Data Processing Addendum
Effective date: March 20, 2026
This Data Processing Addendum ("DPA") is part of the Posthook Terms of Service or other agreement between Posthook, Inc. ("Posthook") and the customer ("Customer") for the Services (the "Agreement").
1. Roles and Scope
1.1 Posthook processes Customer Data on behalf of Customer as a processor (or service provider) under applicable data protection laws.
1.2 Customer is the controller (or business) of Customer Data.
1.3 This DPA does not apply to personal information that Posthook processes as a controller (for example, billing, sales, and marketing data), which is described in the Privacy Policy.
2. Processing Details
Posthook will process Customer Data to provide the Services in accordance with the Agreement and Customer's documented instructions, including Customer's use of the Services. Processing details are in Annex A.
3. Confidentiality
Posthook will ensure that personnel authorized to process Customer Data are bound by confidentiality obligations.
4. Security
Posthook will implement and maintain reasonable administrative, technical, and physical safeguards to protect Customer Data.
5. Subprocessors
5.1 Customer authorizes Posthook to use subprocessors to provide the Services. Posthook will require subprocessors to be bound by data protection obligations no less protective than those in this DPA.
5.2 Current subprocessors are listed in Annex B. Posthook may update subprocessors and will use reasonable efforts to provide notice before engaging a new subprocessor, including by updating Annex B. Where feasible, Posthook will provide at least 15 days' notice. Customer may object as permitted by applicable law. The notice period may be shorter where required to address urgent security, operational, or legal requirements.
If Customer objects to a new subprocessor on reasonable data protection grounds, the parties will work in good faith to address the objection. If the parties cannot resolve the objection, Customer may terminate the affected Services by providing written notice, without penalty, effective as of the date the new subprocessor would begin processing Customer Data for those affected Services.
6. Data Subject Rights
Posthook will assist Customer, as required by law, with data subject requests and regulatory inquiries, considering the nature of processing and information available.
7. Data Breach Notification
Posthook will notify Customer without undue delay and, where feasible, within 72 hours after becoming aware of a personal data breach affecting Customer Data, and will provide information reasonably necessary for Customer to meet its obligations.
8. Deletion and Return
Upon termination of the Services, Posthook will delete or anonymize Customer Data from active systems within a reasonable period, generally within 30 days after the end of any applicable grace period, and from backups on a rolling basis, typically within 90 days, unless required by law to retain it. Customer may delete Customer Data via the Services at any time.
9. Cross-Border Transfers
For transfers of Customer Data from the EEA/UK to countries that have not been deemed to provide adequate protection, the parties incorporate by reference:
- The EU Standard Contractual Clauses (Module Two: Controller to Processor).
- The UK International Data Transfer Addendum to the EU SCCs.
Posthook will make available further information about these transfer mechanisms upon request.
10. Audits
Upon reasonable written request, Posthook will provide information and documentation reasonably necessary to demonstrate compliance with this DPA (for example, security policies and summaries of technical and organizational measures). Customer is not entitled to on-site audits of Posthook systems.
If an audit is required by applicable law or following a material security incident affecting Customer Data, the parties will agree on a scope, timing, and confidentiality protections. Any such audit will be limited to once per year unless required by law.
11. Conflict
If this DPA conflicts with the Agreement, this DPA controls with respect to data protection obligations.
Annex A: Processing Details
Subject Matter
Provision of the Services, including webhook scheduling, delivery, and analytics.
Duration
For the term of the Agreement and thereafter as described in the Privacy Policy retention section. Retention may vary by plan and settings (for example, as described in an Order or shown in the Services) and may depend on when a webhook reaches a terminal state.
Categories of Data Subjects
Customer's end users, customers, and account users.
Categories of Personal Data
- Account identifiers (name, email)
- Authentication data
- Webhook payloads and metadata (which may include personal data depending on Customer's use)
- IP addresses and device/browser data (where collected)
- Support communications
Processing Activities
- Hosting and storage of Customer Data
- Transmission of webhooks to customer endpoints
- Analytics and reporting
- Authentication and account management
- Support and troubleshooting
- Real-time delivery via WebSocket connections
- Dispatch of notifications to customer-configured channels
Annex B: Subprocessors
The following subprocessors may process Customer Data:
- Google/Firebase — authentication and hosting
- Crisp — chat support
- Mailgun — transactional email
Contact
Posthook, Inc.
169 Madison Ave STE 38542
New York, NY 10016
United States
Email: legal@posthook.io