Safe Harbor

Formstack Safe Harbor

Update: 6 October 2015

On 6 October 2015, the European Court of Justice (ECJ) ruled that the US-EU Safe Harbor Framework no longer provides a legal basis for transferring personal data from Europe to the U.S. This decision impacts businesses in both Europe and the United States, and especially Formstack customers established in Europe.

To ensure that customers can continue to use Formstack, Formstack is making available a Data Process Agreement (DPA) that includes the European Commission’s Standard Contractual Clauses (also known as the “model clauses”). This will facilitate customer compliance with European personal data export requirements, allowing them to continue using Formstack despite the invalidation of the US-EU Safe Harbor.

By using this model clause, European customers are able to continue using Formstack in accordance with EU requirements and gather the data they need.

The "model clause" is a standard form of contract, approved by the European Commission (EC), that provide a mechanism for parties which use that contract to transfer or export data from Europe in accordance with cross-border transfer requirements.

Paid Formstack accounts with a billing address in a EU country that participates will be able to execute the DPA within their account.

Harbor Standards

This Safe Harbor Notice (the "Notice") sets forth the privacy principles followed by Formstack in connection with the transfer and protection of "personal information" received from the European Union ("EU") or Switzerland.

Affirmative Statement

Formstack complies with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. Formstack has certified that it adheres to the Safe Harbor Privacy Policy of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view Formstack's certification, please visit

About the Safe Harbor

The "Safe Harbor" program was jointly established in June 2000 by the United States Department of Commerce and the European Commission, as a method for transferring personal information from the EU to companies in the Unites States. Certified companies represent that they are upholding privacy standards for personal information received from the EU that have been jointly accepted by the EU Commission and the US Department of Commerce. These standard exceed current US privacy standards. Formstack is Safe Harbor certified and upholds this commitment.

"Personal Information" means information that can directly or indirectly lead to the identification of a living person, such as an individual's name, address, e-mail, telephone number, license number, medical identification number, photograph, or other identifying characteristic. The identification can occur by reference to one or more factors specific to the individual's physical, physiological, mental, economic, cultural or social identity. Personal information does not include information that has been anonymized, encoded or otherwise stripped of its identifiers, or information that is publicly available, unless combined with other non-public personal information.


This Notice governs personal information transferred from countries in the EU or Switzerland (which has adopted substantially similar privacy laws to those of the EU), to the United States on behalf of Formstack. It applies to personal information in electronic and off-line formats.

Safe Harbor Privacy Principles

The following privacy principles apply to the transfer, collection, use or disclosure of personal information form the EU by Formstack.

Notice: Formstack informs individuals in the EU about the purposes for which it collects and uses their personal information, how to contact Formstack, the types of 3rd parties with which Formstack shares their personal information, and the choice and means Formstack offers for limiting the use and disclosure of their personal information.

Consistent with the Safe Harbor requirements, Formstack may not be in a position to furnish notice in certain limited situation. Specifically, notice is not required where the processing of EU personal information is necessary to respond to a government inquiry; is required by applicable laws, court orders or government regulations; or is necessary to protect Formstack's legal interests and providing notice would interfere with those interests.

Choice: Formstack will not process personal information about EU individuals for purposes other than those for which the information was originally obtained or subsequently authorized by the EU individual unless the individual affirmatively and explicitly consents ("opt-in") to the processing, or unless an exception applies. Formstack also provides EU individuals with the opportunity to withdraw consent at any time ("opt-out"), in which case their personal information will not be further processed.

Data Integrity: Formstack seeks to ensure that any personal information held about EU individuals is accurate, complete, current and otherwise reliable in relation to the purposes for which the information was obtained. Formstack collects personal information that is adequate, relevant and not excessive for the purposes for which it is to be processed. EU individuals have a responsibility to assist Formstack in maintaining accurate, complete and current personal information about them.

Transfers to Third Parties: Formstack will not transfer personal information about EU individuals to 3rd parties unless the 3rd party (a) has provided satisfactory assurance to Formstack that it will protect the information consistently with this Notice; or (b) is located in the EU or a country considered "adequate" for privacy by the EU Commission, and therefore is required to comply with the EU data protection laws or substantially equivalent privacy laws; or (c) the 3rd party has also certified to the Safe Harbor, and is accordingly independently responsible for complying with the Safe Harbor requirements.

Where Formstack has knowledge that a 3rd party to whom it has provided EU personal information is processing that information in a manner contrary to this Notice or the Safe Harbor requirements, Formstack will take reasonable steps to prevent or stop the processing.

Access and Correction: Upon written request to Formstack, Formstack will provide EU individuals with reasonable access to their personal information. Formstack will also take reasonable steps to allow EU individuals to review their information for the purposes of correction their information. There are certain limitations to the Access and Correction rights, as set forth in the US Department of Commerce's Safe Harbor website. []

Security: Formstack takes reasonable precautions to protect EU personal information in its possession from loss, misuse, unauthorized access, disclosure, alteration and destruction.

Enforcement: Formstack has established internal mechanisms to verify its ongoing adherence to this Notice. Formstack also encourages individuals covered by this Notice to raise any concerns about our processing of their personal information by contacting Formstack at the address below or by contacting their local privacy officer. Formstack will seek to resolve any concerns. Formstack has also agreed to participate in the dispute resolution program provided by the European Data Protection Authorities.

Limitation on Scope of Principles: Adherence to these privacy principles may be limited to the extent required to meet a legal, governmental, national security or public interest obligation.

Contact Information: Questions or comments about this Notice should be directed to:

Formstack, LLC
8604 Allisonville Rd.
Suite 300
Indianapolis, IN 46250