Our commitment to protecting your data under GDPR and data protection regulations.
The purpose of this DPA is to reflect the parties' agreement with regard to the processing of Personal Data in accordance with the requirements of Data Protection Regulations.
In respect of the processing of Personal Data of the Customer by Hook0 under the Terms of Services, the parties acknowledge that the Customer is the Data Controller and Hook0 is the Data Processor and both agree to comply with all corresponding obligations as per the Data Protection Regulations.
The Customer gives instructions to Hook0 to process such Personal Data on its behalf as it is necessary for the purposes of the Terms of Services as defined in Appendix 1 "Description of Personal Data processing". The Appendix 1 is filled out by the Customer and shall be updated if any change is made by the Customer.
Each party shall comply with its obligations under the Data Protection Regulations.
All capitalized words in the DPA shall have the meaning ascribed to them in the GDPR, the Data Protection Regulations and in the Terms of Services.
As a reminder, for every processing carried out under this DPA, the Customer shall:
The Customer warrants to Hook0 that it is entitled to transfer the Personal Data to the Hook0 and/or the Sub-processor(s) in full compliance with Data Protection Regulations, including as needed, compliance to any prior required formalities and Data Subject rights, such as information and/or consent when such is required under Data Protection Regulations.
The Customer acknowledges that it is and shall remain solely responsible for determining the purposes and the means of Hook0's processing the Personal Data. The Data Controller remains solely responsible for the accuracy and adequacy of the aforementioned instructions. Any changes to the instructions given or the security measures that are required by the Customer, including in order to comply with applicable data protection laws, shall be agreed by the parties and/or via an amendment to this DPA. Any costs incurred by Hook0 in complying with such changes shall be borne by the Customer.
The Customer undertakes that the Data Subjects have been informed or will be informed before the transfer of their Personal Data to Hook0 in the scope of the Services.
The Product is not intended to process Special Categories of Personal Data. Therefore, the Customer undertakes to prevent any processing of Special Categories of Personal Data through the Product and the Services. However, at the Customer request, processing of Special Categories of Personal Data may be performed by Hook0. In such case, the Processing shall be covered by a specific addendum to the DPA to be entered into between the Customer and Hook0.
In case the Customer expressly requests the assistance of Hook0 for the fulfilment of its obligation under the Data Protection Regulations, then Hook0 shall address to the Customer the estimated costs for such assistance. Upon express acceptation of the estimated cost, Hook0 shall provide assistance pursuant to the instructions of the Customer and the terms of the present DPA.
Hook0 undertakes to:
The Customer's Personal Data processed under the DPA shall not be subject to any assignment, lease, concession, communication or disclosure to a third party, including sub-Processors of Hook0, except otherwise required by the Terms of Services or by a legal or regulatory mandatory provision.
In such a case, Hook0 shall inform the Customer of that legal requirement before Processing, unless that legal or regulatory mandatory provision prohibits such information on important grounds of public interest.
With respect to the conditions referred to in paragraphs 2 and 4 of article 28 of GDPR for engaging another Data Processor (the "Sub-processor"), the Customer agrees that Hook0 may sub-process the Processing of the Customer's Personal Data.
Notwithstanding the general consent given by the Customer, Hook0 shall inform the Customer of any intended changes concerning the addition or replacement of any Sub-processor within a reasonable time prior to implementation of such change. The list of the sub-Processors under the authority of Hook0 is available to the Customer at Hook0 / GDPR Sub-processors.
Where Hook0 engages a Sub-processor who shall process the Customer's Personal Data, the same data protection obligations as set out in the DPA shall be imposed on the Sub-processor by Hook0.
This agreement must in particular provide for an obligation of the Sub-processor to provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing will meet the requirements of Data Protection Regulations and of the DPA.
Hook0 warranties the Customer that the Customer's Personal Data are located in France or in the European Union. Hook0 undertakes not to carry out any transfer of Customer's Personal Data outside the EEA without the written consent of the Customer.
At the request of the Customer and upon instructions, Hook0 shall store or transfer Personal Data to other Hook0 entities and/or to Sub-processors located in countries outside the EEA ("Third Countries"). In that case and when Third Countries have not been subject to an adequacy decision of the European Commission, Hook0 undertakes that the transfer will be carried out in accordance with the Data Protection Regulations and will be subject to appropriate safeguards to guarantee a level of protection equivalent to the one guaranteed by the Data Protection Regulations, such as the signing of the Standard Contractual Clauses adopted by the European Commission and available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
The Customer hereby mandates Hook0 to sign on its behalf the Standard Contractual Clauses with Hook0 entities and sub-Processors located in Third Countries.
At the request of the Customer, Hook0 agrees to assist the Customer to perform a transfer impact assessments to identify any gaps between the Data Protection Regulations and the laws of the Third Country and to implement the necessary supplementary measures to guarantee a level protection equivalent to the one guaranteed by the Data Protection Regulations.
Hook0 shall take, insofar as this is relevant to the provision of the Services or compliance with its other obligations in the DPA, adequate measures to ensure a level of security of the Customer's Personal Data appropriate to the risk and to take into account the principles of data protection by design and by default in the execution of the DPA.
Hook0 undertakes to:
Hook0 shall notify the Customer of any Personal Data Breach without undue delay, and in any event within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR, and in writing after it becomes aware of a Personal Data Breach. When the information is available to Hook0, such notification shall:
Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
At the request of the Customer, Hook0 also undertakes to provide the Customer with reasonable assistance and co-operation to notify the Personal Data Breach to the competent Data Protection Authority and to communicate such Personal Data Breach to the Data Subjects, in compliance with applicable Data Protection Regulations.
Based on the nature of the Personal Data Processing activities, Hook0 undertakes to:
At the request of the Customer, Hook0 undertakes to provide the Customer with reasonable assistance and co-operation to carry out an assessment of the impact of the Personal Data Processing operations carried out under the present DPA on the protection of Personal Data and to consult the competent data protection authorities, where necessary and at the expense of the Customer (based on a time and materials fee).
The Customer remains solely responsible for implementing and managing Personal Data retention periods, and undertakes to use the Product accordingly.
Without prejudice to the applicable laws and regulations Hook0 undertakes to, at the end of the Terms of Services:
Upon prior written notice of thirty (30) business days sent by the Customer, Hook0 shall disclose to the Customer the information strictly necessary to demonstrate compliance with the obligations laid down in this Terms of Services.
At the request of the Customer and once a year, Hook0 undertakes to allow for and contribute to reasonable audits, including inspections, conducted by or on behalf of the Customer, for the purposes of assessing the Hook0's compliance with the Data Protection Regulations and the provisions of the DPA.
Hook0 also undertakes to allow for and contribute to audits conducted by competent Data Protection Authorities.
The Customer shall have no right to view or access any systems, data, records or other information relating or pertaining to Hook0's other customers.
Any such audit by or on behalf of the Customer shall be conducted at its own costs. The Customer shall provide Hook0 with a copy of the audit report.
In the event that the Customer is subject to an investigation or a request for information by a competent data protection authority and concerning any of the processing operations carried out by Hook0 on behalf of the Customer, the Customer undertakes to inform Hook0 as soon as possible and to satisfy such investigation or request, to the best of its ability, at the expense of the Customer, and in accordance with the procedures adopted by the data protection authority.
The Customer undertakes to comply with any confidentiality provisions, policies and/or site rules Hook0 may notify to the Customer in relation to the audit.
| Data Controller | The Customer (as identified in the Terms of Service) |
|---|---|
| Data Processor | FGRibreau SARL, 3 rue de l'Aubépine, 85110 Chantonnay, France |
| Nature of the Processing operations |
|
| Purpose(s) of Processing | Provision of the Hook0 webhook-as-a-service platform as described in the Terms of Service. |
| Name and contact details of the Customer's Data Protection Officer (if applicable) | [to be completed by the Customer] |
| Category/ies of Personal Data |
Email addresses, names, IP addresses, webhook payload data (content determined by Customer), authentication tokens, billing information (processed by Stripe). Sensitive Data: None by default. The Customer is responsible for ensuring that webhook payloads do not contain special categories of data unless agreed upon in writing. At the Customer's request, processing of Special Categories of Personal Data may be performed by Hook0. In such case, the Processing shall be covered by a specific addendum to the DPA to be entered into between the Customer and Hook0. |
| Category/ies of Data Subjects | Customer's end users whose data is transmitted via webhooks; Customer's authorized users of the Hook0 platform. |
| Location(s) of Processing operations | France or EEA If the Customer requests the Personal Data to be located outside the EEA, such Processing shall be covered by a separate agreement between the Customer and Hook0. Please see: Hook0 / GDPR Sub-processors |
| Identity of the sub-Processor(s) | Please see: Hook0 / GDPR Sub-processors |
| Frequency of Processing | Continuous, automated processing. |
| Duration of Processing operations | For the duration of the Terms of Service, plus 30 days after account deletion. |
The following technical and organisational measures are implemented by Hook0 in order to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to Personal Data transmitted, stored or otherwise processed:
Note on multi-factor authentication (MFA): MFA is enforced for all infrastructure access (Clever Cloud, GitLab, Stripe). MFA for individual Hook0 user accounts is not yet implemented at the application level and is planned for a future release.