Typeform is GDPR compliant as a data processor. It provides a Data Processing Agreement, Standard Contractual Clauses for EU-to-US transfers, and ISO 27001 and SOC 2 Type II certifications. But that covers only Typeform's side. Your use is compliant only if you meet your own controller-side duties: lawful in-form consent, data minimization, retention limits, and cookie consent for embedded forms.
This article covers what Typeform provides and what you must do as the form owner. It also explains the cookie-consent layer most people miss and how responsibility divides between Typeform and you.
Is Typeform GDPR Compliant? The Short Answer
Typeform is GDPR compliant as a data processor. In its own words, "all our customers' data is processed complying with this framework [GDPR]." Typeform applies that standard worldwide (Typeform Help Center).
That compliance is real but only covers Typeform's side. You, the form owner, are the data controller. Whether your use of Typeform is GDPR compliant depends entirely on choices you make:
- What data you collect.
- What legal basis you have to collect it.
- How long you retain it.
- How you handle respondents' rights.
- Whether your website gets cookie consent before the embedded form loads.
Typeform gives you the compliance infrastructure. You supply the compliant behavior on top of it.
What Typeform Does for GDPR (the Processor's Side)
As your data processor, Typeform provides four compliance building blocks. They are a Data Processing Agreement, EU-to-US transfer safeguards under Standard Contractual Clauses, independent security certifications, and disclosure of where your data is stored.
Its Data Processing Agreement (DPA) and SCCs
A Data Processing Agreement is the contract that governs how a processor handles a controller's data. Typeform's DPA is built into Section 4 of its Privacy Policy. By accepting Typeform's Terms of Service, you enter into the DPA automatically. No separate signing is required. (Typeform DPA FAQ)
This is legal under GDPR Art. 28 Para. 9, which allows a DPA to be concluded "in writing, including in electronic form." An electronically accepted Privacy Policy satisfies that requirement.
For EU-to-US data transfers, Typeform uses the European Commission's 2021 Standard Contractual Clauses, Module 2 (Controller-to-Processor). If you are an EU-based controller using a standard plan, those SCCs cover you without any additional action.
Enterprise and Growth Custom customers who need a separately executed, custom DPA can request one from Typeform's legal team.
Security Certifications (ISO 27001, SOC 2, and More)
Typeform is certified against two independent security standards:
- SOC 2 Type II (annual third-party audit of security controls)
- ISO 27001 (information security management system)
Technical controls include data encryption in transit (TLS 1.2+) and at rest (AES-256). Typeform also runs regular penetration testing, role-based access control, and SSO on Business and Enterprise plans. (Typeform Security)
Typeform is also a participant in the EU-US Data Privacy Framework. HIPAA compliance, including a Business Associate Agreement, requires the Enterprise Core or Growth Custom plan.
In June 2018, Typeform experienced a data breach affecting data from before May 2018. The company notified customers and supervisory authorities at the time. Typeform has since overhauled its security infrastructure and now operates under the independent SOC 2 Type II and ISO 27001 audit regimes.
Where Typeform Stores Your Data
Standard Typeform plans (Basic, Plus, Business) store response data in the United States, in AWS us-east-1 (Virginia). This is a fact that many "yes, Typeform is GDPR compliant" answers omit.
EU data residency, meaning storage in AWS eu-central-1 (Frankfurt), is available only on the Enterprise Core and Growth Custom plans. On those plans, response data never leaves EU infrastructure. (Typeform Data Storage)
For standard-plan users, the 2021 SCCs cover the EU-to-US transfer. You should document this transfer basis in your Records of Processing Activities if your organization is subject to that requirement.
What You Must Do to Stay Compliant (the Controller's Side)
Typeform's certifications do not make your use of it compliant. As the data controller under GDPR Art. 4(7), you determine the purposes and means of collecting respondents' data. That position carries independent obligations Typeform cannot discharge on your behalf.
Collect Lawful Consent Inside the Form
Every form that collects personal data needs a lawful basis under GDPR Art. 6. For marketing or non-essential data collection, that basis is typically explicit, freely given consent.
In practice, this means:
- Add a clear consent question or checkbox to the form.
- Never pre-tick it.
- Link to your privacy notice from within the form.
- State the specific purpose for which the data will be used.
Consent collected through dark patterns (pre-ticked boxes, confusing language, or bundled permissions) is invalid under GDPR. An uncompliant form consent voids your lawful basis regardless of Typeform's own processor compliance.
Minimize Data and Set a Retention Period
Under GDPR Art. 5(1)(c), you may only collect data that is adequate, relevant, and limited to what is necessary for the stated purpose. That means reviewing every field in your form and removing any that are not strictly needed.
Under Art. 5(1)(e), you must not keep response data longer than necessary. Typeform retains response data for as long as your account is active. The retention schedule you apply to that data is your decision. Set a retention period, record it in your data inventory, and delete responses on that schedule.
Handle Data-Subject Requests
Respondents exercise their GDPR rights (access, rectification, erasure, portability) through you, not through Typeform. Typeform's documentation is explicit. Respondents are told to "contact the person or organization that created the typeform." Typeform only acts directly if it cannot reach the form owner. (Typeform GDPR Rights)
You need a documented process for receiving, locating, exporting, and deleting an individual's responses on request. Typeform provides export and deletion tools in the admin panel; using them in response to a valid request is your responsibility, not Typeform's.
The Part Most People Miss: Cookie Consent for an Embedded Typeform
When you embed a Typeform with the standard iframe install, the embed loads third-party scripts on your page. Those scripts can set tracking cookies and transfer the visitor's data before they have consented. Under GDPR Art. 28 and the ePrivacy cookie rules, you need prior opt-in consent before that embed loads, plus an easy opt-out.
This obligation is on your site, not inside Typeform. It is separate from and in addition to Typeform's own processor compliance.
A Typeform community thread from June 2024 documents the problem precisely. A visitor accepted cookies on a host website through a site-level CMP, then opened a page with an embedded Typeform. The form showed a second, unconnected consent request of its own. The two systems do not communicate. In November 2025, a Typeform staff member confirmed that no fix exists, stating: "It's not possible to inject the code into Typeform" (Typeform Community).
A workaround circulating in that thread is to add data-cookieconsent="ignore" to the Typeform embed script. Do not use it. That attribute tells the CMP to skip blocking the script entirely, which means the Typeform embed loads before consent is given. This is the opposite of compliance.
The correct approach is to use a site-level CMP that auto-blocks the Typeform iframe and script until the visitor opts in. The same shared-responsibility test applies to the rest of your tech stack. Embedded tools like Google Analytics raise the same cookie-consent question on your host page. The pattern repeats whether you run Shopify, WordPress, or any other platform with embedded third-party scripts.
Controller vs Processor: Who Is Responsible for What?
Under GDPR Art. 4(7) and 4(8), the controller determines the purposes and means of processing; the processor processes data only on the controller's instructions. When you create a Typeform form, you are the controller and Typeform is your processor.
The table below maps each compliance obligation to the party responsible:
| Obligation | Typeform (Processor) | You (Controller) |
|---|---|---|
| DPA and SCCs | Provides (embedded in Privacy Policy; 2021 Module 2 SCCs) | Accepts via ToS |
| Platform security | Maintains (SOC 2 Type II, ISO 27001, TLS/AES-256) | Verify before deploying |
| Sub-processors | Discloses and manages (AWS, Stripe, Zendesk; 30-day notice) | Review sub-processor list |
| Lawful basis for form data | N/A | Your obligation (Art. 6) |
| In-form consent design | N/A | No pre-ticked boxes; clear purpose; privacy link |
| Data minimization | N/A | Only collect what you need (Art. 5(1)(c)) |
| Retention period | Retains while account is active; deletes on account deletion | Set and enforce your own schedule (Art. 5(1)(e)) |
| Data-subject rights (access, erasure) | Provides admin tools; assists on request | First point of contact; must fulfill requests |
| Cookie consent for the embed | N/A | Block the embed until the visitor opts in (ePrivacy/GDPR) |
| Breach notification | Notifies you within 72 hours (GDPR Art. 33) | Notify your supervisory authority within 72 hours of learning of a breach |
| Does Typeform sell your data? | No. "The typeforms you create are yours." Typeform does not share response data with third parties except sub-processors named in its list. | Review sub-processor list; do not connect integrations that conflict with your stated purpose. |
How Consently Helps You Embed Typeform Compliantly
Consently does not change how Typeform processes form responses. It solves the cookie-consent layer you inherit the moment you embed a Typeform on your site. That is a distinct obligation, and one Typeform's built-in cookie consent feature does not resolve.
Consently is a consent management platform. Its Customizable Cookie Banner adds a GDPR opt-in banner to your site with a single script. You style it to match your brand from button labels to corner radius, with a live preview before publishing. No developer needed.
The feature that solves the embedded Typeform problem is Consently's automatic cookie and tracker scanning with iframe blocking. Consently scans your pages and detects the cookies, scripts, and iframes they set, including the Typeform embed. It then blocks those non-essential scripts and iframes from loading until the visitor opts in through the banner. When a visitor gives consent, the Typeform embed loads. If they decline, it does not. This is what "prior opt-in consent before the embed becomes active" means in practice.
Consently also passes Google Consent Mode v2 and IAB TCF v2.3 signals. It logs each visitor's consent choice for your audit trail. If you run other embedded tools on the same site, those are scanned and blocked too.
To be clear about scope: Consently handles your website's cookie-consent layer. It does not affect Typeform's response-data processing, its DPA, or the in-form consent you configure inside Typeform. Those remain your separate obligations.
Try Consently free and add Consently's cookie banner to your site in minutes. No credit card required.
FAQs
Is Typeform GDPR compliant?
Yes, as a data processor. Typeform provides a DPA embedded in its Privacy Policy, 2021 SCCs for EU-to-US transfers, and ISO 27001 and SOC 2 Type II certifications. Your own use is compliant only if you meet your controller-side duties. Those duties are lawful in-form consent, data minimization, a retention period, data-subject request handling, and cookie consent before your embedded Typeform loads.
Do I need to sign a DPA with Typeform?
No separate signature is required. Typeform's DPA is part of Section 4 of its Privacy Policy. Accepting the Terms of Service constitutes acceptance of the DPA under GDPR Art. 28 Para. 9. If you need a custom, separately executed DPA, that is available on Enterprise or Growth Custom plans.
Where does Typeform store its data?
Standard Typeform plans (Basic, Plus, Business) store response data in Virginia, USA (AWS us-east-1). Typeform uses EU Commission 2021 Standard Contractual Clauses Module 2 to cover that EU-to-US transfer. EU data residency in Frankfurt (AWS eu-central-1), where data stays entirely within the EU, is available only on Enterprise Core and Growth Custom plans.
Does an embedded Typeform set cookies I need consent for?
Yes. An embedded Typeform loads as a third-party iframe that can set tracking cookies and transfer visitor data before they consent. Under GDPR and ePrivacy rules, you must block the embed until the visitor opts in via your site's cookie banner. Typeform's built-in cookie consent does not solve this: it operates inside the form and does not communicate with site-level CMPs.
Is Typeform compliant for collecting sensitive or health data?
Typeform is HIPAA-audited, but HIPAA compliance requires the Enterprise Core or Growth Custom plan and a Business Associate Agreement. For GDPR purposes, collecting health data or other special-category data under Art. 9 requires explicit consent and additional safeguards. You configure those safeguards in your form and data practices, not Typeform.
Who is the data controller when I use Typeform?
You are. Under GDPR Art. 4(7), the controller is the party that determines the purposes and means of processing personal data. You decide what questions to ask, what data to collect, and how to use the responses. Typeform is your processor. Respondents exercise their GDPR rights (access, erasure) through you, not through Typeform.
Can I make Typeform GDPR compliant for free?
Partly. Typeform's DPA and certifications are included on all plans at no extra cost. But you also need a cookie banner on your website that blocks the embedded Typeform until the visitor consents. Free DIY scripts typically lack iframe blocking and do not integrate with a CMP's consent signal, so they leave the cookie-consent obligation unmet. A proper CMP with auto-blocking, like Consently (14-day free trial, no credit card), closes that gap.

