Formstack is a web technology service that provides essential functionality for websites and digital platforms. It delivers core capabilities that support site operations, content delivery, and user experience optimization. Formstack integrates seamlessly with modern web architectures, ensuring reliable performance and compatibility across browsers and devices. Trusted by businesses worldwide, Formstack helps organizations maintain robust websites that meet user expectations and technical requirements.
Formstack, founded in 2006 in Indianapolis, has grown from a SaaS form builder into a workplace productivity platform combining online forms, document generation, electronic signature and workflow automation. Used by tens of thousands of businesses including hospitals, banks and universities, it positions itself as a no code alternative to building back office processes.
Formstack offers four main modules: Forms (drag and drop builder with conditional logic, payments, file uploads), Documents (template based document generation), Sign (electronic signature with full audit trail) and Workflows (multi step approvals). Forms can be embedded as iframe, JavaScript or full page link. Integrations include Salesforce, HubSpot, Stripe, PayPal, Microsoft 365, Workday and Slack.
The Formstack embed loads JavaScript from formstack.com and sets third party cookies including ga_session, fs_session, an _ga identifier (when analytics is enabled) and __cf_bm (Cloudflare). Submissions, IP, user agent, referrer and time on form are stored on Formstack servers. The platform offers field level encryption for sensitive data and granular access controls.
Formstack acts as a processor under Art. 28 GDPR. Website operators must sign the Formstack DPA, document Formstack as a sub processor and choose the EU data residency option when relevant. The embedded widget sets third party cookies that require prior consent under Art. 5(3) ePrivacy. Formstack is self certified under the EU US Data Privacy Framework.
Standard plans store data in AWS us-east-2 (Ohio). Enterprise customers can request the EU Data Region (AWS eu-west-1, Dublin). Healthcare customers can request a HIPAA-isolated environment with a Business Associate Agreement. Transfers to the US rely on the EU-US DPF or on Standard Contractual Clauses with supplementary measures.
Block the Formstack widget until consent. Sign the DPA and request EU data residency when handling EU resident data. Enable field level encryption for sensitive fields. Configure retention policies. Add a privacy notice and consent checkbox to every form. Document Formstack as a sub processor in your records of processing and your privacy notice with the US transfer mechanism.
Websites using Formstack must obtain user consent under GDPR regulations.
Third-party domains contacted
formstack.com, www.formstack.com, cdn.formstack.com, submit.formstack.io

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| fs_session | third_party | Session | Session identifier set by formstack.com to track the current form submission state. |
| ga_session | third_party | Session | Internal session cookie used by Formstack for form analytics and submission attribution. |
| _ga | third_party | 2 years | Google Analytics identifier set on formstack.com when Formstack analytics is enabled. |
| __cf_bm | third_party | 30 minutes | Cloudflare bot management cookie used to distinguish humans from bots on formstack.com. |
The embedded Formstack widget sets third party cookies on formstack.com: ga_session, fs_session, _ga (when analytics is enabled) and __cf_bm (Cloudflare). All require prior consent in the EEA except __cf_bm which is often claimed as strictly necessary for bot protection.
Yes for the embedded widget. The third party cookies require consent under Art. 5(3) ePrivacy. The submission data itself can be processed under Art. 6(1)(b) GDPR (pre contractual) with marketing fields under consent.
Contract or pre contractual measures (Art. 6(1)(b)) for contact and quote forms. Consent (Art. 6(1)(a)) for cookies and marketing fields. Healthcare data is processed under HIPAA with a BAA in the US. Sensitive data (Art. 9 GDPR) needs explicit consent.
By default yes. Enterprise customers can activate the EU Data Region (Dublin). Otherwise transfers rely on the EU US Data Privacy Framework (Formstack is certified) or on Standard Contractual Clauses with supplementary measures and a TIA.
A DPIA is recommended when Formstack collects special categories of data, employee data, financial data or is connected to payments and signatures. The DPIA documents the residency choice, the transfer mechanism, the encryption, and the rights workflow.
Block the widget until consent. Sign the DPA. Activate EU Data Region for EU resident data. Enable field level encryption for sensitive fields. Add a privacy notice and consent checkbox. Set retention policies. Document Formstack as a sub processor.
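To verify that the widget really is blocked until consent, the following added example (not Formstack or FlowConsent code) audits a capture of page events against the third-party domains and cookie names listed on this page. The event format, the sample capture and the placeholder paths are assumptions made for illustration.

```javascript
// Added example: pre-consent audit for the Formstack embed. Not Formstack or FlowConsent code.
// Domains and cookie names are the ones listed on this page; the event format is an assumption.
const FORMSTACK_HOSTS = ["formstack.com", "www.formstack.com", "cdn.formstack.com", "submit.formstack.io"];
const CONSENT_COOKIES = ["fs_session", "ga_session", "_ga"];
const CLAIMED_NECESSARY = ["__cf_bm"]; // reported for review, not as a violation

// True when the host is a listed domain or a subdomain of one (lookalike suffixes do not match).
function isFormstackUrl(url) {
  let host;
  try {
    host = new URL(url).hostname.toLowerCase();
  } catch {
    return false;
  }
  return FORMSTACK_HOSTS.some((d) => host === d || host.endsWith("." + d));
}

// events: [{ t, type: "request" | "cookie" | "consent", url?, name?, domain? }]
// Everything that happens before the first consent event is checked.
function auditPreConsent(events) {
  const sorted = [...events].sort((a, b) => a.t - b.t);
  const consent = sorted.find((e) => e.type === "consent");
  const consentAt = consent ? consent.t : Infinity;
  const findings = { violations: [], review: [] };
  for (const e of sorted) {
    if (e.t >= consentAt) break;
    if (e.type === "request" && isFormstackUrl(e.url)) {
      findings.violations.push(`request before consent: ${e.url}`);
    } else if (e.type === "cookie") {
      const host = String(e.domain || "").replace(/^\./, "");
      if (!isFormstackUrl("https://" + host)) continue;
      if (CONSENT_COOKIES.includes(e.name)) findings.violations.push(`cookie before consent: ${e.name}`);
      if (CLAIMED_NECESSARY.includes(e.name)) findings.review.push(`justify as strictly necessary: ${e.name}`);
    }
  }
  return findings;
}

// Constructed sample capture (t in ms since page load; paths are placeholders).
const SAMPLE_EVENTS = [
  { t: 120, type: "request", url: "https://cdn.formstack.com/placeholder.js" },
  { t: 180, type: "cookie", name: "__cf_bm", domain: ".formstack.com" },
  { t: 200, type: "cookie", name: "fs_session", domain: ".formstack.com" },
  { t: 250, type: "request", url: "https://formstack.com.example.net/placeholder.js" },
  { t: 900, type: "consent" },
  { t: 950, type: "cookie", name: "_ga", domain: ".formstack.com" },
];
console.log(auditPreConsent(SAMPLE_EVENTS));
```

An empty `violations` list means nothing from the listed domains loaded and none of the consent-requiring cookies was set before the consent event; entries under `review` need a documented strictly-necessary justification.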
EU based SaaS: Tally (Belgium), Typeform (Spain), Formbricks (open source). US SaaS: Jotform (with EU residency), SurveyMonkey, Wufoo. WordPress self hosted: Gravity Forms, WPForms, Ninja Forms, Fluent Forms.
Track the Formstack sub processor list and trust centre. When sub processors, certifications or residency options change, update your cookie table, privacy notice and records of processing, and bump the consent banner version.