Data Processing Agreement

Version 2026-03-23

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller", "Customer") and staticq ("Processor", "we", "us"). By using staticq, you agree to this DPA. This DPA applies to all personal data that staticq processes on your behalf through form submissions.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person submitted through your forms.
"Processing" means any operation performed on Personal Data, including collection, storage, retrieval, transmission, and deletion.
"Data Subjects" means individuals who submit data through your forms hosted on staticq.
"Subprocessor" means a third party engaged by staticq to process Personal Data on your behalf.

2. Subject Matter and Duration

staticq processes form submission data on your behalf for the duration of your account. Processing begins when a Data Subject submits a form and continues until the data is deleted per the applicable retention schedule or upon account termination.

3. Nature and Purpose of Processing

staticq receives, stores, and delivers form submissions on your behalf. Specifically:

Receiving HTTP POST requests containing form field data from Data Subjects
Storing submission data in our database
Delivering submissions to you via your configured methods (dashboard, email notifications, webhooks)
Hashing IP addresses for abuse prevention (not reversible)

4. Types of Personal Data

The Personal Data processed depends on the fields in your forms. This may include but is not limited to:

Names, email addresses, phone numbers
Free-text messages and comments
Any other data your form collects

Additionally, staticq automatically collects the following metadata per submission:

IP address hash (SHA-256 with daily-rotating salt - not reversible)
User agent string
HTTP referer header

5. Categories of Data Subjects

Individuals who submit data through forms created by the Customer on staticq.

6. Controller's Instructions

staticq processes Personal Data only in accordance with your documented instructions, which are:

Receive and store form submissions
Deliver submissions per your configured connectors (email, webhook, dashboard)
Delete submissions per the retention schedule of your plan

Your use of the Service and its configuration options constitutes your instructions to us.

7. Confidentiality

staticq ensures that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

8. Security Measures

staticq implements the following technical and organizational security measures:

Encryption in transit (TLS) for all API and web traffic
Encryption at rest for the database (Cloudflare-managed)
Password hashing with PBKDF2-SHA256 (100,000 iterations)
IP address hashing with daily-rotating salt (not reversible)
httpOnly, Secure, SameSite session cookies
Rate limiting on all public endpoints
Automated nightly cleanup of expired tokens and codes

9. Subprocessors

You authorize staticq to engage the following subprocessors:

Subprocessor	Purpose	Location
Cloudflare, Inc.	Infrastructure: hosting, CDN, D1 database, Workers compute	Global
Stripe, Inc.	Payment processing	United States
Resend, Inc.	Transactional email delivery (submission notifications)	United States

We will notify you before adding or replacing subprocessors that process Personal Data, giving you the opportunity to object.

10. Data Subject Rights

staticq will assist you in fulfilling your obligations to respond to Data Subject requests (access, rectification, erasure, restriction, portability, objection). If we receive a request directly from a Data Subject, we will redirect them to you unless legally required to respond directly.

11. Breach Notification

staticq will notify you without undue delay upon becoming aware of a personal data breach affecting data processed on your behalf. The notification will include:

The nature of the breach, including categories and approximate number of Data Subjects affected
The likely consequences of the breach
Measures taken or proposed to address the breach

12. Data Deletion and Return

Upon termination of your account:

You may export your submission data within 30 days of termination.
After 30 days, all Personal Data processed on your behalf will be permanently deleted.
You may request immediate deletion at any time by contacting us.

During the active subscription period, submissions are automatically deleted per your plan's retention schedule (Free: 90 days, Pro: 365 days, Business: unlimited).

13. Audit Rights

You have the right to verify staticq's compliance with this DPA. We will make available information necessary to demonstrate compliance and allow for audits. At this stage, audits are conducted via written questionnaire. We will cooperate with reasonable audit requests.

14. International Transfers

Personal Data may be transferred to and processed in the United States and other countries where our subprocessors operate. For transfers from the EU/EEA, we rely on Standard Contractual Clauses (SCCs) as adopted by the European Commission.

15. Contact

For questions about this DPA: [email protected]