GDPR & Subprocessors
Our commitment to data protection and the partners we work with.
The General Data Protection Regulation (GDPR / DSGVO) is the toughest privacy and security law in the world. It imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was approved by the EU Parliament in April 2016 and came into effect on May 25, 2018.
Hook0 uses certain sub-processors to assist it in providing Application Services to its customers, as described in the Master Services Agreement or Terms of Use available at terms-of-service or such other location as the Terms of Use may be posted from time to time (as applicable, the "Agreement"). Defined terms used herein shall have the same meaning as defined in the Agreement.
What is Personal Data?
GDPR is especially concerned about protecting personal data of individuals. Personal data (Art. 4 GDPR) consists of any information that allows us to identify a person directly or indirectly and can be anything such as a name, email address, credit card number, or documents with personal information.
How We Process Personal Data
When you visit our websites or use our services, we will most likely process your personal data in one way or another. You can find all relevant information about which data we process, our legal basis for processing, and your rights regarding your personal data in our privacy policy.
Subprocessors and Their Roles
A subprocessor is a third-party data processor engaged by Hook0, including entities from within the Hook0 group, who has or potentially will have access to or process Customer Content (which may contain Personal Data). Hook0 engages different types of subprocessors to perform various functions as explained in the tables below.
Under Article 28(2) and 28(4) GDPR, you grant Hook0 a general written authorisation to engage the subprocessors listed below. We will inform you of any intended changes to this list, including the addition or replacement of subprocessors, giving you a reasonable opportunity to object before the change takes effect.
Infrastructure
We use the following subprocessors to provide our cloud infrastructure environment and storage of our Customer Content:
| Subprocessor | Country of Processing | Purpose | Transfer Mechanism |
|---|---|---|---|
| Clever Cloud SAS |
|
Hook0 customer database, API, and web application | EU processing (no transfer outside EEA) |
| Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107) | USA | DNS and DDoS protection | SCC 2021 + TIA; EU-US DPF (Cloudflare is DPF-certified) |
Processing of Customer Content
Hook0 works with various subprocessors that monitor, maintain, and support the Application Services. These subprocessors may, but not necessarily will, have access to Customer Content:
| Subprocessor | Country | Purpose | Transfer Mechanism |
|---|---|---|---|
| Clever Cloud SAS |
|
Workers that call the webhook subscription endpoints | EU processing (no transfer outside EEA) |
| Scaleway SAS |
|
Private dedicated workers that call the webhook subscription endpoints (only for relevant customers) | EU processing (no transfer outside EEA) |
| Stripe Inc. | USA | Hook0's customer subscription management | SCC 2021 + TIA; EU-US DPF (Stripe is DPF-certified) |
| Brevo |
|
Automated emailing | EU processing (no transfer outside EEA) |
| Postmark | USA | Automated emailing | SCC 2021 + TIA |
| BetterUptime |
|
Uptime monitoring, status page, and on-call management | EU processing (no transfer outside EEA) |
| Sentry | USA | Error tracking | SCC 2021 + TIA |
| Crisp |
|
Customer relations management | EU processing (no transfer outside EEA) |
| Gmail (Google Workspace) | USA | Support mailbox | SCC 2021 + TIA; EU-US DPF (Google LLC is DPF-certified) |
* The list of subprocessors above applies to any new Hook0 customers as of the date shown at the top of this page, and to existing Hook0 customers who have not otherwise received notice of a different effective date.
Stay in Control
Hook0 is a French SaaS designed for GDPR compliance. We rely on infrastructure and partners selected for confidentiality, integrity, and availability of your data. If you would rather not rely on our or our subprocessors' measures, you can still access our support services without disclosing your production data.
Data Ownership and Management
Your webhook payload data plane (Clever Cloud workers, and optionally Scaleway dedicated workers) is operated in the EU and your webhook content is not transferred outside the EEA for the purpose of webhook delivery. Backups are stored in French data centres. Ancillary services such as billing (Stripe), error tracking (Sentry), transactional email fallback (Postmark), the support mailbox (Gmail) and the CDN / DDoS layer (Cloudflare) do involve transfers to the United States, governed by the Standard Contractual Clauses 2021 (SCC 2021) and a documented Transfer Impact Assessment, and where applicable by the EU-US Data Privacy Framework. All Hook0 staff and consultants who may access your deployment are based in the EU.
Regarding your own user database, you must establish the required processes to comply with GDPR yourself and declare all data transfers that you handle independently. In this case, Hook0 acts as a subprocessor, and our DPA (Data Processing Agreement) specifies what we do.