Overview
MachForm is compliant with the EU General Data Protection Regulation (GDPR). Our platform is capable of conducting business with all EU-based customers since the GDPR deadline, May 25th, 2018.
The GDPR is intended to strengthen individuals’ rights and unify data protection rules across the EU through stricter personal data handling requirements and higher fines for non-compliance. The GDPR applies the processing of data subjects’ personal data by any size of EU or non-EU organization that provides goods or services to the EU or monitors EU users’ behavior.
GDPR FAQ
What is GDPR?
In 2016, the European Commission approved and adopted the new General Data Protection Regulation (GDPR). GDPR is a significant change in data protection regulation in the EU and it will come into effect on May 25, 2018.
Who does the GDPR apply to?
The GDPR applies to all entities and individuals based in the EU and to entities and individuals, whether or not based in the EU, that process the personal data of EU individuals.
I’m using MachForm Cloud, what do I need to do?
In relation to your use of MachForm Cloud, you need to be clear and transparent with your clients about your use of a third party processor (MachForm Cloud) to collect their personal data. Transparency is key under GDPR.
What’s the best way to inform my clients that I use MachForm Cloud?
You can update your website privacy notice. Under the GDPR, you’re only required to say that you’re using an externally hosted third party to enable you to provide your service, rather than name MachForm specifically.
As an example, you could add some wording like this to your website privacy notice: “We uses an externally hosted third party to manage and administer your data.”
I’m using MachForm Self-Hosted, what do I need to do?
When you use MachForm Self-Hosted, you’ll be the data processor and the data controller.
You’ll need to make sure to secure your MachForm database server and manage the data according to the GDPR.
You can go to your Settings page and review your Data Retention policy.
You can also read our guide on how to delete data permanently.
Is MachForm GDPR-ready?
Yes. We’ve taken various steps to ensure that we’re ready and compliant. We have reviewed our products and services, customer terms, privacy notices and arrangements with third parties for compliance with the GDPR.
For example, we’ve updated the Privacy Policy on our website and all related backend operations to cover the new regulations. We added new feature to let you control your form data retention. We also offer GDPR compliant DPA (Data Processing Addendum) for our customers that we’ll sign and become legally binding.
Is there any difference between MachForm Self-Hosted and MachForm Cloud regarding GDPR?
Yes, there is a major difference.
MachForm Self-Hosted stores all the data completely on your own server and it doesn’t go through our server. Thus GDPR compliance will be fully your own responsibility.
MachForm Cloud stores all the data on our datacenter. Thus GDPR compliance will be a shared responsibility between you and us.
Where is the location of MachForm Cloud servers?
MachForm Cloud data centers are located in Virginia (US) and Frankfurt (Germany, EU). All data remains in-region, so EU data always resides in the EU zone and vice versa. More details.
What is MachForm Cloud data retention policy?
We retain all your form data for as long as your account is active. When you terminate or cancelled your cloud subscription, all your form data will be automatically deleted within 30 days.
Do you offer Data Processing Addendum?
Yes, we offer Data Processing Addendum (DPA) for our customers that qualify as data controller under the GDPR. Our DPA contains contractual terms that meet GDPR requirements and that reflect our data privacy and security commitments to our clients.