Data Processing Agreement

Effective Date: February 11, 2026

This Data Processing Agreement ("DPA") is entered into by and between QuikForms, LLC, an Oregon limited liability company ("Processor" or "QuikForms"), and the entity identified in the applicable QuikForms subscription agreement or order form ("Controller" or "Customer").

This DPA supplements and forms part of the agreement between the Parties for the provision of the QuikForms managed package and related services (the "Principal Agreement"). In the event of any conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to the processing of Personal Data.

1. Definitions

  • "Applicable Data Protection Law" means all applicable laws and regulations relating to the processing of Personal Data, including the GDPR, UK GDPR, CCPA, and other applicable data protection legislation.
  • "Controller" means the Customer who determines the purposes and means of processing Personal Data.
  • "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
  • "Managed Package" means the QuikForms software distributed via the Salesforce AppExchange as a managed package.
  • "Personal Data" means any information relating to a Data Subject that is processed by the Processor on behalf of the Controller.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of Personal Data.
  • "Processing" means any operation performed on Personal Data, whether or not by automated means.
  • "Processor" means QuikForms, LLC, which processes Personal Data on behalf of the Controller.
  • "Sub-processor" means any third party appointed by the Processor to process Personal Data on behalf of the Controller.
  • "Standard Contractual Clauses" (SCCs) means the standard contractual clauses for international data transfers as adopted by the European Commission.

2. Scope and Roles

2.1 Roles of the Parties

The Customer is the Controller; QuikForms is the Processor. QuikForms shall process Personal Data only on behalf of and in accordance with the documented instructions of the Controller.

2.2 Nature of Processing

The Managed Package operates within the Controller's own Salesforce Org. QuikForms' code performs the following processing activities:

  • Receiving form field values submitted by Data Subjects via a REST API endpoint;
  • Validating submitted inputs (required fields, regex patterns, email format, field type constraints);
  • Transmitting Cloudflare Turnstile CAPTCHA tokens to Cloudflare for bot verification;
  • Creating Salesforce records within the Controller's Org;
  • Processing file uploads as ContentVersion records;
  • Hashing IP addresses using SHA-256 with a daily rotating salt for analytics;
  • Collecting device category, browser type, and referrer domain for aggregated analytics;
  • Optionally logging raw IP addresses and user agent strings when enabled by the Controller;
  • Logging exceptions with automated sensitive data filtering; and
  • Publishing Platform Events for the Controller's automations and integrations.

2.3 Processing Architecture

The Managed Package executes within the Controller's Salesforce Org. All Personal Data is stored in the Controller's Org and is subject to the Controller's existing Salesforce security and access controls. QuikForms does not operate any infrastructure of its own for storing Customer Personal Data; the only processing that occurs outside the Controller's Org is the Cloudflare Turnstile verification callout described in Section 8.

3. Controller's Instructions

The Processor shall process Personal Data only on the documented instructions of the Controller, as set forth in this DPA and the Principal Agreement. The Controller's configuration of the Managed Package (including enabling/disabling features, setting retention periods, and defining form fields) constitutes documented processing instructions.

4. Processor's Obligations

  • Compliance: Comply with all Applicable Data Protection Law in processing Personal Data.
  • Confidentiality: Ensure authorized personnel are bound by confidentiality obligations.
  • Security: Implement and maintain appropriate technical and organizational measures as described in Annex II.
  • Sub-processors: Meet the conditions set forth in Section 8 for engaging Sub-processors.
  • Data Subject Rights: Assist the Controller in responding to Data Subject requests.
  • Compliance Assistance: Assist with security assessments, breach notifications, and data protection impact assessments.
  • Deletion/Return: Delete or return all Personal Data upon termination of services.
  • Audit: Make available information necessary to demonstrate compliance and allow for audits.

5. Controller's Obligations

The Controller warrants a lawful basis for processing and is responsible for:

  • Ensuring processing instructions comply with applicable law;
  • Limiting data collection to what is necessary (data minimization);
  • Providing appropriate privacy notices to Data Subjects;
  • Configuring optional data collection features appropriately;
  • Setting appropriate retention periods; and
  • Ensuring data accuracy, quality, and legality.

7. Security Measures

The Managed Package incorporates the following security measures:

Access Control

  • Field-Level Security (FLS): Salesforce field-level security is enforced on SOQL queries using WITH SECURITY_ENFORCED clauses.
  • CRUD Enforcement: Object-level permissions are enforced through Salesforce's security model.
  • Forbidden Objects: Explicit blocklist of sensitive system objects (User, Profile, PermissionSet, etc.).
  • Guest User Context: Public forms execute in the Salesforce Site Guest User security context.

Bot and Spam Protection

  • Cloudflare Turnstile CAPTCHA: Non-intrusive bot detection with server-side token verification.
  • Honeypot Protection: Hidden fields to detect and silently reject automated bot submissions.
  • Rate Limiting: Configurable submissions-per-minute rate limiting on the REST API.
  • Origin/Referrer Verification: Configurable HTTP header validation to restrict submissions to authorized domains.

Data Minimization and Pseudonymization

  • IP Address Hashing: SHA-256 hashing with a daily rotating salt by default. Raw IP addresses are stored only when explicitly enabled.
  • Aggregated Analytics: Daily rollup records with aggregate counts rather than individual visitor records.
  • Configurable Data Collection: Optional data collection features are disabled by default.
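The following is an added illustration of the IP Address Hashing measure above; it is example code written for this page, not the Managed Package's own (Apex) implementation. It assumes an in-memory salt store keyed by UTC date as a stand-in for wherever the package keeps its salt, a 32-byte random salt, and SHA-256 over salt || address as the construction. The point it demonstrates is why the salt must be secret and rotated: an unsalted SHA-256 of an IPv4 address is reversed by simply enumerating the address space, while a salted pseudonym is stable within a day (so daily unique-visitor counts still work) and unlinkable across days.

```python
import hashlib
import ipaddress
import secrets
from typing import Dict, Optional

# Hypothetical in-memory salt store keyed by ISO date ("2026-02-11").
# Stands in for protected storage inside the Org; example only.
_SALT_STORE: Dict[str, bytes] = {}


def daily_salt(day: str) -> bytes:
    """Return the 32-byte random salt for `day`, generating it on first use."""
    if day not in _SALT_STORE:
        _SALT_STORE[day] = secrets.token_bytes(32)
    return _SALT_STORE[day]


def canonical_ip(ip: str) -> bytes:
    """Normalise textual addresses so '::1' and '0:0:0:0:0:0:0:1' hash identically."""
    return ipaddress.ip_address(ip).exploded.encode("ascii")


def pseudonymize_ip(ip: str, day: str) -> str:
    """SHA-256(salt_day || 0x00 || canonical address) as hex; stable within one day only."""
    return hashlib.sha256(daily_salt(day) + b"\x00" + canonical_ip(ip)).hexdigest()


def unsalted_hash(ip: str) -> str:
    """Plain SHA-256 of the address, used only to show why the salt is needed."""
    return hashlib.sha256(canonical_ip(ip)).hexdigest()


def reverse_unsalted(target_hex: str, network: str) -> Optional[str]:
    """Recover the address behind an unsalted hash by enumerating a network.

    IPv4 has only 2**32 addresses, so the same loop scales to the whole Internet;
    without a secret salt the "hash" is merely an encoding of the address.
    """
    for host in ipaddress.ip_network(network).hosts():
        if unsalted_hash(str(host)) == target_hex:
            return str(host)
    return None


def retire_salts(older_than: str) -> int:
    """Discard salts for days before `older_than` (ISO dates compare lexicographically).

    Once a day's salt is gone, nobody, including the Processor, can re-link or
    brute-force that day's pseudonyms. Returns the number of salts removed.
    """
    stale = [d for d in _SALT_STORE if d < older_than]
    for d in stale:
        del _SALT_STORE[d]
    return len(stale)


if __name__ == "__main__":
    ip = "203.0.113.42"  # constructed sample address from the TEST-NET-3 range
    print(pseudonymize_ip(ip, "2026-02-11") == pseudonymize_ip(ip, "2026-02-11"))  # countable within a day
    print(pseudonymize_ip(ip, "2026-02-11") == pseudonymize_ip(ip, "2026-02-10"))  # not linkable across days
    print(reverse_unsalted(unsalted_hash(ip), "203.0.113.0/24"))  # unsalted: address recovered
```

A keyed construction such as HMAC-SHA256 with the daily salt as key is the more conventional way to express the same idea; the salted-prefix form is used here only because it matches the wording of the measure. Rotating the salt daily is what bounds the window in which an analytics record can be tied back to a visitor, and deleting old salts (rather than merely rotating) is what makes the bound hold against the Processor itself.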

Sensitive Data Protection in Logs

  • Pattern-Based Redaction: Automatic redaction of passwords, tokens, API keys, SSNs, and credit card numbers in logs.
  • Configurable Log Levels: Exception logging granularity is configurable (None through Debug).
  • Log Truncation: Automatic truncation to prevent excessive storage of sensitive data.
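An added example of the pattern-based redaction and truncation measures above, written for this page in Python; it is not the Managed Package's own (Apex) code and the regular expressions, the 200-character truncation limit, and the sample log lines are all constructed for the illustration. Two details worth noting: card-number candidates are confirmed with a Luhn check so that order numbers and other long digit strings survive, and redaction runs before truncation, since truncating first could cut a secret in half and leave its prefix in the log.

```python
import re
from typing import Callable, List, Match

MAX_LOG_LENGTH = 200  # assumed truncation limit for the example

# key=value / key: value secrets, optionally quoted, optionally prefixed "Bearer".
_KV_SECRET = re.compile(
    r'(?i)\b(password|passwd|pwd|token|api[_-]?key|(?:client[_-])?secret|authorization)\b'
    r'(["\']?\s*[:=]\s*)(?:bearer\s+)?["\']?([^\s"\',;]+)'
)
_BEARER = re.compile(r'(?i)\bbearer\s+[a-z0-9\-._~+/]+=*')
# US SSN with the structurally invalid area/group/serial values excluded.
_SSN = re.compile(r'\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b')
# 13 to 19 digits, optionally separated by single spaces or hyphens, starting and ending on a digit.
_CARD = re.compile(r'\b\d(?:[ -]?\d){12,18}\b')


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; true for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _redact_card(m: Match) -> str:
    digits = re.sub(r"[ -]", "", m.group(0))
    return "[CARD-REDACTED]" if luhn_ok(digits) else m.group(0)


def redact(line: str) -> str:
    """Replace credentials, SSNs and Luhn-valid card numbers with fixed markers."""
    line = _KV_SECRET.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", line)
    line = _BEARER.sub("Bearer [REDACTED]", line)
    line = _SSN.sub("[SSN-REDACTED]", line)
    line = _CARD.sub(_redact_card, line)
    return line


def truncate(line: str, limit: int = MAX_LOG_LENGTH) -> str:
    """Cap the stored length; the marker tells the reader the entry is incomplete."""
    return line if len(line) <= limit else line[:limit] + "...[truncated]"


def sanitize(line: str) -> str:
    """Redact first, then truncate, so a cut never exposes the head of a secret."""
    return truncate(redact(line))


# Constructed sample exception-log lines (not real data).
SAMPLE_LOG_LINES: List[str] = [
    'FormSubmit failed; payload={"user":"alice","password":"hunter2"}',
    "Callout failed; Authorization: Bearer abc.def.ghi api_key=sk_test_EXAMPLE",
    "Validation error: ssn=123-45-6789 card=4111 1111 1111 1111 order=1234567890123",
]


def sanitize_all(lines: List[str], fn: Callable[[str], str] = sanitize) -> List[str]:
    return [fn(l) for l in lines]


if __name__ == "__main__":
    for out in sanitize_all(SAMPLE_LOG_LINES):
        print(out)
```

The Luhn check is what keeps the third sample line's order number intact while the card number beside it is removed; without it, any 13-digit number in a log would be silently destroyed, which makes incident investigation harder for no privacy gain.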

Data Retention and Deletion

  • Analytics Cleanup: Records are automatically deleted after a configurable retention period (default: 365 days).
  • Exception Log Cleanup: Logs are automatically deleted after a configurable retention period (default: 7 days).
  • Survey Token Expiration: Tokens expire after a configurable validity period.
  • Batch Deletion: Automated cleanup runs in batches to avoid exceeding Salesforce governor limits.

8. Sub-processors

8.1 Authorized Sub-processors

  • Salesforce, Inc.
    Description: Cloud computing platform hosting the Controller's Salesforce Org. All form data, analytics, logs, and file uploads are stored on Salesforce infrastructure.
    Data Processed: All Personal Data processed by the Managed Package.
  • Cloudflare, Inc.
    Description: Provides Cloudflare Turnstile CAPTCHA bot protection. CAPTCHA tokens are verified via an external callout during form submission.
    Data Processed: IP addresses, CAPTCHA tokens, and verification responses.

8.2 Notification of Changes

The Processor shall provide at least thirty (30) days' prior written notice before engaging a new Sub-processor. If the Controller objects on reasonable data protection grounds and no resolution can be reached, the Controller may terminate the affected services without penalty within thirty (30) days of the Processor's notice.

8.3 Sub-processor Liability

Where a Sub-processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller.

9. Data Subject Rights

The Processor shall assist the Controller in responding to Data Subject requests (access, rectification, erasure, restriction, portability, and objection). Because Personal Data is stored within the Controller's Salesforce Org, the Controller has direct access and can fulfill most Data Subject requests using standard Salesforce administrative tools. The Processor shall provide additional assistance where needed.

10. Audit Rights

The Processor shall make available information necessary to demonstrate compliance with this DPA and shall allow for audits upon at least thirty (30) days' prior written notice. Audits shall be conducted during regular business hours, at the Controller's cost (unless a material breach is revealed), and limited to one (1) audit per twelve (12)-month period unless required by a Supervisory Authority or following a breach.

11. Data Deletion and Return

Upon termination of the Principal Agreement, the Processor shall delete or return all Personal Data within thirty (30) days at the Controller's choice. The primary repository of data is the Controller's own Salesforce Org, which the Controller controls directly. Automated retention mechanisms include:

  • Analytics data: auto-deleted after the configured retention period (default: 365 days);
  • Exception logs: auto-deleted after the configured retention period (default: 7 days);
  • Survey tokens: expire after the configured validity period; and
  • Form submission data: persists until deleted by the Controller.

12. Personal Data Breach

The Processor shall notify the Controller without undue delay, and in any event no later than seventy-two (72) hours, after becoming aware of a Personal Data Breach. The notification shall include the nature of the breach, its likely consequences, and the measures taken or proposed to address it. The Processor shall cooperate with the Controller in investigation, mitigation, and remediation, and shall maintain records of all breaches.

13. International Data Transfers

The Processor shall not transfer Personal Data outside the EEA, UK, or Switzerland unless adequate safeguards are in place (adequacy decisions, Standard Contractual Clauses, or applicable derogations). Where SCCs are required, the Parties agree to incorporate Module Two (Controller to Processor) by reference. The Cloudflare Turnstile verification callout may result in data being processed across Cloudflare's global network.

15. Liability

Each Party's liability is subject to the limitations in the Principal Agreement, except where prohibited by applicable law. The Controller bears responsibility for data protection liabilities arising from its form configuration choices, optional feature enablement, retention period settings, and failure to provide adequate privacy notices or obtain consents.

16. Term and Termination

This DPA remains in force for so long as the Processor processes Personal Data under the Principal Agreement. Confidentiality, deletion/return, indemnification, and liability provisions survive termination. Either Party may terminate upon material breach with thirty (30) days' cure period.

17. General Provisions

This DPA is governed by the laws of the State of Oregon, without regard to conflict of laws principles, except to the extent Applicable Data Protection Law mandates a different law. Disputes shall be resolved per the Principal Agreement. This DPA may not be amended except by written instrument signed by both Parties, except that the Processor may update security measures and Sub-processor lists provided the overall level of protection is not materially reduced.

Contact Information

QuikForms, LLC

Email: [email protected]
Website: www.sfquikforms.com