Data Processing Agreement (GDPR)
Effective: May 11, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer", "Controller") and Nahook ("Processor") and governs the processing of personal data under the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and the Swiss Federal Act on Data Protection.
1. Definitions
- "Customer Personal Data" means any personal data processed by Nahook on behalf of the Customer in connection with the Service.
- "Sub-processor" means any third party engaged by Nahook to process Customer Personal Data.
- All other terms have the meanings given in the GDPR.
2. Roles and Scope
The Customer acts as the Controller of Customer Personal Data. Nahook acts as the Processor, processing data solely on the Customer's documented instructions to provide the Service.
Nahook acts as a Controller for its own administrative data (account contacts, billing, support inquiries) as described in our Privacy Policy.
2.1 Categories of Data
| Category | Data Elements |
|---|---|
| Account Data | Name, email, workspace details |
| Webhook Payloads | Customer-defined payload content transmitted through the Service |
| Delivery Metadata | Timestamps, status codes, endpoint URLs, delivery IDs, latency |
2.2 Processing Purposes
Nahook processes Customer Personal Data exclusively to:
- Deliver webhook events to configured endpoints
- Retry failed deliveries according to configured policies
- Provide delivery logs and analytics within the dashboard
- Operate and maintain the Service infrastructure
3. Customer Obligations
The Customer is responsible for:
- Ensuring a lawful basis for processing personal data through the Service
- Providing any required notices to and obtaining any necessary consents from data subjects
- Ensuring that webhook payloads do not include personal data beyond what is necessary for the intended purpose
4. Processor Obligations
Nahook shall:
- Process Customer Personal Data only on documented instructions from the Customer, unless required by law
- Ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures (see Section 7)
- Assist the Customer in responding to data subject requests
- Assist the Customer in ensuring compliance with obligations regarding security, breach notification, and data protection impact assessments
- Delete or return all Customer Personal Data upon termination, at the Customer's choice, unless retention is required by law
- Make available information necessary to demonstrate compliance and allow for audits
5. Sub-processors
The Customer authorizes Nahook to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Edge network, CDN & static hosting provider | CDN, edge proxy, static site hosting, and object storage for large webhook payloads | United States (global edge network) |
| Cloud compute provider | Compute infrastructure and managed cache | United States |
| Managed database provider | Managed database for customer accounts, configuration, and delivery records | United States |
| Managed message-streaming provider | Message queue for the webhook delivery pipeline | United States |
| Stripe | Payment processing and subscription billing | United States |
| Transactional email provider | Transactional email delivery | United States |
Nahook also engages a small number of operational service providers (such as observability, error tracking, product analytics, and fraud-prevention tools) that may incidentally process limited Customer Personal Data. A complete current list is available on request at [email protected].
Nahook will notify the Customer at least 14 days before adding or replacing a sub-processor. The Customer may object within 7 days of receiving notice. If the objection cannot be resolved, the Customer may terminate the affected Service.
Nahook remains fully liable for the acts and omissions of its sub-processors.
6. International Data Transfers
Where Customer Personal Data is transferred outside the EEA, UK, or Switzerland, Nahook ensures appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) as adopted by the European Commission (Module 2: Controller to Processor)
- UK International Data Transfer Addendum where applicable
- Swiss Federal Act on Data Protection addendum where applicable
The Service currently operates in a single United States region. Multi-region support (including EU and APAC) is planned and will be subject to the safeguards above when introduced.
7. Security Measures
Nahook implements the following technical and organizational measures:
- Encryption: TLS/HTTPS for data in transit; AES-256-GCM for sensitive data at rest (e.g., webhook signing secrets)
- Access control: Role-based access, API key authentication with hashed secrets (SHA-256)
- Infrastructure isolation: Workspace-level data isolation with regional deployment architecture
- Monitoring: Automated alerting for security events and anomalous activity
- Incident response: Documented procedures for security incident detection, containment, and notification
8. Data Breach Notification
Nahook will notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting Customer Personal Data. The notification will include:
- Nature of the breach, including categories and approximate number of affected data subjects
- Contact point for further information
- Likely consequences of the breach
- Measures taken or proposed to address the breach
9. Data Subject Rights
Nahook will assist the Customer in fulfilling its obligations to respond to data subject requests (access, rectification, erasure, portability, restriction, objection) by:
- Providing data export functionality through the dashboard and API
- Deleting data upon Customer request
- Redirecting any direct data subject requests to the Customer, unless legally compelled to respond
10. Audits
Nahook will make available to the Customer, upon reasonable request and no more than once per year, information necessary to demonstrate compliance with this DPA. The Customer may conduct an audit, or appoint a qualified third-party auditor, subject to reasonable notice and confidentiality obligations.
11. Term and Termination
This DPA remains in effect for the duration of the Terms of Service. Upon termination:
- The Customer may request return of Customer Personal Data within 30 days
- After 30 days, Nahook will delete all Customer Personal Data, except where retention is required by law
- Nahook will certify deletion upon Customer request
12. Contact
For questions about this DPA, contact us at [email protected].