Effective Date: June 23, 2026
This Data Processing Addendum (“DPA”) forms part of and is incorporated into the Form Orah Terms of Service (the “Agreement”) between Pure Grace AI, LLC (“Form Orah,” “Processor”) and the customer agreeing to the Terms (“Customer,” “Controller”). It applies where Form Orah processes Personal Data on Customer’s behalf in providing the Service. If there is a conflict between this DPA and the Agreement on the subject of data protection, this DPA controls.
1. Definitions
Capitalized terms not defined here have the meaning given in the Agreement. “Data Protection Laws” means all privacy and data-protection laws applicable to the processing, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable U.S. state privacy and data-protection laws (including the comprehensive consumer privacy statutes of states such as Virginia, Colorado, Connecticut, Texas, and Oregon). “Personal Data,” “Controller,” “Processor,” “Process/Processing,” “Data Subject,” and “Personal Data Breach” have the meanings in the GDPR; “Business,” “Service Provider,” “Sell,” “Share,” and “Consumer” have the meanings in the CCPA/CPRA. “Customer Personal Data” means Personal Data contained in Customer Content that Form Orah Processes on Customer’s behalf. “Subprocessor” means a third party engaged by Form Orah to Process Customer Personal Data.
2. Roles of the Parties
As between the parties, Customer is the Controller (or, where Customer is itself a processor, the processor) of Customer Personal Data, and Form Orah is the Processor (and, under the CCPA/CPRA, a Service Provider). Each party will comply with its obligations under Data Protection Laws. Customer is responsible for the lawfulness of the Customer Personal Data and of Customer’s collection and instructions, including providing any required notices and obtaining any required consents from Data Subjects.
3. Scope and Instructions
Form Orah will Process Customer Personal Data only (a) to provide and support the Service in accordance with the Agreement, (b) as further documented in Customer’s use and configuration of the Service, and (c) as otherwise instructed by Customer in writing, unless required to act by applicable law (in which case Form Orah will inform Customer of that legal requirement unless prohibited from doing so). The details of Processing are set out in Annex A. Form Orah will inform Customer if, in its opinion, an instruction infringes Data Protection Laws.
4. Confidentiality
Form Orah will ensure that personnel authorized to Process Customer Personal Data are bound by appropriate confidentiality obligations and Process the data only as necessary to provide the Service.
5. Security
Form Orah will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the costs of implementation, and the nature, scope, and purposes of Processing. Those measures are described in Annex B. Form Orah may update its measures from time to time provided the level of protection is not materially reduced.
6. Subprocessing
Customer provides general authorization for Form Orah to engage Subprocessors to Process Customer Personal Data. The current Subprocessors are listed in Annex C. Form Orah will (a) impose data-protection obligations on each Subprocessor that are no less protective than those in this DPA, and (b) remain responsible for each Subprocessor’s performance. Form Orah will provide Customer with a mechanism to be notified of intended changes to its Subprocessors at least 14 days before authorizing a new Subprocessor. If Customer reasonably objects to a new Subprocessor on data-protection grounds, the parties will work in good faith to resolve the concern; if they cannot, Customer may terminate the affected portion of the Service.
7. Data Subject Rights
Taking into account the nature of the Processing, Form Orah will assist Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests from Data Subjects to exercise their rights under Data Protection Laws (access, rectification, erasure, restriction, portability, and objection). The Service provides self-service tools (including data-subject locate-and-erase functionality) that Customer may use to fulfill many such requests directly. If a request is made directly to Form Orah, Form Orah will, where legally permitted, direct the Data Subject to Customer or forward the request to Customer.
8. Personal Data Breach
Form Orah will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will describe, to the extent known, the nature of the breach, the likely consequences, and the measures taken or proposed to address it, and will be supplemented as further information becomes available. Form Orah will take reasonable steps to mitigate and remediate the breach. Notification is not an acknowledgment of fault or liability.
9. Data Protection Impact Assessments
Taking into account the nature of Processing and the information available to it, Form Orah will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities that Customer is required to carry out under Data Protection Laws.
10. Deletion and Return
On termination or expiry of the Agreement, Form Orah will, at Customer’s choice, delete or return Customer Personal Data. Customer may export Customer Content for 30 days after termination; thereafter Form Orah will delete Customer Personal Data in the ordinary course of operations, except to the extent retention is required by applicable law or for the limited period necessary for routine backup cycles, during which the data remains protected by this DPA.
11. International Transfers
Where Form Orah Processes Customer Personal Data subject to the GDPR or UK GDPR and transfers it outside the EEA, the UK, or Switzerland to a country without an adequacy decision, the parties agree that the applicable Standard Contractual Clauses (and the UK Addendum or Swiss amendments, as relevant) are incorporated by reference and apply to that transfer, with Customer as data exporter and Form Orah as data importer. Executed Standard Contractual Clauses are available to Customer on request.
12. CCPA / CPRA Service-Provider Terms
With respect to Customer Personal Data subject to the CCPA/CPRA, Form Orah acts as a Service Provider and will: (a) not Sell or Share such data; (b) not retain, use, or disclose it for any purpose other than the business purposes specified in the Agreement and this DPA, or as otherwise permitted by the CCPA/CPRA; (c) not retain, use, or disclose it outside the direct business relationship with Customer; (d) not combine it with personal information received from or on behalf of other persons, except as permitted by the CCPA/CPRA; and (e) comply with applicable obligations and provide the same level of privacy protection as required of Customer. Form Orah will notify Customer if it determines it can no longer meet these obligations.
13. Consumer Health Data (Washington My Health My Data Act)
Where Form Orah processes “consumer health data” as defined by the Washington My Health My Data Act (MHMDA) on Customer’s behalf, Form Orah acts as a processor and will: (a) process such data only pursuant to Customer’s documented instructions and this DPA, which constitute the binding processing instructions required by RCW 19.373.060; (b) not sell or share consumer health data and not use or disclose it for any purpose outside those instructions; (c) assist Customer, by appropriate technical and organizational measures and insofar as reasonably possible, in meeting Customer’s MHMDA obligations, including responding to consumer requests to access, withdraw consent, or delete consumer health data, and deleting such data and notifying relevant subprocessors on Customer’s instruction; and (d) not implement a geofence around any in-person health care service location through the Service. Form Orah acknowledges that if it processes consumer health data outside Customer’s instructions it may be treated as a regulated entity for that data under MHMDA. Customer, as the regulated entity, is responsible for obtaining any consent or authorization MHMDA requires and for maintaining its own consumer health data privacy policy. Form Orah’s own consumer health data practices are described in its Consumer Health Data Privacy Policy.
14. Audits
Form Orah will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer. To minimize disruption, Form Orah may satisfy audit requests by providing relevant certifications, third-party audit reports, or its security documentation, and any on-site audit will be on reasonable prior notice, during business hours, no more than once per year (absent a Personal Data Breach or regulatory requirement), and subject to confidentiality.
15. Liability
Each party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
16. Governing Law and Term
This DPA is governed by the law specified in the Agreement (the State of California), except where Data Protection Laws require otherwise. This DPA takes effect when Customer accepts the Agreement (or signs this DPA) and remains in effect for as long as Form Orah Processes Customer Personal Data.
Annex A — Details of Processing
Subject matter: Form Orah’s provision of the Service (lead-capture forms, lead scoring, automated follow-up, messaging, AI features, e-signature, and payment/donation collection) to Customer.
Duration: For the term of the Agreement, plus the post-termination period in Section 10.
Nature and purpose: Hosting, storage, transmission, analysis, enrichment, scoring, and routing of form submissions and related lead data; sending email and SMS/WhatsApp communications at Customer’s direction; AI-assisted scoring, summarization, and drafting; and synchronization with Customer-configured third-party services.
Types of Personal Data: Identifiers and contact details (name, email, phone, address); form submission content and free-text provided by Data Subjects; lead metadata, scores, and interaction/analytics data; message content; and, where Customer collects them, additional fields configured by Customer. Customer is responsible for not submitting special-category or regulated data (including PHI) except as permitted under the Agreement.
Categories of Data Subjects: Customer’s leads, prospects, customers, donors, applicants, and other individuals who submit Customer’s forms or communicate with Customer through the Service.
Annex B — Technical and Organizational Security Measures
- Encryption: Personal Data encrypted in transit (TLS) and at rest; field-level/application-level encryption for designated sensitive fields, with fail-closed handling.
- Access control: Role-based access controls and least-privilege; team/role permissions within the Service; authentication controls and session management.
- Application security: Rate limiting on authentication and submission endpoints; bot protection (CAPTCHA/Turnstile) on forms; input validation and ownership/authorization checks on API routes.
- Tenant isolation: Logical separation of each customer’s data within a multi-tenant architecture.
- Logging and monitoring: Audit logging of administrative and security-relevant actions; monitoring of the application and infrastructure.
- Data lifecycle: Configurable, enforced data-retention windows and automated deletion; data-subject locate-and-erase tooling.
- Vendor management: Reputable infrastructure and subprocessors (Annex C) with their own security and compliance programs.
- Organizational: Confidentiality obligations for personnel; change-management and deployment controls; security reviews and remediation of identified issues.
Annex C — Subprocessors
Infrastructure (core)
| Subprocessor | Purpose |
|---|---|
| Vercel | Application hosting / serverless compute |
| Neon | Managed Postgres database hosting |
| Cloudflare (Turnstile) | Bot protection / CAPTCHA on form submission |
Service delivery (core)
| Subprocessor | Purpose | Data shared |
|---|---|---|
| Anthropic | AI lead scoring, summaries, follow-up drafting (Claude) | Submission field values, form metadata |
| OpenAI | Auxiliary AI generation and classification | Submission field values, form metadata |
| SendGrid | Transactional / notification email delivery | Email, name, lead summary |
| Resend | Transactional / notification email delivery | Email, name, lead summary |
| Twilio | Two-way SMS / A2P messaging to leads (where enabled) | Phone number, message content |
| Stripe | Payment and donation processing | Name, email, tokenized payment details |
Customer-activated (optional — engaged only when Customer connects them)
| Subprocessor | Purpose |
|---|---|
| HubSpot | CRM contact sync |
| Salesforce | CRM lead sync |
| Zoho CRM | CRM lead sync |
| Airtable | Lead records sync |
| Notion | Lead records sync |
| Mailchimp | Email-marketing list subscription |
| Kit (ConvertKit) | Email-marketing subscription |
| Meta (Facebook/Instagram) | Social DM lead intake / messaging |
| Google Sheets | Submission export to a spreadsheet |
| Slack | New-lead notifications |
| Zapier | Generic webhook automation |
| Make | Generic webhook automation |
An up-to-date subprocessor list is maintained by Form Orah and available to Customer on request.
Contact
Data-protection inquiries: legal@formorah.com — Pure Grace AI, LLC.