Data Processing Agreement
Last updated: June 9, 2026
1. Introduction and scope
This Data Processing Agreement (DPA) forms part of the Terms of Service between Rowdrop (Processor) and the Customer (Controller) who uses Rowdrop to collect personal data from their form submitters. It applies where Rowdrop processes personal data on the Customer's behalf and the GDPR, UK GDPR, or similar laws apply.
2. Roles of the parties
The Customer (the form creator) is the data Controller of the personal data collected through their forms. Rowdrop is the data Processor, processing that data only on the Customer's documented instructions (namely, to receive form submissions and deliver them to the Customer's Notion workspace, store file and signature uploads, and send transactional emails the Customer enables). For Rowdrop account data (the Customer's own email, password, billing), Rowdrop is the Controller, as described in the Privacy Policy.
3. Subject matter and duration
The subject matter is the processing of form submission data. Processing continues for as long as the Customer maintains an active account or forms, and ends on account deletion or upon written request, subject to the retention terms below.
4. Nature and purpose of processing
Rowdrop processes personal data to:
- Receive and validate form submissions
- Forward submission content to the Customer's Notion database
- Store file and signature uploads in Cloudflare R2 and link them into Notion
- Send transactional emails (owner notifications and submitter confirmations) where the Customer enables them
5. Categories of data subjects and personal data
Data subjects are the Customer's form submitters. Personal data is whatever the Customer chooses to collect through their form fields, which may include names, email addresses, free text, uploaded files, and signature images. The Customer is responsible for the categories of data they choose to collect, and must not collect special category data without a lawful basis.
6. Sub-processors
The Customer authorizes Rowdrop to engage the following sub-processors:
- Railway: Cloud hosting and compute (United States)
- Upstash: Redis storage of form configuration
- Cloudflare R2: File and signature storage
- Resend: Transactional email delivery
- Stripe: Billing, for account data only
- Notion: The destination the Customer directs submissions to
- PostHog: Privacy-first analytics, for Rowdrop account/usage data only (United States). Analytics does not run on public form pages, so form-submitter data is not processed by PostHog.
Rowdrop will give the Customer notice of new sub-processors and an opportunity to object. Each sub-processor is bound by data protection obligations consistent with this DPA.
7. Security measures
Rowdrop implements appropriate technical and organizational measures, including encryption in transit (HTTPS), bcrypt password hashing, HTTP-only secure cookies, access controls, and rate limiting. No method of transmission or storage is fully secure, but Rowdrop maintains reasonable safeguards appropriate to the risk.
8. Data subject rights
Rowdrop will, to the extent reasonably possible, assist the Customer in responding to data subject requests (access, correction, deletion, portability, objection). Because submission content lives in the Customer's Notion workspace, the Customer is primarily responsible for fulfilling such requests. For data Rowdrop stores (file uploads, signatures), the Customer may request deletion at [email protected].
9. International transfers
Where personal data is transferred outside the European Economic Area or the UK, such transfers are made under appropriate safeguards, including the European Commission's Standard Contractual Clauses (SCCs) or equivalent mechanisms offered by the relevant sub-processors.
10. Data breach notification
Rowdrop will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's data, and will provide information reasonably necessary for the Customer to meet its own breach notification obligations.
11. Deletion and return of data
On termination of the Customer's account, or on written request, Rowdrop will delete the Customer's form configuration and stored file/signature data within 30 days, except where retention is required by law. Submission content already delivered to the Customer's Notion workspace is controlled by the Customer.
12. Audit
Rowdrop will make available, on reasonable written request and no more than once per year, information necessary to demonstrate compliance with this DPA, subject to confidentiality.
13. Contact
For any matter relating to this DPA, contact [email protected].
This DPA is provided as a baseline. For high-volume or regulated use, contact us at [email protected] to execute a signed agreement.