Data Processing Agreement
Last updated: 13 July 2026
If you use Forgelo to build sites that collect personal data from other people, for example a contact form on a site you built for a client, then you are the controller of that data and we are your processor. GDPR Article 28 says that relationship needs a written contract. This is that contract.
It applies automatically to every business customer as part of the Terms of Service. If your buyer or your own client needs a signed copy on paper, email hello@forgelo.com and we will sign one.
This is a working draft prepared in house and not yet reviewed by external counsel. Treat it as our commitment about how we handle data, and have your lawyer read it before you rely on it in a regulated procurement.
1. Who is who
You (the Customer) are the data controller. You decide what personal data your sites collect and why.
Forgelo, operated by Creativism of Yogyakarta, Indonesia, is the data processor. We process that personal data only to provide the service to you.
This agreement covers only the data you process through Forgelo as a controller. The data we hold about you, our own customer, such as your account and your billing, is covered by the Privacy Policy, where we are the controller.
2. What we process, and for how long
| Item | Detail |
|---|---|
| Subject matter | Providing the Forgelo AI website builder: generating, hosting, and serving the websites you create, and processing whatever those websites collect |
| Duration | For as long as your account is open, plus the deletion periods in section 10 |
| Nature and purpose | Storage, hosting, generation, display, backup, and deletion of content and of data submitted to your sites |
| Types of personal data | Whatever your sites collect. Typically: names, email addresses, phone numbers, WhatsApp numbers, and free text messages submitted through contact and lead forms. Plus the technical data of your sites' visitors, such as IP address |
| Categories of data subjects | Visitors to the websites you publish, and the people whose details you enter into them |
| Special category data | Not expected. Do not use Forgelo forms to collect health data, biometric data, or other special category data without telling us first |
3. We only act on your instructions
We process personal data only on your documented instructions, which for the most part means: as needed to provide the service you signed up for, as described in the Terms of Service and in the settings you choose.
We will not process it for our own purposes, and we will not sell it. We do not use data your sites collect to train AI models.
If the law requires us to process it some other way, we will tell you before we do, unless the law forbids us from telling you.
If we think an instruction of yours breaks data protection law, we will tell you, and we may pause that processing until it is resolved.
4. Confidentiality
Everyone at Forgelo who can access personal data is bound to keep it confidential, and access is limited to the people who actually need it to do their job.
5. Security measures
We take appropriate technical and organisational measures under Article 32, which today means:
- Encryption in transit (TLS) and encryption at rest through our hosting and database providers.
- Row level security in the database, so one customer's data cannot be read by another.
- Passwords stored hashed, never in plain text.
- Access to production limited to named people, with authentication required.
- Rate limiting and abuse detection on public endpoints.
- Regular backups, and a documented deletion path.
- Security is a moving target, so these measures will change. We will not weaken them below the level described here without telling you.
6. Subprocessors
You give us general authorisation to use the subprocessors below. Each of them is bound by written terms that impose data protection obligations equivalent to the ones in this agreement.
| Subprocessor | What they do | Location |
|---|---|---|
| Vercel Inc. | Application hosting, edge delivery, serving published sites | United States, global edge |
| Supabase Inc. | Database, authentication, and file storage | Outside Indonesia |
| Cloudflare, Inc. | R2 object storage for site images | Global network |
| AI model providers | Generating and editing site content from prompts | United States |
| Resend | Transactional email delivery | United States |
| Lemon Squeezy | Merchant of record, card payments and subscriptions | United States |
| Xendit | QRIS and Indonesian payment processing | Indonesia, Singapore |
7. Changing a subprocessor
If we want to add or replace a subprocessor, we will update this page and email the address on your account at least 30 days before the change takes effect. If you have a reasonable data protection objection, tell us within those 30 days and we will try to resolve it. If we cannot, you may terminate the affected part of the service and we will refund the unused portion of your term.
8. International transfers
We are in Indonesia and most of our subprocessors are in the United States, so personal data will leave the country it was collected in.
For data covered by the GDPR, transfers are made under the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914), or under an adequacy decision where one applies. For UK data we use the UK Addendum to those clauses.
For data covered by Indonesia's Personal Data Protection Law (Law No. 27 of 2022), we apply Article 56: we assess whether the receiving country's level of protection is equal to or higher than Indonesian law, and where it is not, we ensure adequate and binding safeguards are in place before the transfer.
Ask us and we will give you the transfer safeguards that apply to any specific subprocessor.
9. Helping you with your obligations
- Data subject requests. If someone contacts us to exercise their rights over data you control, we will not answer for you. We will forward it to you without undue delay and help you respond, including by giving you access to the data through the app.
- Breaches. If we suffer a personal data breach affecting your data, we will notify you without undue delay and, in any event, in time for you to meet your own deadlines: 72 hours under the GDPR, and 3x24 hours under Indonesia's Personal Data Protection Law. We will tell you what happened, what data was involved, what we think the consequences are, and what we are doing about it.
- Impact assessments. We will give you the information you reasonably need for a data protection impact assessment or a prior consultation with a regulator.
10. Deletion and return
You can export or delete your data from the app at any time. When your account closes, we delete personal data within 30 days and purge it from backups within 90 days, except where the law requires us to keep something, such as payment records for tax. On request, and before deletion, we will return a copy in a common machine readable format.
11. Audits
We will give you the information you need to show that we are meeting Article 28, including our security documentation and any third party reports our providers publish. If that is not enough, you may audit us once a year, on 30 days' written notice, at your cost, at a time that does not disrupt the service, and subject to confidentiality. We may satisfy an audit request by giving you an independent report instead.
12. Liability
Liability under this agreement is subject to the limits in the Terms of Service, except where data protection law says it cannot be.
13. How to accept this
Using Forgelo as a business customer accepts these terms, and no signature is needed. If your procurement process requires a countersigned copy, or your own DPA template, email hello@forgelo.com with the document and we will review and sign it.