Workflow · DPOs, compliance teams, EU founders, regulated industries

GDPR-compliant contact form, hosted in the EU, no DPA negotiations required.

Formspring collects, filters, routes, and retains every submission. Developers still get one endpoint, signed webhooks, API access, and the examples below.

  1. Capture: visitor · website form
  2. Filter: Formspring · spam + honeypot
  3. Route: Formspring · integrations + webhooks
  4. Notify: team · email · Slack · CRM
  5. Retain: Formspring · retention rule

Owner: DPOs, compliance teams, EU founders, regulated industries

Handoff: EU visitor -> EU-hosted form -> per-form retention -> queued erasure

Retention: Per-form rule · GDPR-friendly · EU-hosted

What this workflow fixes

From paper-cut to plumbing.

Pain on the left, what changes on the right.

Lost or delayed submissions -> Persistent inbox, signed webhooks, retries
Spam and low-quality responses -> Honeypot + hCaptcha + AI moderation
Manual forwarding and copy-paste -> Route to Slack, Sheets, Notion, CRM, webhook
Unsafe file attachments -> Encrypted storage, time-limited signed links
Unclear GDPR retention -> Per-form retention rule with auto-cleanup
Scattered inboxes and handoffs -> One destination per team, audit trail

Most form backends were built in San Francisco and bolted on a DPA template years later. Formspring was built in Germany, runs on EU-resident infrastructure, and treats lawful basis, retention, and erasure as first-class form settings rather than legal copy. If your DPO has ever asked "where exactly is this data stored?" and the answer involved a 40-page transfer impact assessment, this page is for you.

This is the same backend powering forms on regulated European sites - public sector, healthcare-adjacent, EU SaaS - where Schrems II is a daily reality rather than a footnote. The list of GDPR-relevant controls below is what you actually get out of the box, not what's promised in a sales call.

Technical implementation

<!-- 1. Create form in dashboard, enable EU-hosted storage -->
<!-- 2. Add the consent checkbox - audit-log row written on submit -->
<!-- 3. Set per-form retention policy (default 30d on Free) -->
<form action="https://formspring.io/f/abc123" method="POST">
  <input name="name" required>
  <input type="email" name="email" required>
  <textarea name="message" required></textarea>

  <label>
    <input type="checkbox" name="consent" value="granted" required>
    I consent to Formspring processing this message under their
    <a href="/legal/privacy">privacy policy</a>. (GDPR Art. 6(1)(a))
  </label>

  <button>Send</button>
</form>

The compliance pillars, at a glance

Every GDPR question a procurement team or DPO will ask, with the Formspring answer in the same row. No "contact us for details," no "available on enterprise."

Pillar · What Formspring provides

Data residency: Submissions, files, backups, and logs stored exclusively in EU data centres in Germany and Finland. No US replicas, no CDN egress to non-EEA regions.
Signed DPA: A pre-signed Data Processing Agreement under GDPR Art. 28 is available on every paid plan. Download it, counter-sign, attach to your records. No legal negotiation required for the standard template.
Lawful-basis options: Per-form selection of consent (Art. 6(1)(a)), contract necessity (Art. 6(1)(b)), or legitimate interest (Art. 6(1)(f)). The choice is stamped on each submission for your audit trail.
Retention controls: Per-form retention rules. Default 30 days on Free, unlimited on paid with explicit choice. Submissions are deleted via queued job after the rule fires; deletion is logged.
Right to erasure: One-click erasure from the dashboard plus a public erasure request endpoint for data subjects. Deletion fans out to integrations and webhook destinations via queued jobs.
Consent capture: Built-in consent checkbox field type. Each submission writes an audit-log row with timestamp, hashed IP, and the exact consent text shown to the visitor.
Sub-processors disclosure: Public sub-processors page, versioned and dated. Email subscription for 30-day advance notice of any addition or change.
Encryption: TLS 1.3 in transit, AES-256 at rest. File uploads land in private S3-compatible storage with signed, time-limited download URLs only.
Audit log: Submission-level audit log: who viewed, who exported, who deleted, when. Retained for the life of the form plus 90 days.

The matrix is intentionally short. If your DPO has more questions, the answer is almost always "yes, here is the page" rather than "let me check."

What GDPR actually requires - article by article

Most "GDPR-compliant" claims gloss over which articles they're talking about. Here are the five that govern a contact form, with the Formspring control that maps to each.

Art. 6 - Lawful basis for processing. Every processing operation needs one of six lawful bases. For contact forms it's almost always (a) consent or (b) contract necessity. Formspring lets you pick per form and records the choice on every submission, so your audit trail shows lawful basis at the row level rather than at the policy level. Full text: https://eur-lex.europa.eu/eli/reg/2016/679/oj.

Art. 13 - Transparency at collection. You must tell the data subject who you are, why you're processing, retention period, their rights, and how to contact your DPO - at the moment of collection. Formspring forms render a configurable transparency notice block above the submit button, with a link to your privacy policy. The notice is part of the form payload, so a screenshot at the time of submission is reproducible.

Art. 17 - Right to erasure. The data subject can ask you to delete their data, and you have one month. Formspring exposes a one-click erasure flow in the dashboard plus a public erasure endpoint that any data subject can use without going through your support team. Deletion is queued, cascades to file storage and integration destinations, and writes an audit-log row that you can show the regulator. Full text: https://gdpr-info.eu/art-17-gdpr/.

Art. 28 - Processor agreement. If anyone else processes personal data on your behalf, you need a contract with them that meets Art. 28's mandatory clauses. Formspring's DPA is built on the EDPB-approved template, includes Standard Contractual Clauses where required, and is pre-signed by us. You download it, counter-sign it, file it. No tickets, no legal review cycle. Full text: https://gdpr-info.eu/art-28-gdpr/.

Art. 32 - Security of processing. Appropriate technical and organisational measures. That's TLS 1.3 in transit, AES-256 at rest, access logging, regular pen-tests, principle of least privilege on operator accounts, encrypted off-site backups in the same EU region, and a published incident response process with a 72-hour breach notification commitment.

Implementation - three steps

The dashboard does the heavy lifting. The form itself is plain HTML with a consent field.

  1. Create the form. New form in the dashboard, pick the GDPR contact template. EU-hosted storage is the default and cannot be toggled off on a per-form basis - the workspace's data residency is set at signup and is enforced at the infrastructure layer.

  2. Add the consent field. Drop in the built-in consent field type. It renders a checkbox with your configurable consent text, marks the submission's lawful basis as consent, and writes an audit-log row capturing timestamp, hashed IP, and the exact text shown. If you prefer contract necessity or legitimate interest, change the lawful basis dropdown and the consent field becomes optional.

  3. Set the retention policy. Per-form rule, default 30 days on Free. On paid plans you choose: 7 days, 30 days, 90 days, 1 year, or indefinite (with explicit acknowledgement that retention should match your published privacy policy). The deletion job runs nightly and writes an audit-log row when it fires.

That's it. No DPA addendum, no Schrems II transfer impact assessment, no fighting with a US vendor's EU-region toggle that might fall back to us-east-1 on failover.
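As an added illustration, not Formspring's own code, here is a constructed Python model of the retention semantics the three steps above describe: a nightly sweep that applies each form's rule, falls back to the 30-day Free default, never sweeps "indefinite" forms, removes the attached uploads together with the submission, and writes one audit row per deletion. All submission ids, form ids and file keys are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Retention choices the page lists per form; None means "indefinite" (never swept).
RETENTION_DAYS = {"7d": 7, "30d": 30, "90d": 90, "1y": 365, "indefinite": None}
FREE_DEFAULT = "30d"  # default rule on the Free plan, per the page

@dataclass
class Submission:
    id: str
    form_id: str
    received_at: datetime
    file_keys: list = field(default_factory=list)  # object-storage keys of uploads

def retention_cutoff(rule, now):
    """Timestamp before which a submission has exceeded the rule; None if indefinite."""
    if rule not in RETENTION_DAYS:
        raise ValueError(f"unknown retention rule: {rule}")
    days = RETENTION_DAYS[rule]
    return None if days is None else now - timedelta(days=days)

def nightly_sweep(submissions, form_rules, now):
    """Select submissions older than their form's rule; return ids, file keys and audit rows.
    File keys are returned because the same rule deletes the attached uploads."""
    ids, files, audit = [], [], []
    for s in submissions:
        rule = form_rules.get(s.form_id, FREE_DEFAULT)
        cutoff = retention_cutoff(rule, now)
        if cutoff is None or s.received_at >= cutoff:  # indefinite, or not yet past the age
            continue
        ids.append(s.id)
        files.extend(s.file_keys)
        audit.append({"event": "retention_delete", "submission": s.id,
                      "form": s.form_id, "rule": rule, "at": now.isoformat()})
    return ids, files, audit

# Constructed sample: a sweep at 02:00 UTC over four submissions on three forms.
NOW = datetime(2024, 6, 1, 2, 0, tzinfo=timezone.utc)
SAMPLE = [
    Submission("s1", "contact", NOW - timedelta(days=31), ["uploads/s1/cv.pdf"]),
    Submission("s2", "contact", NOW - timedelta(days=29)),
    Submission("s3", "support", NOW - timedelta(days=400)),
    Submission("s4", "careers", NOW - timedelta(days=8), ["uploads/s4/brief.pdf"]),
]
RULES = {"support": "indefinite", "careers": "7d"}  # "contact" falls back to FREE_DEFAULT

def run_sample():
    return nightly_sweep(SAMPLE, RULES, NOW)
```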

Formspring vs the usual alternatives

The honest comparison. Each row picks the one thing a DPO will actually care about.

Formspring
  Data residency: EU-only (DE + FI), no replicas outside EEA
  DPA status: Pre-signed Art. 28 DPA on every paid plan
  Transfer mechanism: None - data never leaves the EEA

Google Forms (Workspace)
  Data residency: US. Workspace defaults to US; EU storage available on Enterprise tiers; Workspace data has crossed the Atlantic historically
  DPA status: DPA available via Workspace terms
  Transfer mechanism: Standard Contractual Clauses + Data Privacy Framework certification

Typeform
  Data residency: Ireland data centre (AWS eu-west-1); responses may transit US-based services for analytics and ML features
  DPA status: DPA available
  Transfer mechanism: SCCs for any US-routed processing

US-hosted form backends (generic)
  Data residency: US primary storage
  DPA status: DPA usually available; quality varies
  Transfer mechanism: SCCs + DPF; Schrems II transfer impact assessment is on you

The Typeform row is the one most teams underestimate. Ireland storage doesn't mean Ireland-only processing - third-party analytics, ML features, and shared infrastructure can route response data through US-based services depending on plan tier. EU-only by infrastructure beats EU-default with carve-outs, every time a DPO reads the small print.

Schrems II and why US-only backends carry extra weight

The Court of Justice of the European Union invalidated the EU-US Privacy Shield in Schrems II (case C-311/18, July 2020): https://curia.europa.eu/juris/document/document.jsf?docid=228677. The ruling held that US surveillance law (FISA Section 702, Executive Order 12333) does not provide European data subjects with rights equivalent to those guaranteed by the GDPR, so transfers to US-based processors require additional safeguards - typically Standard Contractual Clauses plus a Transfer Impact Assessment documenting that the SCCs are actually effective in the specific case. In practice, that TIA is a document that has to be re-done whenever the underlying processor's architecture changes - and it's the controller (you), not the processor, who carries the regulatory risk if it's wrong.

The EU-US Data Privacy Framework (adequacy decision, July 2023) restored a transfer route for certified US recipients, but it's already facing legal challenges and the EDPB has signalled it will revisit it. The same Max Schrems-led complaint that took down Privacy Shield is the template for the case currently working its way toward the CJEU. A form backend whose primary data path crosses the Atlantic is a backend whose compliance posture depends on a contested legal mechanism that could be invalidated again, possibly on short notice, with no graceful migration path for the submissions already in storage.

Formspring's answer is simpler: the data doesn't cross the Atlantic in the first place. There's no transfer to assess, no SCC clause to enforce, no fallback adequacy decision to depend on, no TIA to maintain. For a contact form receiving European visitors' messages, "the data stays inside the EEA" is a structurally lower-risk position than "the data leaves but we have paperwork." Procurement teams who have lived through one Schrems-style invalidation tend to value the structural answer over the paperwork answer - because they remember what the paperwork answer looked like the morning after the ruling came down.

Who this is for, and who it is not

This page is written for the audiences most likely to need an out-of-the-box answer rather than a custom-built one:

  • DPOs and compliance teams standing up forms on behalf of a marketing or growth team that needs an answer this quarter rather than next year.
  • EU founders who want their stack to default to compliant rather than retrofitting it after the first sales-cycle questionnaire.
  • Regulated industries - healthcare-adjacent, public sector, financial services, ed-tech - where the contact-form layer is one of many places that has to hold up to a Data Protection Impact Assessment.
  • Agencies serving European clients who would rather use one EU-hosted backend across every client than negotiate a fresh DPA per project.

If you are a single-developer side project with no European visitors, the residency story is less load-bearing and a US-hosted backend will likely work fine. If you operate inside a regulated industry that mandates ISO 27001 or SOC 2 Type II at the form-backend layer, Formspring's certifications are on the security page and continue to grow - check before signing. The honest answer is that Formspring is the default for the audience above; for the long-tail outside it, the comparison page is the better starting point.

Frequently asked

Is there a DPA we can sign?
Yes. A pre-signed Data Processing Agreement under GDPR Art. 28 is available on every paid plan and downloadable from your workspace settings. It's built on the EDPB-approved template, includes Standard Contractual Clauses where the documented sub-processor list requires them (in practice, none currently), and is pre-signed on our side. Counter-sign, attach to your record-keeping under Art. 30, you're done.
Where is form submission data stored?
Exclusively in EU data centres in Germany and Finland. Application servers, database, file storage, backups, and logs are all in those two locations. There are no US replicas. Failover between EU regions is in-region only. CDN edges serving the marketing site are not used for submission storage.
How long is submission data retained?
Per-form. Default 30 days on Free; on paid plans you choose 7 days, 30 days, 90 days, 1 year, or indefinite. The retention rule is enforced by a nightly job that deletes submissions exceeding the configured age and writes an audit-log entry. "Indefinite" requires an explicit acknowledgement on save - that your published privacy policy reflects the choice.
Can respondents request erasure of their submission?
Yes, two paths. (1) You can delete any submission from the dashboard with one click - the deletion is queued, cascades to file storage and integration destinations, and writes an audit-log row. (2) A public erasure request endpoint accepts a data subject's email and message reference, verifies it, and triggers the same deletion flow without requiring you to be in the loop for routine requests. Both paths satisfy GDPR Art. 17's one-month window with substantial headroom.
Who are the sub-processors?
Published on the public sub-processors page, versioned and dated. The list is intentionally short - infrastructure (EU regions), transactional email (with EU-region routing where applicable), and error tracking (self-hosted). You can subscribe to email notifications for 30-day advance notice of any addition or change.
What's the lawful basis for processing form submissions?
You choose per form. For most contact forms it's either (a) consent under Art. 6(1)(a) - typically via the built-in consent checkbox - or (b) contract necessity under Art. 6(1)(b) when the submission is a step toward entering a contract. The chosen basis is stamped on every submission row, so your audit trail shows lawful basis at the per-submission level rather than at the policy level. Legitimate interest under Art. 6(1)(f) is also supported but requires a documented Legitimate Interest Assessment on your side.
Are file uploads also EU-hosted?
Yes. File uploads land in S3-compatible object storage hosted in the same EU regions as the rest of the platform (EU-resident object storage in Germany and Finland). Files are encrypted at rest, accessible only via signed, time-limited download URLs generated from the dashboard, and never exposed via a public URL. The same retention rule that deletes the submission also deletes the file.
Does Formspring sell or use respondent data?
No. Submission content is processed solely on your instructions as documented in the DPA. We do not sell, share, mine, or train models on submission data. AI features (insights, moderation) operate on your data only when you enable them per workspace, and the providers we use for those features are listed on the sub-processors page with the scope of processing documented.

Give your next important form a real home.

Start free with one form. Add ownership, private files, and clear history before responses pile up in inboxes.


No card · 50 submissions / mo · no countdown