Data Processing Agreement
Mokaform's Data Processing Agreement for customers that use Mokaform to process personal data.
Last updated: July 8, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Mokaform SAS, located at 61 RUE de Lyon, 75012 Paris, France ("Mokaform", "Processor", "we", "us", or "our"), and the customer using Mokaform's services ("Customer", "Controller", or "you").
This DPA applies when Mokaform processes Personal Data on behalf of Customer in connection with the Mokaform form builder, form hosting, response collection, storage, export, notification, integration, and related services (the "Services").
1. Definitions
For this DPA:
- "Agreement" means the Mokaform Terms of Service, an applicable order form, or another written agreement governing Customer's use of the Services.
- "Applicable Data Protection Laws" means data protection and privacy laws that apply to the processing of Personal Data under this DPA, including Regulation (EU) 2016/679 (the "GDPR") where applicable.
- "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "processing", and "Supervisory Authority" have the meanings given in the GDPR.
- "Customer Data" means data submitted to, collected through, stored in, or otherwise processed by the Services on behalf of Customer, including form responses and uploaded files.
- "Subprocessor" means another processor engaged by Mokaform to process Personal Data on behalf of Customer.
- "Technical and Organizational Measures" or "TOMs" means the security measures described in Schedule 2 and any additional measures Mokaform makes available.
Terms not defined in this DPA have the meanings given in the Agreement.
2. Roles of the parties
For Customer Data processed through forms created or managed by Customer:
- Customer is the Controller or Processor, as applicable to Customer's own relationship with Data Subjects.
- Mokaform is the Processor or Subprocessor, as applicable, processing Customer Data on behalf of Customer.
For account registration, billing, website analytics, product analytics, support, fraud prevention, service administration, and security data that Mokaform determines how and why to process, Mokaform acts as an independent Controller. That processing is described in the Mokaform Privacy Policy.
3. Subject matter and purpose
Mokaform will process Personal Data only to provide, secure, maintain, support, and improve the Services, and only as instructed by Customer through:
- the Agreement;
- this DPA;
- Customer's use and configuration of the Services;
- documented support requests; and
- other written instructions agreed by the parties.
The details of processing are described in Schedule 1.
4. Customer instructions
Mokaform will process Personal Data only on documented instructions from Customer unless required to do otherwise by EU law, Member State law, or other law applicable to Mokaform. If such legal requirement applies, Mokaform will inform Customer before processing unless the law prohibits notice on important public interest grounds.
Mokaform will promptly inform Customer if, in Mokaform's opinion, an instruction infringes Applicable Data Protection Laws.
Customer is responsible for ensuring that its instructions are lawful and that Customer has all notices, consents, lawful bases, and rights required to collect and process Personal Data through the Services.
5. Confidentiality
Mokaform will ensure that personnel authorized to process Personal Data are bound by confidentiality obligations or are under an appropriate statutory duty of confidentiality.
Mokaform will limit personnel access to Personal Data to those who need access to provide, support, secure, or maintain the Services.
6. Security
Mokaform will implement and maintain appropriate Technical and Organizational Measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.
The current TOMs are described in Schedule 2. Mokaform may update its TOMs over time, provided that updates do not materially reduce the overall level of protection for Personal Data processed under this DPA.
Customer is responsible for securely configuring its account, forms, integrations, exports, notifications, users, and access permissions.
7. Subprocessors
Customer gives Mokaform general written authorization to engage Subprocessors for the purposes described in this DPA.
Mokaform will:
- maintain a public or otherwise available list of material Subprocessors;
- impose data protection obligations on Subprocessors that are no less protective in substance than those in this DPA;
- remain responsible for Subprocessors' performance of their data protection obligations where required by Applicable Data Protection Laws; and
- notify Customer of material Subprocessor changes through the Services, the GDPR resource page, email, or another reasonable channel.
Customer may object to a new Subprocessor on reasonable data protection grounds by contacting security@mokaform.com within 30 days after notice. If the parties cannot resolve the objection, Customer may stop using the affected Services and terminate the affected portion of the Agreement according to the Agreement.
8. Assistance with Customer obligations
Taking into account the nature of processing and the information available to Mokaform, Mokaform will provide reasonable assistance to Customer with:
- responding to Data Subject requests;
- meeting security obligations under Applicable Data Protection Laws;
- performing data protection impact assessments where the processing by Mokaform is relevant;
- consulting with Supervisory Authorities where legally required; and
- documenting compliance with this DPA.
Mokaform may charge reasonable fees for assistance that requires significant work outside standard product functionality or support.
9. Data Subject requests
If Mokaform receives a request from a Data Subject relating to Personal Data processed on behalf of Customer, Mokaform will, where legally permitted, direct the Data Subject to Customer or notify Customer.
Mokaform will not respond to such request on Customer's behalf unless Customer instructs Mokaform to do so or Mokaform is legally required to respond.
10. Personal Data Breach
Mokaform will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data.
Where available, Mokaform's notice will describe:
- the nature of the Personal Data Breach;
- the categories and approximate number of affected Data Subjects;
- the categories and approximate number of affected records;
- likely consequences;
- measures taken or proposed to address the breach; and
- measures proposed to mitigate possible adverse effects.
Mokaform's notice is not an admission of fault or liability. Customer is responsible for determining whether it must notify a Supervisory Authority or affected Data Subjects.
11. Audits and information
Mokaform will make available information reasonably necessary to demonstrate compliance with this DPA.
Customer may request an audit no more than once per calendar year, unless a Personal Data Breach or material non-compliance gives Customer a reasonable basis for an additional audit.
Audits must:
- be conducted during normal business hours;
- be subject to reasonable confidentiality obligations;
- avoid disruption to Mokaform's business and other customers;
- be limited to systems, records, and personnel relevant to Customer's Personal Data; and
- be performed by Customer or an independent auditor that is not a Mokaform competitor.
Customer will bear audit costs unless the audit reveals material non-compliance by Mokaform with this DPA.
12. International transfers
Mokaform and its Subprocessors may process Personal Data in countries outside the European Economic Area.
Where a transfer mechanism is required by Applicable Data Protection Laws, Mokaform will rely on one or more appropriate safeguards, including:
- an adequacy decision;
- the European Commission Standard Contractual Clauses adopted under Commission Implementing Decision (EU) 2021/914;
- the United Kingdom International Data Transfer Addendum or other applicable UK transfer mechanism;
- another lawful transfer mechanism; and
- supplementary measures where appropriate.
For transfers from Customer to Mokaform or from Mokaform to Subprocessors that require the EU Standard Contractual Clauses, the relevant modules and annex details are incorporated by reference as described in Schedule 4 unless the parties execute a separate transfer agreement.
13. Return and deletion
During the term of the Agreement, Customer may access, export, and delete Customer Data using available product functionality.
After termination or expiry of the Agreement, Mokaform will delete or return Personal Data according to the Agreement, Customer's instructions, and Mokaform's standard deletion and backup lifecycle, unless applicable law requires continued storage.
Deleted Customer Data may remain in backups for a limited period until overwritten or deleted through standard backup rotation. Mokaform will protect backup data under this DPA while retained.
14. Customer responsibilities
Customer is responsible for:
- deciding what Personal Data to collect through forms;
- providing required notices to Data Subjects;
- obtaining and documenting any required consent;
- selecting a lawful basis for processing;
- honoring Data Subject rights;
- configuring form retention, exports, integrations, notifications, and workspace access;
- avoiding unnecessary collection of sensitive or regulated data; and
- ensuring Customer's use of the Services complies with Applicable Data Protection Laws.
Customer will not instruct Mokaform to process Personal Data in a way that violates Applicable Data Protection Laws.
15. Government and legal requests
If Mokaform receives a legally binding request from a public authority for Personal Data processed on behalf of Customer, Mokaform will, where legally permitted:
- promptly notify Customer;
- review the request for legal validity;
- disclose only the Personal Data legally required; and
- reasonably cooperate with Customer's lawful efforts to challenge or narrow the request.
16. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement, unless Applicable Data Protection Laws require otherwise.
Nothing in this DPA limits liability that cannot legally be limited.
17. Term
This DPA begins when Mokaform first processes Personal Data on behalf of Customer and continues while Mokaform processes Personal Data on behalf of Customer.
18. Changes
Mokaform may update this DPA from time to time. If an update materially reduces Customer's rights or Mokaform's obligations, Mokaform will provide reasonable notice. Continued use of the Services after the effective date of an updated DPA constitutes acceptance unless the Agreement provides another process.
Schedule 1 - Details of processing
| Item | Description |
|---|---|
| Subject matter | Processing Personal Data to provide Mokaform's form builder, hosting, response collection, storage, export, notification, integration, analytics, support, security, and related services. |
| Duration | For the term of the Agreement and until Personal Data is deleted or returned according to the Agreement, this DPA, and applicable law. |
| Nature of processing | Collection, recording, organization, structuring, storage, retrieval, consultation, use, transmission, disclosure by transmission, restriction, erasure, and destruction. |
| Purpose | Providing, securing, maintaining, supporting, and improving the Services. |
| Data Subjects | Customer users, workspace members, form respondents, people whose data is included in form responses, support contacts, and other individuals whose Personal Data is submitted to the Services by Customer. |
| Categories of Personal Data | Account data, contact details, identifiers, authentication data, billing-related data, form questions, form responses, uploaded files, signatures, payment-related form data, respondent metadata, respondent country metadata, usage data, device and log data, support communications, integration data, and any other Personal Data Customer chooses to submit to the Services. |
| Sensitive data | The Services are not intended for unnecessary collection of special categories of Personal Data. Customer is responsible for determining whether it collects sensitive data and for ensuring a valid lawful basis and safeguards. |
| Frequency | Continuous while Customer uses the Services. |
Schedule 2 - Technical and organizational measures
Mokaform maintains measures designed to protect Personal Data, including:
Governance
- Internal responsibility for privacy and security.
- Vendor review for service providers that may process Personal Data.
- Contractual confidentiality and data protection commitments.
Access control
- Least-privilege access to production systems.
- Role-based access controls where appropriate.
- Authentication controls for personnel and users.
- Periodic review of access where appropriate.
Data protection
- HTTPS/TLS encryption in transit.
- Encryption at rest where supported by infrastructure and storage providers.
- Logical separation of customer workspaces and records.
- Controls designed to prevent unauthorized access, disclosure, alteration, or deletion.
Operations
- Monitoring and logging for reliability, abuse prevention, and security.
- Backup and recovery practices.
- Vulnerability review and remediation practices.
- Incident response procedures.
Personnel
- Confidentiality obligations for personnel.
- Access limited to personnel with a business need.
- Security and privacy guidance for personnel handling Personal Data.
Subprocessor management
- Review of subprocessors that process Personal Data.
- Written data protection terms with subprocessors where required.
- Transfer safeguards for international processing where required.
Schedule 3 - Subprocessors
Mokaform's current subprocessor information is published on the GDPR & Mokaform page.
Customer authorizes Mokaform to use the subprocessors listed there and subprocessors performing materially similar functions, subject to the notice and objection process in this DPA.
Schedule 4 - International transfer clauses
Where the EU Standard Contractual Clauses are required for a transfer of Personal Data under this DPA:
- Module Two applies where Customer is a controller and Mokaform is a processor.
- Module Three applies where Customer is a processor and Mokaform is a subprocessor.
- Clause 7, the optional docking clause, is included.
- Clause 9, Option 2, general written authorization for subprocessors, applies with the notice period described in this DPA.
- Clause 17 is governed by the law of France unless another EU Member State law is required.
- Clause 18 courts are the courts of France unless another competent forum is required.
- Annex I details are completed by the information in the Agreement, this DPA, and Schedule 1.
- Annex II details are completed by the TOMs in Schedule 2.
- Annex III details are completed by the subprocessor list referenced in Schedule 3.
If the United Kingdom International Data Transfer Addendum or another transfer mechanism is required, the parties will apply the relevant mechanism in a manner consistent with this DPA and the Agreement.