GDPR compliance - where is form data stored and can we delete it

our legal team is asking about data residency and GDPR compliance for the forms we run. specifically: - where are form submissions stored geographically? - can we set up automatic data retention policies (delete after X days)? - is there a way to export and delete all data for a specific user (right to erasure)? - are submissions encrypted at rest? not trying to be paranoid but we collect PII through our forms and need to check these boxes. any info would be appreciated