processing Customer Personal Data in connection with the  provision of the Services (“Sub-processors”), together with a description of the  nature of services provided by each Sub-processor (“Sub-processor List”). A copy of  this Sub-processor List may be requested at support@getformly.com 

(b) ensure that all Sub-processors on the Sub-processor List are bound by  contractual terms that are in all material respects no less onerous than those  contained in this DPA; and 

(c) be liable for the acts and omissions of its Sub-processors to the same extent  Formly would be liable if performing the services of each of those Sub-processors  directly under the terms of this DPA, except as otherwise set forth in the Agreement. 

New / Replacement Sub-processors. Formly will provide Customer with written  notice of the addition of any new Sub-processor or replacement of an existing Sub processor at any time during the term of the Agreement (“New Sub-processor  Notice”). The Customer will sign up to a mailing list made available by Formly 

through which such notices will be delivered by email. If Customer has a reasonable  basis to object to Formly’s use of a new or replacement Sub-processor, Customer  will notify Formly promptly in writing and in any event within 30 days after receipt of a  New Sub-processor Notice. In the event of such reasonable objection, either  Customer or Formly may terminate the portion of any Agreement relating to the  Services that cannot be reasonably provided without the objected-to new Sub processor (which may, at Formly's discretion and election, involve termination of the  entire Agreement) with immediate effect by providing written notice to the other  party. Such termination will be without a right of refund for any fees prepaid by Customer for the period following termination. 

​

4. Data subjects’ rights 

Taking into account the nature of the processing, we will assist you by appropriate  technical and organizational measures, insofar as this is possible, for the fulfilment of  your obligation to respond to requests for exercising the data subject's rights, if  applicable. For the avoidance of doubt, we will send to you any request data subjects  may address directly to us together with all relevant information, if any, so that you  can formally contact and answer to data subjects. 

​

5. Security measures 

We implement appropriate technical and organizational measures to ensure a level  of security appropriate to the risk. Taking into account the nature of processing and  the information available to us, we will reasonably assist you in compliance with the  security obligations set forth by Article 32 of the GDPR. 

​

6. Assistance and data breaches 

In addition to the duty set forth in Section 5 above, we will also provide, subject to  the nature of processing and information available to us, assistance in complying  with obligations set forth in Articles 32 to 36 of the GDPR, if applicable. 

With respect to data breaches, we will notify you without undue delay upon we 

becoming aware of a personal data breach affecting personal data and, in any event,  within the deadlines set forth under the GDPR. We will provide you with sufficient  information to allow it to meet any obligations to report or inform competent  authorities or data subjects. We will reasonably cooperate with you and take such  reasonable commercial steps as are directed by you to assist in the investigation,  mitigation and remediation of each such data breach. For the avoidance of doubt,  you will be the only Party responsible for both filing any reports required under  applicable law and notifying data subjects, and you will defend, indemnify and hold  us harmless of any and all costs (including attorney’s fines), fines or sanctions, or  any damages that lack of action on your side may cause. 

​

7. Termination 

You will decide whether you want us to delete or return personal data, unless Union  or Member State law requires storage of the personal data. To this end, you  acknowledge that deletion of the account provided as part of the Services will always  result in deletion of personal data, and its request to delete the account will be  understood as a request to delete data under this Section 7. 

Cancelling your paid subscription shall not result in a termination of the Services  and, therefore, a termination of this DPA. You will still be able to keep using our  Services under a free plan, but some of the functionalities offered to you may not be  fully available. This includes the ability to access and download pre-collected  responses - for clarification purposes, you will still be able to ask us to download and  send you a copy of these responses and we will perform this action as soon as  possible and, in any event, within fifteen (15) days. 

​

8. Audit rights 

Where Formly is processing Customer Personal Data for Customer as a processor (only), the Customer will provide Formly with at least one month's prior written notice  of any audit, which may be conducted by Customer or an independent auditor  appointed by Customer (provided that no person conducting the audit shall be, or 

shall act on behalf of, a competitor of Formly) (“Auditor”). The scope of an audit will  be as follows: 

(a) Customer will only be entitled to conduct an audit once per subscription year  unless otherwise legally compelled or required by a regulator with established  authority over the Customer to perform or facilitate the performance of more than 1  audit in that same year (in which circumstances Customer and Formly will, in  advance of any such audits, agree upon a reasonable reimbursement rate for  Formly’s audit expenses). 

(b) Formly agrees, subject to any appropriate and reasonable confidentiality  restrictions, to provide evidence of any certifications and compliance standards it  maintains. 

(c) The scope of an audit will be limited to Formly systems, processes, and documentation relevant to the processing and protection of Customer Personal Data,  and Auditors will conduct audits subject to any appropriate and reasonable  confidentiality restrictions requested by Formly. 

(d) Customer will promptly notify and provide Formly on a confidential basis with full details regarding any perceived non-compliance or security concerns discovered  during the course of an audit. 

The parties agree that, except as otherwise required by order or other binding  decree of a supervisory authority or regulator with authority over the Customer, this  Section 8 sets out the entire scope of the Customer’s audit rights as against Formly. 

​

9. International transfer of personal data 

In the event that the you are neither subject to the GDPR, nor located in the EEA,  nor the transfer can be legally performed in accordance with the GDPR (because  such transfer falls under an adequacy decision passed by the European Commission  or can be otherwise performed under the GDPR on the basis of BCR, a certification  mechanism or under a legally binding instrument), you and us enter into the standard  contractual clauses (SCCs), as a mechanism to ensure the adequate protection of  personal data being transferred outside the EEA.

You authorize to the transfer of data to the sub-processors listed in Section 3 above,  it being understood that any such transfer will be performed to the extent that we  enter into a written contract with the sub-processors setting forth the obligations to  be implemented by the sub-processors in respect of the transfer of data and you  have the right to oppose any future changes or amendments of the sub-processors  by following the same steps mentioned in Section 3 above. Should you exercise any  such right, we will be entitled to early terminate the contractual relationship set forth  for the provision of the Services.  

​

10. General Provisions 

Liability for data processing. Each party's aggregate liability for any and all claims  whether in contract, tort (including negligence), breach of statutory duty, or otherwise  arising out of or in connection with this DPA shall be as set out in the Agreement,  unless otherwise agreed in writing by the parties. 

​

Conflict. In the case of conflict or ambiguity between: (i) the terms of this DPA and  the terms of the Agreement, with respect to the subject matter of this DPA, the terms  of this DPA shall prevail; (ii) the terms of any provision contained in this DPA and  any provision contained in the Standard Contractual Clauses, the provision in the  Standard Contractual Clauses shall prevail. 

Independent Processing. Customer remains exclusively liable for its own compliance  with Data Protection Legislation with respect to any independent collection and  processing of personal data unrelated to the Services. Customer will provide its own  clear and conspicuous privacy notices that accurately describe how it does this and  Formly will not be liable for any treatment of personal data by Customer in those  circumstances. Customer hereby indemnifies Formly in full for any and all claims or  liability arising as a result of such collection and use of personal data by it in those  circumstances.

​

Entire Agreement. The Agreement (which incorporates this DPA) and any Order  Form represent the entire agreement between the parties and it supersedes any  other prior or contemporaneous agreements or terms and conditions, written or oral,  concerning its subject matter. Each of the parties confirms that it has not relied upon any representations not recorded in the Agreement inducing it to enter into the  Agreement. 

 

Severance. If any provision of this DPA is determined to be unenforceable by a court  of competent jurisdiction, that provision will be severed and the remainder of terms  will remain in full effect. Nothing in this DPA is intended to, or shall be deemed to,  establish any partnership or joint venture between any of the parties, nor authorize  any part to may or enter into any commitments for or on behalf of any other party  except as expressly provided herein. 

​

Governing Law. This DPA shall be governed by the laws of United Kingdom (UK)  and the parties submit to the exclusive jurisdiction of the UK courts in relation to all  contractual and non-contractual disputes. 

​

Formly may amend this Agreement at any time and is expressly committed to ensuring that any amendment complies with applicable ethical principles and legislation (including the Regulation). Amendments will be effective thirty (30) days following their publication through a written notification. Following this period, the Customer will be considered to have tacitly accepted the changes. The most recent version of this Agreement will always be available on Formly website for easy access and review.

​​
 

.