Data Processing Agreement (DPA)
Last updated: March 12, 2025
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between HookFlow ("Processor") and the Customer ("Controller") and reflects the parties' agreement with regard to the Processing of Personal Data.
2. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor as a result of, or in connection with, the provision of the services.
"Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
"Data Subject" means an identified or identifiable natural person to whom the Personal Data relates.
3. Processing of Personal Data
The Processor shall process Personal Data only on behalf of the Controller and in accordance with its documented instructions.
The Controller instructs the Processor to process Personal Data for the following purposes: (a) Processing in accordance with the Terms of Service; (b) Processing to comply with other documented reasonable instructions provided by the Controller where such instructions are consistent with the terms of the Agreement.
4. Data Security
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- The pseudonymization and encryption of Personal Data
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
5. Sub-processing
The Controller authorizes the Processor to engage sub-processors to process Personal Data provided that:
- The Processor provides the Controller with prior notice of any intended changes concerning the addition or replacement of sub-processors
- The Processor imposes data protection terms on any sub-processor it appoints that protect the Personal Data to the same standard provided for in this DPA
- The Processor remains fully liable to the Controller for the performance of that sub-processor's obligations
6. Data Subject Rights
The Processor shall, to the extent legally permitted, promptly notify the Controller if it receives a request from a Data Subject to exercise their rights under applicable data protection laws.
Taking into account the nature of the processing, the Processor shall assist the Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the Data Subject's rights.
7. Data Breach Notification
The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data breach affecting the Controller's Personal Data.
Such notification shall include, at a minimum: (a) a description of the nature of the breach; (b) the categories and approximate number of Data Subjects concerned; (c) the likely consequences of the breach; and (d) the measures taken or proposed to be taken to address the breach.
8. Return or Deletion of Data
Upon termination of the services, the Processor shall, at the choice of the Controller, delete or return all the Personal Data to the Controller and delete existing copies unless applicable law requires storage of the Personal Data.
9. Contact Us
If you have any questions about this DPA, please contact us.