This article explains where Form Publisher's data is stored and how our processing complies with GDPR. It also explains our compliance with GDPR’s International Data Transfer clause.
The legitimacy of our data processing operations
Data Storage
We store and process your user and usage data (refer to the article: [DATA STORAGE] What data is stored by Form Publisher and how is it used?) in Firebase, the Google cloud-hosted database.
Google manages Firebase, and its servers are located primarily in the United States(refer to the Firebase’s privacy policy for more information).
Form Publisher data and processing's physical storage is protected under Data Processing and Security Terms of Google Cloud Platform.
Data Processing
Form Publisher is GDPR compliant as we do not transfer any personal data. We never save your content or data of your google form or the documents generated out of your google form submission, in our database.
If a document approval workflow is set up, we store the specific configuration data and the generated file information in Google Firebase. This data is essential for Form Publisher’s web app to trigger email notification and update the approval information in the Form responses spreadsheet whenever there is an approval action on the document flow.
On the legality of the electronic signature proposed by Form Publisher:
We consider that e-signatures through Form Publisher is legally binding since it meets the requirements of US law and, notably, Form Publisher allows us to fulfil the requirement to maintain a digital audit trail that associates the signature with unique signifiers. Indeed, in order to sign a form sent through Form Publisher and then approve the workflow, the user needs to log to the application first. Therefore, identification and authentication of the signer are done and associated with the signature.
Do we do international transfer of personal data?
We won't transfer, sell, make copies, or share any of your data stored by Form Publisher to third party services or companies.
Which Data Transfer mechanisms does Form Publisher rely on? Standard Clauses or Privacy Shield?
Upon completion of the DPA, it is stipulated that: The application of lawful data transfer mechanisms for our customers who wish to transfer personal data to a third country (outside the EEA) in accordance with Article 45 or 46 of the GDPR, relies on entering into Standard Contractual Clauses or offer any alternative transfer solution if requested (for example, the EU-U.S. Privacy Shield).
On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States.
However, Awesome Gapps does not depend on the Privacy Shield mechanism. Instead, Awesome Gapps relies on the Standard Contractual Clauses to transfer all of its users’ EEA personal data according to the GDPR. The Court confirmed that such Standard Contractual Clauses remain a valid data export mechanism. The Standard Contractual Clauses are referenced in and automatically apply through Awesome Gapps' Data Processing Addendum, which you can find here.
That means that our users can take comfort that their EEA personal data continues to be protected to European standards in compliance with applicable data protection laws, including GDPR.
Is Form Publisher HIPAA Compliant?
It is possible to use Form Publisher and be compliant with the Health Insurance Portability and Accountability Act (HIPAA). To do so, you need to form a Business Associate Agreement (BAA) with Form Publisher regarding the data stored on Form Publisher. This will make using Form Publisher HIPAA compliant.
To request a BAA from us, please fill in this Google Form and you will automatically receive our standard BAA to sign.
On HIPAA compliance of electronically signing with Form Publisher:
Signature process does not fall under the BAA in itself as electronic signature is not regulated by HIPAA. So if you are requesting a patient to fill in a medical form with PHI, the form will be covered by the BAA and thus HIPAA compliant regardless of whether and how it is signed. HIPAA doesn’t mandate the way documents are signed, so an electronic signature in itself doesn’t conflict with HIPAA, but it doesn’t constitute compliance on its own either. HIPAA governs the use and transmission of PHI, which may or may not be contained in signed documents.
To read more about what data is stored on Form Publisher, please refer to this page.