Hello Typeform community,
This is Rai from the Typeform Compliance Support team. This article is the second part of our four-part Compliance & Security 101 series. This time we're looking at GDPR, data protection and HIPAA.
Data protection is a common topic in the tickets we receive from users and customers. At Typeform we know the protection of your data is very important, and we wanted to give the community the basics for a better understanding of how it works at Typeform.
As you may already know, the GDPR (General Data Protection Regulation) is a big deal. It became applicable in the EU in May 2018 and is now applied, or at least used as a guideline, for data protection in many other countries worldwide.
HIPAA is an important regulation in the USA that organisations and users of data collection platforms like Typeform need to comply with when collecting health-related data from their respondents.
Here’s a short introduction to the topic, along with details of where you can find support on these topics on our Help Center.
Now, let's take a look at the data protection and HIPAA-related questions we get asked about a lot…
GDPR & data protection
Is Typeform GDPR compliant?
Yes, absolutely. At Typeform, all our customers' data is processed in compliance with this framework, regardless of the country the customer is in. Please read more about this here and here.
Is Typeform CCPA compliant?
Our Privacy Policy was prepared in accordance with the GDPR, which imposes obligations similar to those of the California Consumer Privacy Act (CCPA). You can find the DPA and CCPA sections of our documentation here.
Where are Typeform's servers located and where is the data stored/processed?
Typeform's infrastructure is hosted by Amazon Web Services (AWS). Our main servers are located in Virginia, USA, and the AWS infrastructure we run on is compliant with recognised security and privacy standards.
Can I decide where my data is stored?
Currently this is not an option, although it may be considered in the future. Rest assured that the security and integrity of your data are critically important to us, and we have built our services around this idea.
Typeform is transferring data between Europe and the US, does this mean you are still GDPR compliant?
Yes, we are. These transfers rely on Standard Contractual Clauses (SCCs). You can read more about this in our Data Processing Agreement (DPA, section 4) here, as well as in this Help Center article here.
Who owns/is responsible for the data that is collected in my forms?
The data collected in forms created by you is owned by you, and you are also responsible for handling any requests from your respondents to remove data they submitted via your form. Responses can be deleted from the Responses section of the typeform. This article explains how to do it.
What can I do when my respondents request their form data to be deleted?
See above. Responses can be deleted from the Responses section of each typeform they submitted data to. See also GDPR rights for respondents.
Do you share your data with other companies / 3rd parties?
On this page you can see all the third parties we share data with, what we share and why. It also lets you sign up for our newsletter to be notified of any changes to that page.
Can I sign a custom Data Processing Agreement (DPA)?
Custom DPAs are currently offered to Enterprise customers only. Customers on our prepaid subscriptions can access the DPA they agreed to when signing up to Typeform here.
HIPAA & Business Associate Agreements (BAA)
Is Typeform certified in HIPAA/ HIPAA compliant?
Short answer, YES! As mentioned in this Help Center article, Typeform successfully passed the compliance assessment, which allows the company to sign a Business Associate Agreement (BAA) with its clients when needed.
I work for a healthcare provider or organisation and/or need to collect health-related data from US-based respondents through my typeforms. Do I need to comply with HIPAA, and how?
To comply with HIPAA regulations, you can sign a BAA with us. Please contact our legal team via the form on this Help Center page.
I am not based in the US and my respondents aren't based there either. What if I want to collect health-related data from them?
In principle you do not need to sign a BAA; however, we strongly recommend checking the requirements in your local jurisdiction for collecting health-related data with your typeforms.
I need to collect Social Security numbers, do I need to comply with HIPAA or sign a BAA?
Yes, signing a BAA with us is a requirement for collecting SSNs via your forms.
I hope this FAQ has answered any questions you may have had about this topic, but if there's something you're still wondering, let us know.