FormAssembly is a powerful form builder and data collection platform used by enterprises, nonprofits, and healthcare organisations to create complex forms with conditional logic, Salesforce integration, and HIPAA-compliant configurations. Form submission data is processed in the US by default, with EU data residency available on Enterprise plans. Each form deployment requires careful consideration of the GDPR legal basis applicable to the data being collected.
FormAssembly is an enterprise data collection platform specialising in complex form creation with conditional logic, multi-step workflows, Salesforce native integration, and HIPAA-compliant configurations. It is used by healthcare organisations, financial services firms, nonprofits, and higher education institutions to collect sensitive data through secure online forms. Forms can be embedded on websites or accessed via hosted URLs. The platform processes form submission data including all personally identifiable information entered by respondents.
FormAssembly collects all data entered by form respondents, which varies by form configuration but may include names, email addresses, phone numbers, addresses, dates of birth, health information, financial data, and any other fields defined by the form designer. It also collects IP addresses and browser information when the form loads. Submitted data is stored in FormAssembly's database and may be synced to Salesforce or other connected systems depending on integration configuration.
FormAssembly's GDPR compliance depends heavily on what data is collected in each specific form. For contact or inquiry forms, the legal basis is often legitimate interest or contract performance. For forms collecting consent to marketing, the form itself is the consent mechanism. For healthcare forms collecting health data, explicit consent under Article 9(2)(a) is required. Each form deployment should be assessed individually for its applicable legal basis, data minimisation compliance, and retention period.
ePrivacy consent is required before the FormAssembly embed script loads for any non-essential cookies it sets. For the form data itself, the consent requirement depends on the purpose: contact forms may rely on legitimate interest or contract performance; lead generation forms require marketing consent captured in the form; forms collecting special category data require explicit consent under Article 9. Every form must include a privacy notice linking to your privacy policy before respondents submit their data.
FormAssembly processes data on US infrastructure by default. EU data residency is available for Enterprise customers. For organisations collecting sensitive data from European users, evaluating EU data residency is strongly recommended. Standard Contractual Clauses apply for non-Enterprise customers. The Salesforce integration may create additional transfer obligations if Salesforce data is also processed in the US.
To use FormAssembly compliantly: assess each form individually for its applicable legal basis; include a privacy notice on every form before submission; obtain ePrivacy consent before the embed script loads; for special category data forms, obtain explicit Article 9 consent; sign a DPA with FormAssembly; evaluate EU data residency for sensitive data forms; configure data retention and auto-deletion in the FormAssembly admin; document all form processing in your RoPA with the specific legal basis for each form type.
Websites using FormAssembly must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is advisable when FormAssembly forms collect sensitive personal data at scale, particularly health data (HIPAA-applicable forms), financial information, or special category data under GDPR Article 9. The US data transfer and the breadth of Salesforce integration data flows also warrant assessment.
Sample consent text
This form is powered by FormAssembly. The data you submit will be processed by FormAssembly and may be transferred to servers in the United States. Please review our privacy policy to understand how your data will be used before submitting this form.
Third-party domains contacted
formassembly.com
app.formassembly.com
cdn.formassembly.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| FASM_SESSION | session | Session | Session management cookie required for secure form submission and CSRF protection |
| fa_track | persistent | 1 year | Form interaction tracking cookie used to measure form completion rates and funnel analytics |
When FormAssembly forms are embedded on a website, the form script may set functional cookies for session management and CSRF protection. For forms served from formassembly.com, cookies are set on the FormAssembly domain. Embedded forms on your own domain require ePrivacy consent for any non-essential cookies.
For form submission data, no separate cookie consent is needed if the form uses a contract performance basis. However, embedded form scripts that set non-essential cookies require ePrivacy consent. Every form must include a privacy notice informing submitters of the data controller, legal basis, and US transfer.
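The consent gating described above, as an added example that is not FormAssembly's or FlowConsent's code: it withholds the embed script until ePrivacy consent is recorded, classifies cookies against the table above, and flags fa_track appearing before consent was given. The consent object shape ({ analytics: true }) and the embed script URL are assumptions; substitute your CMP's API and FormAssembly's real embed URL.

```javascript
// Cookie classification taken from the table on this page.
const COOKIE_POLICY = {
  FASM_SESSION: { essential: true, purpose: "session management and CSRF protection" },
  fa_track: { essential: false, purpose: "form completion and funnel analytics" },
};

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar[name] = part.slice(idx + 1).trim();
  }
  return jar;
}

// Sort cookies present into essential, non-essential and unknown; unknown
// names should be reviewed rather than silently treated as essential.
function classifyCookies(cookieString) {
  const result = { essential: [], nonEssential: [], unknown: [] };
  for (const name of Object.keys(parseCookies(cookieString))) {
    const policy = COOKIE_POLICY[name];
    if (!policy) result.unknown.push(name);
    else if (policy.essential) result.essential.push(name);
    else result.nonEssential.push(name);
  }
  return result;
}

// Consent object shape is an assumption: { analytics: true } means the
// visitor accepted the analytics purpose that fa_track serves.
function mayLoadEmbed(consent) {
  return Boolean(consent && consent.analytics === true);
}

// Non-essential cookies that exist although consent was not given: the
// condition a compliance check should flag (embed loaded before the CMP ran).
function cookiesSetWithoutConsent(cookieString, consent) {
  return mayLoadEmbed(consent) ? [] : classifyCookies(cookieString).nonEssential;
}

// Browser-side loader; a no-op outside the DOM so this file also runs in Node.
function loadFormAssemblyEmbed(consent, scriptUrl) {
  if (!mayLoadEmbed(consent) || typeof document === "undefined") return false;
  const s = document.createElement("script");
  s.src = scriptUrl; // placeholder, e.g. "https://cdn.formassembly.com/<embed-script>"
  s.async = true;
  document.head.appendChild(s);
  return true;
}
```

Call loadFormAssemblyEmbed from your CMP's consent callback and run cookiesSetWithoutConsent(document.cookie, consent) on page load to catch a misconfigured page that injects the script unconditionally.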
The basis depends on the form purpose. Contact and service request forms: contract performance (Art. 6(1)(b)) or legitimate interest (Art. 6(1)(f)). Marketing and newsletter sign-up forms: consent (Art. 6(1)(a)). Healthcare and sensitive data forms: explicit consent (Art. 9(2)(a)).
Yes by default. FormAssembly processes data in the US. EU data residency is available on Enterprise plans. Standard Contractual Clauses apply for standard plans. Sign FormAssembly's DPA and document the transfer in your RoPA.
A DPIA is advisable when FormAssembly is used to collect sensitive personal data at scale, particularly in healthcare contexts where HIPAA configuration is used, or when form data is used for automated decision-making or profiling.
Include a privacy notice on every form with the data controller identity, legal basis, data recipients (including FormAssembly), US transfer and SCC safeguard, and data subject rights. For sensitive data, use EU data residency if possible. Sign FormAssembly's DPA. Document the processing in your RoPA.
Typeform and Tally offer EU data residency. For Salesforce-integrated forms with EU data, Formstack (with EU hosting) is an alternative. For self-hosted form solutions with full data sovereignty, open-source tools like Formio or LimeSurvey can be deployed on EU infrastructure.
Use FormAssembly's HIPAA-compliant configuration and sign a BAA (Business Associate Agreement). Under GDPR, health data collected via forms is special category data under Article 9, requiring explicit consent (not just implied consent). Include a specific statement that health information is being collected and will be processed for the stated medical purpose. Evaluate EU data residency for maximum compliance.