Starting May 25, 2018 GDPR has replaced the Data Protection Directive, which has been in effect across the European Union (EU) for the past 20 years. The goal of GDPR is the enforcement of a standardized data protection law for the entire EU.


To ensure that the protection of personal data remains a fundamental right for EU citizens, GDPR’s aim is to modernize outdated privacy laws. GDPR has the potential to impact any business that collects data in or from Europe.

If organizations are not GDPR compliant, significant fines of up to €20,000,000 or 4% of global annual turnover, whichever is greater, may be levied on them.


A signed JotForm Data Processing Addendum ensures the compliant transfer of personal data from data controllers in the EU to data processors in the EU.

JotForm is committed to subjecting all personal information and data received from the European Union (EU) member countries and Switzerland, in reliance on the GDPR, to the GDPR’s applicable Principles.


JotForm makes it easy for our users to show that they use JotForm in a GDPR-compliant way. To make it convenient and easy, we provide a Data Processing Addendum (DPA), which is a self-serve and easy-to-execute document pre-signed by JotForm. It only requires an electronic signature from the user.

Once the DPA is filled out and submitted, it will automatically be sent to JotForm’s legal team for final review. If it is correctly completed, the DPA will then become legally binding. You can provide the DPA to auditors to show that you use JotForm in a way that demonstrates your data is being processed in a manner that meets your GDPR compliance obligation.

For more information, please see the "How to Execute this DPA" section in the DPA below.

The JotForm GDPR compliant DPA is available here.

Please send questions to gdpr@jotform.com.

Questions & Answers

  • What is GDPR?
    The General Data Protection Regulation (GDPR) is a sweeping new EU law which mandates how companies can collect, store, delete, modify and otherwise process personal data of EU citizens. It applies to any company that processes personal data of EU citizens, regardless of whether it has any physical presence in the EU, or even whether it has any EU customers. Companies are also required to pass these obligations down to all of their vendors and suppliers who may also handle personal data of EU citizens anywhere in the world.
  • When will GDPR be the law?
    GDPR comes into effect across the European Union on May 25, 2018. It’s a regulation (rather than a directive), meaning that it will instantly become law in all EU Member States on that date. Despite Brexit, the UK is committed to staying compliant with the GDPR.
  • What should I do to get started with the GDPR compliance process?
    Inform: Review your vendor list and get comfortable with how data flows across your business, what type of personal data you collect and who has access. If JotForm is one of your vendors, and you have determined that you need a DPA in place with JotForm, our GDPR compliant DPA is available for download and signature at the link above.

    Assess: Undertake a risk assessment within your business and identify any gaps that need to be filled in order to meet GDPR compliance.

    Plan: Get in touch with us to understand how our products can help meet your compliance needs, and develop an action plan that is mindful of the May 25, 2018 deadline.

    Act: Implement your GDPR compliance program and make GDPR compliance an ongoing discipline.
  • What is the definition of “personally identifiable information” under GDPR?
    The first and most important thing to realize is that the EU concept of “personal data” is much, much broader than the U.S. concept of “PII”. Under EU law, personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. It doesn’t have to be confidential or sensitive to qualify as personal data.
  • Do I count as a Data Controller or Data Processor?
    JotForm customers will typically act as the data controller for any personal data made available to JotForm in connection with their use of JotForm’s web optimization and security services. The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller. JotForm, as the data processor, will process personal data on behalf of our customers in connection with providing the services to our customers.
  • What type of data does JotForm process?
    As noted above, the EU concept of “personal data” is much broader than the U.S. concept of PII. We may gather certain information regarding use of our customers’ forms, and we process data submitted by our customers or which we are instructed to process on their behalf. While it’s not up to us which data we receive, it typically includes items such as contact information, IP addresses, and form data. We will process such data in order to provide the service to our customers and in accordance with applicable laws, including the GDPR.
  • Why should I sign a DPA?
    Once signed, you can provide the DPA to auditors to show that you use JotForm in a way that demonstrates your data is being processed in a way that meets your GDPR compliance obligation.