Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Use ("Agreement") between you ("Customer", "Controller") and HookListener.com ("HookListener", "Processor") and applies to the processing of Personal Data by HookListener on behalf of Customer in connection with the Service.

This DPA applies automatically to all customers on self-serve plans (Pro and Team). By using the Service, you accept the terms of this DPA. For Enterprise customers requiring custom data processing terms, please contact us.

1. Definitions

• "Data Protection Laws" means all applicable data protection legislation, including the EU General Data Protection Regulation (Regulation 2016/679) ("GDPR") and any national implementing legislation.
• "Personal Data" means any information relating to an identified or identifiable natural person that is processed by HookListener as part of the Service.
• "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, transmission, and deletion.
• "Sub-processor" means any third party engaged by HookListener to process Personal Data on behalf of the Customer.

2. Roles and Scope of Processing

Customer acts as the Controller and HookListener acts as the Processor with respect to any Personal Data contained in webhook payloads, HTTP requests, or email content submitted to the Service.

3. Customer Obligations

The Customer shall:

• Ensure that it has a valid legal basis under applicable Data Protection Laws (e.g., consent, legitimate interest, or contractual necessity) for any Personal Data submitted to the Service.
• Be solely responsible for the accuracy, quality, and legality of Personal Data and the means by which it was obtained.
• Provide all necessary notices to, and obtain all necessary consents or authorizations from, data subjects as required under applicable Data Protection Laws.
• Not submit special categories of Personal Data (e.g., health data, biometric data, racial or ethnic origin) to the Service unless the Customer has ensured an appropriate legal basis and adequate safeguards under Article 9 GDPR.
• Use the Service's built-in data deletion tools to fulfill data subject requests (e.g., erasure requests) in a timely manner.

4. HookListener Obligations

HookListener shall:

• Process Personal Data only in accordance with the Customer's documented instructions, which are constituted by the Agreement, this DPA, and the Customer's use of the Service's features and settings.
• Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 5.
• Assist the Customer in responding to data subject rights requests solely through the Service's existing self-serve functionality, as described in Section 8.
• Make available information to demonstrate compliance with this DPA as described in Section 9.
• Notify the Customer of confirmed Personal Data breaches as described in Section 7.

5. Security Measures

HookListener implements and maintains the following technical and organizational security measures:

• Encryption of data in transit using TLS/HTTPS for all connections.
• Encryption of sensitive data at rest.
• Automatic redaction of common sensitive HTTP headers (e.g., Authorization, API keys, cookies) from stored request data.
• Authentication and access controls for the Service, including API key authentication and session-based access.
• Infrastructure hosted in European data centers with industry-standard physical and network security.
• Automatic data deletion in accordance with plan-based retention periods.

6. Sub-processors

Customer provides general written authorization for HookListener to engage Sub-processors to assist in providing the Service. A current list of Sub-processors is maintained at the Sub-processors page.

HookListener will notify Customer of any changes to Sub-processors by updating the Sub-processors page. Customer may subscribe to change notifications by contacting HookListener support. Customer has 30 days from the date of notification to object to a new Sub-processor on reasonable data protection grounds. If Customer objects, Customer's sole remedy is to terminate the affected Service by canceling their subscription. No refunds or credits will be issued for the remaining subscription period in such case.

HookListener shall impose data protection obligations on Sub-processors that are no less protective than those in this DPA.

7. Data Breach Notification

HookListener shall notify the Customer without undue delay after becoming aware of a confirmed Personal Data breach affecting Customer's data. The notification shall include, to the extent reasonably available at the time:

• A general description of the nature of the breach.
• A description of the measures taken or proposed to address the breach.

HookListener shall provide additional information as it becomes reasonably available. The Customer is solely responsible for notifying the relevant supervisory authority and affected data subjects, where required under applicable Data Protection Laws, and for determining whether a breach is notifiable.

8. Data Subject Rights

The Customer is solely responsible for responding to data subject requests (access, rectification, erasure, portability, restriction, or objection). HookListener's obligation to assist is fulfilled entirely through the Service's existing self-serve functionality:

• Individual request deletion via the Service dashboard.
• Endpoint deletion, which removes all associated request data.
• Full account deletion, which permanently removes all Customer data.

These tools constitute the full extent of HookListener's assistance with data subject requests. HookListener is not obligated to provide manual assistance, custom data exports, or bespoke processing beyond these tools. If a data subject contacts HookListener directly, HookListener may, but is not obligated to, redirect them to the Customer.

9. Audits

HookListener satisfies its obligation to make available information necessary to demonstrate compliance with this DPA through the publication of this DPA, the Privacy Policy, and the Sub-processors page.

On-site audits, custom questionnaires, and individual compliance assessments are not available under self-serve plans. Enterprise customers requiring audit rights should contact us to discuss a custom agreement.

10. International Data Transfers

All HookListener servers and primary data storage are located in the European Union. Where Personal Data is transferred outside the EEA (for example, through the use of a Sub-processor), HookListener shall ensure that appropriate safeguards are in place, such as:

• An adequacy decision by the European Commission (e.g., EU-US Data Privacy Framework).
• Standard Contractual Clauses (SCCs) as adopted by the European Commission.

11. Data Deletion and Return

Upon termination of the Agreement, HookListener shall delete all Personal Data processed on behalf of the Customer in accordance with the retention periods specified in the Privacy Policy and applicable plan terms, unless retention is required by applicable law.

The Customer may export or delete their data at any time during the term of the Agreement using the Service's self-serve tools.

12. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. In no event shall HookListener's aggregate liability arising out of or related to this DPA exceed the total amounts actually paid by the Customer to HookListener in the one (1) month preceding the event giving rise to the claim.

The Customer shall indemnify, defend, and hold harmless HookListener and its officers, directors, employees, and agents from and against any claims, damages, losses, liabilities, costs, and expenses (including reasonable legal fees) arising out of or related to: (a) the Customer's breach of this DPA or applicable Data Protection Laws; (b) the Customer's failure to obtain necessary consents or provide required notices to data subjects; or (c) any Personal Data submitted to the Service by or on behalf of the Customer.

13. Term and Termination

This DPA takes effect when the Customer begins using the Service and remains in effect for as long as HookListener processes Personal Data on behalf of the Customer. The provisions of this DPA that by their nature should survive termination (including data deletion obligations, liability, and confidentiality) shall survive.

14. Governing Law

This DPA is governed by the laws of Spain, consistent with the Agreement. Where Data Protection Laws require the application of the law of the EU Member State in which the data subject is located, those laws shall apply to the extent required.

15. Contact

For any questions about this DPA or to exercise your rights, contact us here.