What Is the GDPR?
The General Data Protection Regulation (GDPR) is a European Union law that governs how organizations collect, store, and use personal data about individuals in the EU and EEA. It applies to any business that processes EU residents' data — regardless of where that business is located.
As a form builder, Pabble processes personal data on behalf of our customers. This page explains what that means, what obligations it creates, and how we fulfill them.

Our Role: Data Processor
Under the GDPR, there are two key roles:
- Data Controller — decides why and how personal data is processed. This is you (our customer).
- Data Processor — processes data on behalf of the controller. This is Pabble.
When your form respondents submit their name, email, or any other personal information, you are the controller and Pabble is the processor. This means:
- You are responsible for having a lawful basis to collect the data
- You are responsible for informing respondents about how their data will be used
- Pabble is responsible for processing that data securely and only on your instructions
Data Processing Agreement (DPA)
A GDPR-compliant relationship between a controller and processor must be governed by a Data Processing Agreement. Pabble's DPA is available to all customers and covers:
- The subject matter, nature, and purpose of processing
- The type of personal data and categories of data subjects
- Our obligations and rights as a processor
- Sub-processor disclosures
- Data transfer mechanisms for transfers outside the EEA
To request a signed DPA, contact us.
Data Subject Rights
The GDPR grants your form respondents specific rights over their data. Pabble's platform helps you fulfill these:
- Right of Access — Respondents can request a copy of their submitted data. You can export it from the Pabble dashboard at any time.
- Right to Erasure — Respondents can request deletion. You can delete individual responses from the dashboard, or delete the form and all associated data.
- Right to Rectification — If a respondent needs a correction, you can edit the response directly in the dashboard.
- Right to Data Portability — All response data is exportable to CSV or JSON.
Where We Store Data
Pabble stores all customer and response data in data centers located in the European Union (EU). No personal data collected via your Pabble forms is transferred to servers outside the EEA unless you have explicitly configured an integration that does so (e.g., a CRM based in the US).
For integrations that transfer data outside the EEA, we recommend ensuring your privacy policy discloses this and that appropriate safeguards (Standard Contractual Clauses) are in place.
Sub-Processors
We maintain an up-to-date list of sub-processors — third-party services that process data as part of delivering Pabble. You will be notified at least 30 days before any new sub-processor is added. Contact us to request the current sub-processor list.
Security Measures
We implement appropriate technical and organizational measures to protect personal data, including:
- AES-256 encryption at rest
- TLS 1.2+ encryption in transit
- Role-based access control with MFA for all staff
- Automated vulnerability scanning and annual penetration testing
- Incident response procedures with 24-hour breach notification commitment to affected controllers
See our SOC 2 Type II page for a full breakdown of our security controls.
Contact Our Data Protection Team
For GDPR-related inquiries, DPA requests, or to exercise data subject rights on behalf of your respondents:
- Email: privacy@pabble.app
- Form: Contact us
We respond to all privacy requests within 72 hours.