Data Processing Addendum
How HookWatch processes personal data on your behalf. A transparency template for beta — not yet a signed agreement.
Last updated: 6 July 2026
DPA status notice
Parties and roles
This addendum is between you (the “Customer”, acting as data controller for the personal data in your webhook payloads and account) and the individual developer who operates HookWatch (“HookWatch”, acting as data processor). For some data — such as your own account and security logs — HookWatch acts as a controller; this addendum concerns the data HookWatch processes on your behalf.
Subject matter
The subject matter is HookWatch's processing of personal data contained in the webhook deliveries and configuration you route through the service, for the purpose of providing webhook capture, forwarding, retry, replay, and monitoring.
Categories of personal data
Determined by what you send. This may include identifiers, contact details, and any other personal data present in your webhook headers and payloads. You control what is included and should avoid sending unnecessary sensitive data.
Categories of data subjects
Determined by your use — typically your end users, customers, or systems referenced in the webhook payloads you send to HookWatch.
Processing activities
Receiving, storing, forwarding, retrying, replaying, displaying, and deleting webhook deliveries and related metadata, plus operating, securing, and supporting the service.
Customer instructions
HookWatch processes personal data on your documented instructions, which include your use of the service's features (for example, configuring an endpoint or triggering a replay). We will not use your payload data for unrelated purposes.
Confidentiality
Personnel authorised to process personal data are subject to appropriate confidentiality obligations.
Security measures
HookWatch applies the technical and organisational measures described on the Security page, including workspace isolation, write-only secrets, encryption of notification secrets at rest, and SSRF-guarded forwarding. We do not claim certification under SOC 2, HIPAA, ISO, or GDPR.
Subprocessors
HookWatch uses the subprocessors listed on the Subprocessors page. We will maintain that list and update it as our infrastructure is confirmed.
International transfers
Where personal data is transferred across borders, appropriate safeguards will apply. Standard Contractual Clauses are not represented as executed at this stage; this will be addressed with legal review before general availability.
Assistance with data subject requests
Taking into account the nature of the processing, HookWatch will provide reasonable assistance to help you respond to data subject requests relating to data we process on your behalf.
Deletion / return of data
On termination, or on your request where supported, HookWatch will delete or return the personal data it processes on your behalf, subject to backups and legal retention requirements. Retention details: it depends on the Customer's subscription plan; per-plan windows are published when paid plans launch.
Audit / help requests
HookWatch will make available information reasonably necessary to demonstrate compliance with this addendum and will respond to reasonable questions. Formal audit rights are to be addressed with legal review before general availability.
Contact
DPA requests: legal@hookwatch.dev. See also Legal Contact.