GDPR & Mokaform
How Mokaform approaches GDPR, form response data, subprocessors, and customer data rights.
This page is for general information only and is not legal advice. You should work with your legal advisor to decide how GDPR applies to your organization and your forms.
Overview
Mokaform is operated by Mokaform SAS, a French company located at 61 RUE de Lyon, 75012 Paris, France. Because Mokaform is based in the European Union, we build our service around European privacy and data protection expectations.
This page explains how Mokaform approaches GDPR for customers who create forms, respondents who submit forms, and people who use the Mokaform website or product.
What is GDPR?
The General Data Protection Regulation, or GDPR, is the European Union data protection law that governs how personal data is collected, used, stored, shared, protected, and deleted.
GDPR may apply to you if your organization is based in the European Union, if you offer goods or services to people in the European Union, or if your forms collect personal data from people in the European Union.
Is Mokaform GDPR compliant?
Mokaform is designed to support GDPR-compliant use by our customers.
Our main commitments are:
- We do not sell personal data.
- We process customer form response data to provide the Mokaform service.
- We use technical and organizational safeguards to protect personal data.
- We support export and deletion workflows for form responses.
- We make a Data Processing Agreement available for business customers.
- We require subprocessors that process personal data for Mokaform to protect that data under appropriate contractual terms.
Mokaform can help you run GDPR-aware forms, but you remain responsible for your own forms, notices, lawful basis, consent choices, data retention, and respondent requests.
Do you have a Data Processing Agreement?
Yes. Mokaform provides a Data Processing Agreement for customers who use Mokaform as a business, organization, or professional user.
Unless a separately signed agreement says otherwise, the DPA forms part of the customer agreement when Mokaform processes personal data on behalf of a customer.
Who is the controller and who is the processor?
For form responses collected through your forms:
- You, the form creator or customer, are generally the controller. You decide what data to collect, why you collect it, who receives it, and how long it should be kept.
- Mokaform is generally the processor. We host, store, transmit, and otherwise process form response data to provide the service to you.
For account, billing, support, security, analytics, and website data about Mokaform customers and visitors, Mokaform generally acts as a controller. More detail is available in our Privacy Policy.
What happens with form response data?
Mokaform does not own the responses submitted through your forms. The customer who created the form controls that data.
As a form creator, you are responsible for:
- Telling respondents what data you collect and why.
- Choosing an appropriate lawful basis for collection.
- Avoiding unnecessary personal data.
- Exporting, deleting, or retaining responses according to your own legal obligations.
- Responding to respondent requests when GDPR or other privacy laws apply.
Mokaform helps by providing product controls to access, export, and delete responses. Mokaform stores response data and uploaded files in AWS regions located in the European Union. Mokaform may derive respondent country locally from IP address using GeoLite2 data created by MaxMind. We do not share respondent IP addresses with MaxMind or another third-party geolocation provider for this lookup, and we do not derive city, precise location, or individual-level inferences from GeoLite2 data. When you delete response data from Mokaform, we remove it from active systems and delete remaining backup copies according to our normal backup lifecycle, unless we must keep limited data for legal, security, or fraud-prevention reasons.
How does Mokaform use customer personal data?
Mokaform uses customer account and usage data to:
- Create and manage accounts.
- Provide, secure, monitor, and improve the service.
- Process billing and subscriptions.
- Respond to support requests.
- Send service notices and transactional messages.
- Detect abuse, fraud, and security issues.
- Comply with legal obligations.
Mokaform does not sell personal data and does not use form response data to target advertising.
Security measures
Mokaform applies security measures appropriate to the nature of the service and the data processed, including:
- Encryption in transit using HTTPS/TLS.
- Access controls based on least privilege.
- Authentication and account security controls.
- Environment separation and restricted production access.
- Logging, monitoring, and security review processes.
- Backup and recovery practices.
- Vendor review for services that may process personal data.
- Confidentiality obligations for personnel and service providers.
Customers are responsible for configuring their forms appropriately, limiting access to their workspace, choosing what data to collect, and avoiding collection of sensitive data unless they have a valid legal basis and adequate safeguards.
Subprocessors
Mokaform uses subprocessors to provide hosting, storage, authentication, payments, analytics, monitoring, customer support, and related service operations.
| Provider or category | Purpose | Region | May process form submissions | Link |
|---|---|---|---|---|
| Render Services, Inc. | Application and website hosting, deployment, networking, and runtime logs | EU | Yes, for traffic, logs, and hosted application processing | Learn more |
| Amazon Web Services, Inc. and affiliates | Storage, backups, file uploads, and related infrastructure services | EU | Yes | Learn more |
| Logto, Inc. | Authentication and account access for Mokaform's EU tenant | EU | No | Learn more |
| Stripe, Inc. and affiliates | Payment processing for paid plans and payment forms | US | Only for payment-related form data when payment features are used | Learn more |
| Segment.io, Inc. | Product and website analytics routing | US | No | Learn more |
| Sentry.io | Error tracking, application monitoring, performance diagnostics, and crash reporting | US | No by default, except limited technical metadata and error context where necessary | Learn more |
| Google Analytics | Website analytics | US | No | Learn more |
| Amazon Web Services, Inc. and affiliates (email services) | Transactional emails and optional form notifications | EU | Yes, if a customer includes response data in email notifications | Learn more |
| Kikliko, Inc. (Klipy) | Optional GIF search and media library content, requested server-side by Mokaform | US | No | Learn more |
| Pexels, a Canva Germany GmbH brand | Optional video search and media library content, requested server-side by Mokaform | EU | No | Learn more |
| Unsplash Inc. | Optional photo search and media library content, requested server-side by Mokaform | US | No | Learn more |
We require subprocessors to process personal data only for the services they provide to Mokaform and to protect that data under appropriate contractual, security, and transfer safeguards.
MaxMind GeoLite2 is used as a local country lookup database, not as a request-based geolocation provider. Mokaform does not send respondent IP addresses to MaxMind for country detection, so MaxMind is not listed above as a subprocessor for that lookup.
For Klipy, Pexels, and Unsplash, Mokaform sends media search requests from Mokaform's servers. These providers do not receive respondent IP addresses, browser metadata, or form submissions from the respondent's browser as part of Mokaform's current media search architecture.
International transfers
Some Mokaform subprocessors are located outside the European Economic Area or may process data from outside the EEA.
Where GDPR requires transfer safeguards, Mokaform relies on appropriate mechanisms such as adequacy decisions, the European Commission Standard Contractual Clauses, or equivalent transfer safeguards, together with supplementary measures where appropriate.
Data subject requests
If a respondent contacts Mokaform about a form response, we will generally direct them to the customer that created the form, because that customer controls the form response data.
If you are a Mokaform customer and need help responding to a GDPR request, contact us at security@mokaform.com. We will provide reasonable assistance where the request relates to personal data Mokaform processes on your behalf.