Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the agreement between the customer ("Customer", "you") and Askery, Inc. ("Askery", "we", "us") for use of the Service, and applies where Askery processes personal data on the Customer's behalf. It reflects the requirements of the GDPR, UK GDPR and similar data-protection laws. Where a separately negotiated and executed DPA exists between the parties, that signed DPA controls.

Last updated: 19 May 2026
About this document
This document is published in good faith as a clear, industry-standard template so that customers, respondents and prospective customers can understand how Askery approaches this topic. It is provided for transparency only and is NOT legal advice, and it does not create an attorney-client relationship. Laws differ by jurisdiction and by how you use the service. Askery, Inc. and its customers should each have qualified counsel review and, where appropriate, adapt this document before relying on it. If a separately negotiated and signed agreement exists between you and Askery, Inc., that agreement controls to the extent it conflicts with this page. We will update this page as the product and applicable law evolve; material changes are described in the "Changes to this policy" section below.
Definitions and roles
Terms such as "personal data", "processing", "controller", "processor", "sub-processor", "data subject" and "supervisory authority" have the meanings given in applicable data-protection law. With respect to personal data submitted by the Customer's respondents into the Customer's forms ("Respondent Data"), the Customer is the controller (or itself a processor for its own customers) and Askery is the processor (or sub-processor). For Askery's own account, billing and security data, Askery is an independent controller, as described in the Privacy Policy.
Scope and purpose of processing
We process Respondent Data only to provide, secure, maintain and support the Service in accordance with the Customer's documented instructions, the agreement, this DPA, and the Customer's configuration of forms, logic and settings. The subject matter is the operation of the form-building Service; the duration is the term of the agreement plus the deletion period below; the nature and purpose is collecting, storing, displaying, exporting and transmitting form responses as the Customer directs; the types of data and categories of data subjects are determined by the Customer through the questions it chooses to ask. We will not process Respondent Data for our own purposes, including advertising or model training.
Customer instructions and obligations
The agreement, this DPA and the Customer's use and configuration of the Service constitute the Customer's complete documented instructions. We will inform the Customer if, in our opinion, an instruction infringes applicable data-protection law (without obligation to provide legal advice). The Customer is responsible for the lawfulness of the data it collects, for having a valid legal basis and any required notices or consents, for the accuracy of its instructions, and for responding to its data subjects as the controller.
Confidentiality and personnel
We ensure that personnel authorized to process Respondent Data are bound by appropriate confidentiality obligations and are granted access only on a need-to-know, least-privilege basis. Access to production systems is restricted, and the service-role key is confined to the server and is never exposed to the browser.
Security measures
We implement and maintain appropriate technical and organizational measures designed to protect Respondent Data, taking into account the state of the art and the risks of processing. These include: tenant isolation enforced at the database layer via Postgres row-level security; a single audited, security-definer write path for public submissions with no anonymous insert access; encryption of data in transit (TLS); form passwords stored as salted bcrypt hashes in an isolated table (user account passwords are managed by our authentication provider using current best-practice hashing); least-privilege access controls; anti-abuse measures including per-IP and per-form rate limiting, a database-enforced honeypot field, and optional Cloudflare Turnstile challenges enabled per form by the Customer; structured request and webhook-delivery logging; and routine managed backups. We may update measures provided the overall level of protection is not materially reduced.
Sub-processors
The Customer provides general authorization for Askery to engage sub-processors to deliver the Service, in the categories listed in our Privacy Policy (cloud hosting and managed Postgres, transactional email, payment processing, error monitoring/analytics, and support tooling). We impose data-protection obligations on each sub-processor that are no less protective than this DPA and remain responsible for their performance. We maintain a current sub-processor list and will give the Customer advance notice of intended additions or replacements; the Customer may object on reasonable data-protection grounds, and the parties will work in good faith toward a resolution.
Assistance to the Customer
Taking into account the nature of processing, we will provide reasonable assistance to enable the Customer to: respond to data-subject requests (including via the Service's export and deletion features); fulfil security, breach-notification, data-protection-impact-assessment and prior-consultation obligations; and demonstrate compliance. We will promptly forward to the Customer any data-subject request we receive that relates to the Customer's Respondent Data and will not respond directly except to confirm the request concerns the Customer.
Personal data breach notification
We will notify the Customer without undue delay, and in any event within the timeframe required by applicable law, after becoming aware of a personal data breach affecting Respondent Data. The notification will include, to the extent known, the nature of the breach, likely consequences, and the measures taken or proposed. We will cooperate with the Customer's reasonable investigation and remediation. Notification is not an acknowledgment of fault or liability.
Audit and information rights
We will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA. Where a Customer requires an audit beyond the information we make available, the parties will agree on reasonable scope, timing, confidentiality and cost, conducted no more than once per year (absent a regulator requirement or a known incident) and in a manner that does not compromise the security or confidentiality of other customers' data.
International transfers and Standard Contractual Clauses
Where processing of Respondent Data involves a transfer from the EEA, the UK or Switzerland to a country without an adequacy decision, the parties agree that the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum and Swiss adaptations where applicable) are incorporated into this DPA by reference and apply to that transfer, with the Customer as data exporter and Askery as data importer, supplemented by the technical and organizational measures described above.
Return and deletion of data
On termination or expiry of the agreement, and upon the Customer's request, we will delete or return Respondent Data and delete existing copies, except to the extent retention is required by law. Deletion or return will occur within a commercially reasonable period (target: within 30 days), recognizing that data may persist temporarily in routine encrypted backups that age out on a defined rotation schedule and are not used for any other purpose during that interval. The Customer is responsible for exporting its data before termination using the Service's export features.
Liability and order of precedence
Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. In the event of a conflict, an executed negotiated DPA controls over this page; this DPA controls over the Terms of Service with respect to processing of Respondent Data; and the Standard Contractual Clauses control over this DPA where they apply and conflict.
Contact
For DPA matters, including sub-processor notifications and audit requests, contact support@askery.app.