Legal

Data Processing Agreement

Last updated: 13 July 2026

If you use Forgelo to build sites that collect personal data from other people, for example a contact form on a site you built for a client, then you are the controller of that data and we are your processor. GDPR Article 28 says that relationship needs a written contract. This is that contract.

It applies automatically to every business customer as part of the Terms of Service. If your buyer or your own client needs a signed copy on paper, email hello@forgelo.com and we will sign one.

This is a working draft prepared in house and not yet reviewed by external counsel. Treat it as our commitment about how we handle data, and have your lawyer read it before you rely on it in a regulated procurement.

1. Who is who

You (the Customer) are the data controller. You decide what personal data your sites collect and why.

Forgelo, operated by Creativism of Yogyakarta, Indonesia, is the data processor. We process that personal data only to provide the service to you.

This agreement covers only the data you process through Forgelo as a controller. The data we hold about you, our own customer, such as your account and your billing, is covered by the Privacy Policy, where we are the controller.

2. What we process, and for how long

3. We only act on your instructions

We process personal data only on your documented instructions, which for the most part means: as needed to provide the service you signed up for, as described in the Terms of Service and in the settings you choose.

We will not process it for our own purposes, and we will not sell it. We do not use data your sites collect to train AI models.

If the law requires us to process it some other way, we will tell you before we do, unless the law forbids us from telling you.

If we think an instruction of yours breaks data protection law, we will tell you, and we may pause that processing until it is resolved.

4. Confidentiality

Everyone at Forgelo who can access personal data is bound to keep it confidential, and access is limited to the people who actually need it to do their job.

5. Security measures

We take appropriate technical and organisational measures under Article 32, which today means:

6. Subprocessors

You give us general authorisation to use the subprocessors below. Each of them is bound by written terms that impose data protection obligations equivalent to the ones in this agreement.

7. Changing a subprocessor

If we want to add or replace a subprocessor, we will update this page and email the address on your account at least 30 days before the change takes effect. If you have a reasonable data protection objection, tell us within those 30 days and we will try to resolve it. If we cannot, you may terminate the affected part of the service and we will refund the unused portion of your term.

8. International transfers

We are in Indonesia and most of our subprocessors are in the United States, so personal data will leave the country it was collected in.

For data covered by the GDPR, transfers are made under the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914), or under an adequacy decision where one applies. For UK data we use the UK Addendum to those clauses.

For data covered by Indonesia's Personal Data Protection Law (Law No. 27 of 2022), we apply Article 56: we assess whether the receiving country's level of protection is equal to or higher than Indonesian law, and where it is not, we ensure adequate and binding safeguards are in place before the transfer.

Ask us and we will give you the transfer safeguards that apply to any specific subprocessor.

9. Helping you with your obligations

10. Deletion and return

You can export or delete your data from the app at any time. When your account closes, we delete personal data within 30 days and purge it from backups within 90 days, except where the law requires us to keep something, such as payment records for tax. On request, and before deletion, we will return a copy in a common machine readable format.

11. Audits

We will give you the information you need to show that we are meeting Article 28, including our security documentation and any third party reports our providers publish. If that is not enough, you may audit us once a year, on 30 days' written notice, at your cost, at a time that does not disrupt the service, and subject to confidentiality. We may satisfy an audit request by giving you an independent report instead.

12. Liability

Liability under this agreement is subject to the limits in the Terms of Service, except where data protection law says it cannot be.

13. How to accept this

Using Forgelo as a business customer accepts these terms, and no signature is needed. If your procurement process requires a countersigned copy, or your own DPA template, email hello@forgelo.com with the document and we will review and sign it.