Skip to main content
Compliance

GDPR & Subprocessors

Our commitment to data protection and the partners we work with.

Last Update: June 27, 2026

The General Data Protection Regulation (GDPR / DSGVO) is the toughest privacy and security law in the world. It imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was approved by the EU Parliament in April 2016 and came into effect on May 25, 2018.

Hook0 uses certain sub-processors to assist it in providing Application Services to its customers, as described in the Master Services Agreement or Terms of Use available at terms-of-service or such other location as the Terms of Use may be posted from time to time (as applicable, the "Agreement"). Defined terms used herein shall have the same meaning as defined in the Agreement.

What is Personal Data?

GDPR is especially concerned about protecting personal data of individuals. Personal data (Art. 4 GDPR) consists of any information that allows us to identify a person directly or indirectly and can be anything such as a name, email address, credit card number, or documents with personal information.

How We Process Personal Data

When you visit our websites or use our services, we will most likely process your personal data in one way or another. You can find all relevant information about which data we process, our legal basis for processing, and your rights regarding your personal data in our privacy policy.

Subprocessors and Their Roles

A subprocessor is a third-party data processor engaged by Hook0, including entities from within the Hook0 group, who has or potentially will have access to or process Customer Content (which may contain Personal Data). Hook0 engages different types of subprocessors to perform various functions as explained in the tables below.

Under Article 28(2) and 28(4) GDPR, you grant Hook0 a general written authorisation to engage the subprocessors listed below. We will inform you of any intended changes to this list, including the addition or replacement of subprocessors, giving you a reasonable opportunity to object before the change takes effect.

Infrastructure

We use the following subprocessors to provide our cloud infrastructure environment and storage of our Customer Content:

Subprocessor Country of Processing Purpose Transfer Mechanism
Clever Cloud SAS EU France, Europe Hook0 customer database, API, and web application EU processing (no transfer outside EEA)
Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107) USA DNS and DDoS protection SCC 2021 + TIA; EU-US DPF (Cloudflare is DPF-certified)

Processing of Customer Content

Hook0 works with various subprocessors that monitor, maintain, and support the Application Services. These subprocessors may, but not necessarily will, have access to Customer Content:

Subprocessor Country Purpose Transfer Mechanism
Clever Cloud SAS EU France, Europe Workers that call the webhook subscription endpoints EU processing (no transfer outside EEA)
Scaleway SAS EU France, Europe Private dedicated workers that call the webhook subscription endpoints (only for relevant customers) EU processing (no transfer outside EEA)
Stripe Inc. USA Hook0's customer subscription management SCC 2021 + TIA; EU-US DPF (Stripe is DPF-certified)
Brevo EU France, Europe Automated emailing EU processing (no transfer outside EEA)
Postmark USA Automated emailing SCC 2021 + TIA
BetterUptime EU Czech Republic, Europe Uptime monitoring, status page, and on-call management EU processing (no transfer outside EEA)
Sentry USA Error tracking SCC 2021 + TIA
Crisp EU France, Europe Customer relations management EU processing (no transfer outside EEA)
Gmail (Google Workspace) USA Support mailbox SCC 2021 + TIA; EU-US DPF (Google LLC is DPF-certified)

* The list of subprocessors above applies to any new Hook0 customers as of the date shown at the top of this page, and to existing Hook0 customers who have not otherwise received notice of a different effective date.

Stay in Control

Hook0 is a French SaaS designed for GDPR compliance. We rely on infrastructure and partners selected for confidentiality, integrity, and availability of your data. If you would rather not rely on our or our subprocessors' measures, you can still access our support services without disclosing your production data.

Data Ownership and Management

Your webhook payload data plane (Clever Cloud workers, and optionally Scaleway dedicated workers) is operated in the EU and your webhook content is not transferred outside the EEA for the purpose of webhook delivery. Backups are stored in French data centres. Ancillary services such as billing (Stripe), error tracking (Sentry), transactional email fallback (Postmark), the support mailbox (Gmail) and the CDN / DDoS layer (Cloudflare) do involve transfers to the United States, governed by the Standard Contractual Clauses 2021 (SCC 2021) and a documented Transfer Impact Assessment, and where applicable by the EU-US Data Privacy Framework. All Hook0 staff and consultants who may access your deployment are based in the EU.

Regarding your own user database, you must establish the required processes to comply with GDPR yourself and declare all data transfers that you handle independently. In this case, Hook0 acts as a subprocessor, and our DPA (Data Processing Agreement) specifies what we do.