HookFeed Data Processing Addendum

Date of last revision: March 2026

This Data Processing Addendum ("DPA") forms part of the HookFeed Terms of Service (the "Agreement") between HookFeed LLC ("HookFeed," "we," "us") and the customer entity that is party to the Agreement ("Customer," "you"). This DPA applies to the extent that HookFeed processes Personal Data on behalf of Customer in the course of providing the Services.

In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.

1. DEFINITIONS

In this DPA, the following terms have the meanings set out below. Capitalized terms not defined in this DPA have the meanings given in the Agreement.

"Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including (as applicable): (a) the General Data Protection Regulation (EU) 2016/679 ("EU GDPR"); (b) the EU GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 ("UK GDPR"); (c) the Swiss Federal Act on Data Protection ("Swiss DPA"); (d) the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"); and (e) any other applicable US state privacy law, including the Virginia Consumer Data Protection Act, Colorado Privacy Act, Connecticut Data Privacy Act, and similar laws enacted in other states (collectively, "US State Privacy Laws").

"Controller" means the entity that determines the purposes and means of the processing of Personal Data. For the purposes of this DPA, Customer is the Controller.

"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

"EEA" means the European Economic Area.

"Inbound Data" means webhook payloads and other event data transmitted to HookFeed by Customer or by third-party services at Customer's direction, as defined in the Agreement.

"Personal Data" means any information relating to an identified or identifiable natural person that is contained within Inbound Data or otherwise processed by HookFeed on behalf of Customer in connection with the Services. For the purposes of US State Privacy Laws, this includes "personal information" as defined in those laws.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by HookFeed.

"Processor" means the entity that processes Personal Data on behalf of the Controller. For the purposes of this DPA, HookFeed is the Processor.

"Processing" (and "process," "processed," etc.) means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

"Standard Contractual Clauses" or "SCCs" means: (a) for transfers subject to the EU GDPR, the standard contractual clauses approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021; (b) for transfers subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office ("UK Addendum"); and (c) for transfers subject to the Swiss DPA, the SCCs as recognized by the Swiss Federal Data Protection and Information Commissioner.

"Sub-processor" means any third party engaged by HookFeed to process Personal Data on behalf of Customer.

2. SCOPE AND ROLES

2.1 Scope

This DPA applies to the processing of Personal Data by HookFeed on behalf of Customer in connection with the provision of the Services under the Agreement.

2.2 Roles

The parties acknowledge and agree that with respect to the processing of Personal Data under this DPA: (a) Customer is the Controller; (b) HookFeed is the Processor acting on behalf of Customer; and (c) HookFeed's Sub-processors are sub-processors acting on behalf of HookFeed.

2.3 Customer Responsibilities

Customer is responsible for: (a) determining the lawful basis for processing Personal Data and for ensuring that its transmission of Personal Data to HookFeed complies with Applicable Data Protection Law; (b) providing any required notices to, and obtaining any required consents from, Data Subjects; (c) configuring the Services' filtering features and data sources to prevent categories of Personal Data that Customer does not wish HookFeed to process from being included in Inbound Data; and (d) responding to Data Subject requests, with HookFeed's reasonable assistance as described in Section 6.

3. DETAILS OF PROCESSING

3.1 Subject Matter and Duration

HookFeed processes Personal Data for the purpose of providing the Services to Customer as described in the Agreement. Processing will continue for the duration of the Agreement, plus the period required to delete or return Personal Data in accordance with Section 9.

3.2 Nature and Purpose of Processing

HookFeed processes Personal Data contained within Inbound Data in order to: (a) ingest and store webhook payloads; (b) extract, filter, and transform event data; (c) generate feeds, dashboards, metrics, charts, and other views; (d) deliver alerts, digests, and notifications; (e) provide AI-powered analysis and auto-configuration features; and (f) share dashboards and views as configured by Customer.

3.3 Categories of Data Subjects

Data Subjects may include any individuals whose Personal Data is contained within the Inbound Data that Customer transmits to HookFeed. This typically includes Customer's own customers, users, subscribers, contacts, employees, or other individuals whose data flows through Customer's configured third-party services and workflows.

3.4 Types of Personal Data

The types of Personal Data processed depend entirely on what Customer transmits to HookFeed through its configured data sources. This may include names, email addresses, IP addresses, transaction identifiers, user identifiers, and any other Personal Data contained within webhook payloads. Customer controls what data is sent and may use HookFeed's filtering tools to limit the Personal Data processed.

3.5 Special Categories of Data

HookFeed is not designed to process special categories of Personal Data (as defined in Article 9 of the EU GDPR) or sensitive data (as defined under US State Privacy Laws). Customer shall not transmit such data to HookFeed unless the parties have entered into a separate written agreement specifically addressing such processing.

4. HOOKFEED'S OBLIGATIONS AS PROCESSOR

4.1 Processing Instructions

HookFeed shall process Personal Data only on documented instructions from Customer, unless required to do otherwise by applicable law. The Agreement (including this DPA) and Customer's configuration of the Services constitute Customer's documented instructions. If HookFeed is required by applicable law to process Personal Data other than on Customer's instructions, HookFeed shall inform Customer of that legal requirement before processing, unless prohibited by law from doing so.

4.2 Confidentiality

HookFeed shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3 Security

HookFeed shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, or disclosure. These measures shall be appropriate to the harm that might result from such processing and shall include, at a minimum, the measures described in HookFeed's Security Materials at our security page. HookFeed's current security measures include:

(a) Encryption of data in transit via TLS/HTTPS for all application, webhook ingestion, and API traffic;
(b) Encryption of data at rest at the disk level for all databases and storage systems;
(c) Additional encryption at rest for sensitive configuration data (webhook secrets, API keys);
(d) Access controls limiting employee access to Personal Data to authorized personnel on an as-needed basis behind two-factor authentication;
(e) Data retention in accordance with Customer's plan tier;
(f) Rate limiting on webhook ingestion endpoints;
(g) Regular security assessments and annual penetration testing by an independent third party;
(h) Network protection via Cloudflare for CDN, DDoS protection, and traffic filtering.

HookFeed shall regularly test, assess, and evaluate the effectiveness of these measures and shall update them as necessary to maintain an appropriate level of security.

4.4 Sub-processors

(a) Customer provides general authorization for HookFeed to engage Sub-processors to process Personal Data on behalf of Customer, subject to the requirements of this Section 4.4.

(b) HookFeed shall maintain a list of its current Sub-processors at our sub-processors page, which shall include the name, purpose, and location of each Sub-processor.

(c) HookFeed shall notify Customer at least thirty (30) days before engaging a new Sub-processor or replacing an existing Sub-processor by updating the Sub-processor list and, where Customer has subscribed to notifications, by email. Customer may subscribe to Sub-processor change notifications by emailing privacy@hookfeed.com.

(d) If Customer has a reasonable, good-faith objection to a new Sub-processor based on data protection grounds, Customer shall notify HookFeed in writing within fifteen (15) days of receiving notice. The parties shall discuss the objection in good faith. If the parties are unable to resolve the objection within thirty (30) days, Customer may terminate the affected Services by providing written notice to HookFeed. HookFeed will refund any prepaid fees for the terminated Services covering the period after the effective date of termination.

(e) HookFeed shall impose on each Sub-processor, by way of a written agreement, data protection obligations no less protective than those set out in this DPA. HookFeed shall remain liable to Customer for the acts and omissions of its Sub-processors to the same extent HookFeed would be liable if performing the processing directly.

(f) HookFeed's current Sub-processors as of the Effective Date are:

Sub-processor	Purpose	Location
Amazon Web Services, Inc.	Cloud infrastructure and data storage	United States
Anthropic PBC	AI-powered event analysis and dashboard auto-configuration	United States
Cloudflare, Inc.	CDN, DDoS protection, network security	United States (global edge network)
Help Scout, Inc.	Customer support and help desk	United States
Heroku (Salesforce, Inc.)	Application hosting platform	United States
Hex Technologies, Inc.	Data collaboration and analytics	United States
PostHog, Inc.	Product analytics and session replay	United States
Postmark (ActiveCampaign, LLC)	Transactional email delivery	United States
Sentry (Functional Software, Inc.)	Error tracking and application monitoring	United States
Stripe, Inc.	Payment processing	United States

The current list is maintained at our sub-processors page.

4.5 Assistance with Data Subject Rights

HookFeed shall, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law. If HookFeed receives a request from a Data Subject directly, HookFeed shall promptly redirect the Data Subject to Customer and notify Customer of the request, unless prohibited by law.

4.6 Assistance with Customer's Compliance Obligations

HookFeed shall assist Customer in ensuring compliance with Customer's obligations under Articles 32 to 36 of the EU GDPR (and equivalent provisions under other Applicable Data Protection Law), taking into account the nature of processing and the information available to HookFeed. This includes reasonable assistance with:

(a) Security of processing (Article 32);
(b) Notification of Personal Data Breaches to supervisory authorities and Data Subjects (Articles 33 and 34);
(c) Data protection impact assessments (Article 35); and
(d) Prior consultation with supervisory authorities (Article 36).

5. PERSONAL DATA BREACH

5.1 Notification

HookFeed shall notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of Customer.

5.2 Content of Notification

The notification shall include, to the extent reasonably available:

(a) A description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
(b) The name and contact details of HookFeed's point of contact from whom further information can be obtained;
(c) A description of the likely consequences of the Personal Data Breach; and
(d) A description of the measures taken or proposed to be taken by HookFeed to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

5.3 Cooperation

HookFeed shall cooperate with Customer and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of any Personal Data Breach. HookFeed shall not inform any third party of any Personal Data Breach without first consulting with Customer, unless required by law.

5.4 Limitations

HookFeed's obligation to report or respond to a Personal Data Breach under this Section is not and will not be construed as an acknowledgment by HookFeed of any fault or liability with respect to the Personal Data Breach.

6. DATA SUBJECT REQUESTS

6.1 Assistance

If Customer receives a request from a Data Subject to exercise rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, or objection) that relates to Personal Data processed by HookFeed, HookFeed shall provide reasonable assistance to Customer in responding to such request. This assistance may include:

(a) Providing Customer with the ability to access, export, or delete Personal Data through the Services' standard features (such as data source management, event deletion, and account data export);
(b) Where the Services' standard features are insufficient, HookFeed shall use reasonable efforts to assist Customer upon written request, provided that Customer reimburses HookFeed for any reasonable costs incurred in providing such assistance beyond what is available through standard features.

6.2 Response Time

HookFeed shall respond to Customer's requests for assistance with Data Subject requests within ten (10) business days, or such shorter period as is reasonably necessary for Customer to comply with applicable deadlines.

7. INTERNATIONAL DATA TRANSFERS

7.1 Location of Processing

HookFeed processes and stores Personal Data in the United States. Customer acknowledges and consents to the processing and storage of Personal Data in the United States.

7.2 Transfer Mechanism for EEA, UK, and Swiss Data

To the extent that Customer's use of the Services involves the transfer of Personal Data from the EEA, the United Kingdom, or Switzerland to the United States, the parties agree that such transfers shall be governed by the Standard Contractual Clauses as follows:

(a) EU Transfers: The SCCs (Module Two: Controller to Processor) approved by the European Commission in Implementing Decision (EU) 2021/914 shall apply to transfers of Personal Data from the EEA to the United States. For the purposes of the SCCs:

Clause 7 (Docking Clause): the optional docking clause shall apply;
Clause 9(a) (Sub-processors): Option 2 (General Written Authorization) shall apply, with the notice period set at thirty (30) days as specified in Section 4.4(c) of this DPA;
Clause 11 (Redress): the optional clause shall not apply;
Clause 13(a) (Supervision): the supervisory authority of the EU Member State in which Customer is established, or if Customer is not established in the EU, the supervisory authority of the EU Member State in which Customer's EU representative is established, shall act as the competent supervisory authority;
Clause 17 (Governing Law): Option 1 shall apply, and the SCCs shall be governed by the law of Ireland;
Clause 18(b) (Choice of Forum): disputes shall be resolved before the courts of Ireland;
Annex I, II, and III shall be deemed completed with the information set out in Appendices A, B, and C of this DPA.

(b) UK Transfers: For transfers of Personal Data from the United Kingdom, the UK Addendum to the EU SCCs issued by the UK Information Commissioner's Office (as may be amended or replaced) shall apply. The information required by Table 1 to 4 of the UK Addendum shall be deemed completed with the information set out in this DPA and its Appendices, and the "Approved EU SCCs" referenced in the UK Addendum shall be the SCCs as incorporated under subsection (a) above.

(c) Swiss Transfers: For transfers of Personal Data from Switzerland, the SCCs shall apply with the modifications necessary to comply with the Swiss DPA, including that the Swiss Federal Data Protection and Information Commissioner shall act as the competent supervisory authority and Swiss law shall govern to the extent required.

7.3 EU-U.S. Data Privacy Framework

If HookFeed certifies under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, or the Swiss-U.S. Data Privacy Framework, such certification may serve as a valid transfer mechanism in addition to or in place of the SCCs for covered transfers, to the extent permitted by Applicable Data Protection Law. HookFeed shall notify Customer if it obtains or loses such certification.

7.4 Alternative Transfer Mechanisms

If any transfer mechanism relied upon under this Section 7 is invalidated or otherwise found to be insufficient by a court of competent jurisdiction or regulatory authority, the parties shall cooperate in good faith to implement an alternative lawful transfer mechanism.

8. AUDITS

8.1 Information and Audit Rights

HookFeed shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. Upon Customer's written request, and no more than once per twelve (12) month period (unless a Personal Data Breach has occurred or a supervisory authority requires an audit), HookFeed shall permit Customer or a qualified, independent third-party auditor appointed by Customer (and acceptable to HookFeed, such acceptance not to be unreasonably withheld) to conduct an audit of HookFeed's processing activities relevant to this DPA.

8.2 Audit Procedures

(a) Customer shall provide HookFeed with at least thirty (30) days prior written notice of any audit request, specifying the proposed scope and duration.

(b) Audits shall be conducted during normal business hours, with reasonable advance scheduling, and in a manner that minimizes disruption to HookFeed's operations.

(d) Customer shall bear the costs of any audit, including any reasonable costs incurred by HookFeed in facilitating the audit.

(e) HookFeed may satisfy audit requests by providing Customer with relevant certifications, audit reports, or summaries of penetration test results, to the extent such materials reasonably address the subject matter of the audit request.

8.3 Supervisory Authority Audits

HookFeed shall cooperate with and permit audits by any supervisory authority or regulatory body with jurisdiction over Customer's processing activities, to the extent required by Applicable Data Protection Law.

9. DATA RETENTION AND DELETION

9.1 Retention

HookFeed shall retain Personal Data only for as long as necessary to provide the Services and in accordance with the retention periods applicable to Customer's plan tier as described in the Agreement and Security Materials.

9.2 Deletion on Termination

Upon termination or expiration of the Agreement, HookFeed shall, at Customer's election and written request, either: (a) return all Personal Data to Customer in a commonly used, machine-readable format; or (b) delete all Personal Data in HookFeed's possession or control, including Personal Data held in backups, within ninety (90) days. HookFeed shall confirm deletion in writing upon Customer's request.

If Customer does not provide instructions within thirty (30) days of termination, HookFeed shall delete all Personal Data in accordance with subsection (b) above.

9.3 Exceptions

HookFeed may retain Personal Data to the extent required by applicable law, provided that HookFeed shall: (a) limit such retention to the minimum required; (b) maintain the confidentiality and security of the retained data; and (c) process the retained data only for the purpose required by law.

10. US STATE PRIVACY LAW PROVISIONS

10.1 CCPA/CPRA

To the extent that HookFeed processes Personal Data that constitutes "personal information" as defined under the CCPA/CPRA:

(a) HookFeed is a "service provider" (as defined in the CCPA/CPRA) with respect to such Personal Data;
(b) HookFeed shall not sell or share (as those terms are defined in the CCPA/CPRA) Personal Data;
(c) HookFeed shall not retain, use, or disclose Personal Data for any purpose other than providing the Services as specified in the Agreement, or as otherwise permitted by the CCPA/CPRA for service providers;
(d) HookFeed shall not retain, use, or disclose Personal Data outside of the direct business relationship between HookFeed and Customer;
(e) HookFeed shall not combine Personal Data received from Customer with personal information that it receives from or on behalf of another person, or that it collects from its own interactions with Data Subjects, except as permitted by the CCPA/CPRA for service providers;
(f) HookFeed shall comply with applicable provisions of the CCPA/CPRA and shall assist Customer in responding to verifiable consumer requests, to the extent reasonably possible;
(g) HookFeed shall notify Customer if it determines that it can no longer meet its obligations under the CCPA/CPRA;
(h) HookFeed grants Customer the right to take reasonable and appropriate steps to ensure that HookFeed uses Personal Data in a manner consistent with Customer's obligations under the CCPA/CPRA.

10.2 Other US State Privacy Laws

To the extent that HookFeed processes Personal Data subject to other US State Privacy Laws:

(a) HookFeed shall process such Personal Data only as instructed by Customer and in accordance with the Agreement;
(b) HookFeed shall assist Customer in meeting its obligations under applicable US State Privacy Laws, including with respect to consumer rights requests, data protection assessments, and security requirements;
(c) HookFeed shall provide the level of privacy protection required by the applicable US State Privacy Law and shall notify Customer if it determines that it can no longer meet its obligations under such law.

11. GENERAL

11.1 Order of Precedence

In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data. In the event of a conflict between this DPA and the SCCs, the SCCs shall prevail.

11.2 Liability

Each party's total aggregate liability under this DPA shall be subject to the limitations of liability set out in the Agreement. Nothing in this Section shall limit either party's liability for breaches of Applicable Data Protection Law to the extent such limitation is not permitted by law.

11.3 Amendments

HookFeed may update this DPA from time to time to reflect changes in Applicable Data Protection Law or HookFeed's processing practices. Material changes will be communicated to Customer with at least thirty (30) days notice. Customer's continued use of the Services after the effective date of such changes constitutes acceptance of the updated DPA. If Customer does not agree with a material change, Customer may terminate the Agreement by providing written notice within thirty (30) days of receiving notice of the change.

11.4 Contact

Questions about this DPA may be directed to privacy@hookfeed.com.

APPENDIX A — DETAILS OF PROCESSING

This Appendix forms part of the SCCs (Annex I).

A. List of Parties

Data Exporter (Controller):

Name: The Customer entity identified in the Agreement
Activities relevant to the data transferred: Use of HookFeed's webhook visibility platform
Role: Controller

Data Importer (Processor):

Name: HookFeed LLC
Address: 8605 Santa Monica Blvd #74803, West Hollywood, CA 90069
Contact: privacy@hookfeed.com
Activities relevant to the data transferred: Provision of webhook ingestion, event processing, dashboard, alerting, and analytics services
Role: Processor

B. Description of Transfer

Categories of Data Subjects: Customer's customers, users, subscribers, contacts, employees, or other individuals whose Personal Data is contained within Inbound Data.
Categories of Personal Data: Determined by Customer based on what Customer transmits via webhook payloads. May include names, email addresses, IP addresses, transaction identifiers, user identifiers, and other data present in webhook payloads from Customer's configured third-party services.
Sensitive Data Transferred: None, unless Customer transmits such data contrary to the Agreement. No special safeguards beyond those described in this DPA are applied for sensitive data.
Frequency of Transfer: Continuous, event-driven (as webhook events are transmitted by Customer's configured data sources).
Nature of Processing: Ingestion, storage, extraction, filtering, transformation, analysis (including AI-powered analysis), display, alerting, notification delivery, and dashboard sharing.
Purpose of Processing: To provide the Services described in the Agreement, including webhook visibility, dashboards, alerts, digests, and related analytics.
Retention Period: As specified in the Agreement based on Customer's plan tier (30 days to unlimited). Upon termination, data is deleted within 90 days unless Customer requests return of data.

APPENDIX B — TECHNICAL AND ORGANIZATIONAL MEASURES

This Appendix forms part of the SCCs (Annex II).

HookFeed implements and maintains the following technical and organizational measures for the protection of Personal Data:

Encryption:

All data in transit encrypted via TLS/HTTPS
All data at rest encrypted at the disk level
Sensitive configuration data (webhook secrets, API keys) encrypted with additional application-level encryption

Access Controls:

Employee access to Personal Data limited to authorized personnel on an as-needed basis
Two-factor authentication required for infrastructure access
Magic link authentication for customer accounts (no passwords stored)
Role-based access controls within the application

Data Minimization:

Data retention in accordance with plan-tier retention schedules
Customer-configurable filtering; customers should configure sources to exclude sensitive data
Automatic data deletion per plan-tier retention schedules

Network Security:

CDN and DDoS protection via Cloudflare
Rate limiting on webhook ingestion endpoints
Webhook signature verification support

Infrastructure:

Cloud-hosted infrastructure with disk-level encryption and redundancy
Regular encrypted backups
Disaster recovery procedures

Organizational Measures:

Employee background checks
Security training for all employees
Annual penetration testing by independent third party
Continuous delivery with code review, CI, and automated testing
Vulnerability disclosure program (security@hookfeed.com)
Sensitive data scrubbed from application logs

AI Processing:

AI service providers (Anthropic) contractually prohibited from using customer data for model training
AI processing occurs only when customer uses AI-powered features
Data transmitted to AI providers via TLS-encrypted connections

APPENDIX C — LIST OF SUB-PROCESSORS

This Appendix forms part of the SCCs (Annex III).

Sub-processor	Purpose	Location
Amazon Web Services, Inc.	Cloud infrastructure and data storage	United States
Anthropic PBC	AI-powered event analysis and dashboard auto-configuration	United States
Cloudflare, Inc.	CDN, DDoS protection, network security	United States (global edge network)
Help Scout, Inc.	Customer support and help desk	United States
Heroku (Salesforce, Inc.)	Application hosting platform	United States
Hex Technologies, Inc.	Data collaboration and analytics	United States
PostHog, Inc.	Product analytics and session replay	United States
Postmark (ActiveCampaign, LLC)	Transactional email delivery	United States
Sentry (Functional Software, Inc.)	Error tracking and application monitoring	United States
Stripe, Inc.	Payment processing	United States

The current list is maintained at our sub-processors page. Customer may subscribe to change notifications by emailing privacy@hookfeed.com.