Data Processing Agreement
Parties to this Agreement
This Data Processing Agreement ("DPA") is entered into between:
- Data Controller ("Customer"): The legal entity that has accepted SocialHook's Terms of Service and is identified in the SocialHook account registration.
- Data Processor ("SocialHook"): Lead Lock Systems LLC, incorporated in Wyoming, United States, operating SocialHook at socialhook.io.
This DPA supplements and forms part of the SocialHook Terms of Service. In the event of any conflict between this DPA and the Terms of Service regarding data protection matters, this DPA shall prevail.
1. Definitions and scope
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
- "Personal Data" has the meaning given in Article 4(1) GDPR.
- "Data Subject" means the natural person whose Personal Data is processed — in this context, the end customers who send messages to the Controller's connected Meta platform accounts.
- "Meta Messaging Data" means Personal Data contained in messages processed by SocialHook for webhook delivery.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses adopted by the European Commission in Decision 2021/914.
- "Sub-processor" means any third party engaged by SocialHook to process Personal Data under this DPA.
2. Subject matter and duration
SocialHook processes Personal Data on behalf of the Customer solely for the purpose of providing the SocialHook service — receiving messages from Meta's APIs on the Customer's connected platform accounts and delivering them to the Customer's designated webhook endpoint.
This DPA commences on the date the Customer accepts the Terms of Service and continues until the termination of the Customer's SocialHook subscription.
3. Nature and purpose of processing
SocialHook acts as an automated relay — receiving structured message data from Meta's APIs, normalizing it into a consistent JSON payload, signing it with HMAC-SHA256, and delivering it to the Customer's webhook endpoint. SocialHook performs no independent analysis, profiling, or further processing of Personal Data beyond what is necessary for delivery.
4. Obligations of the processor (SocialHook)
1. Process only on documented instructions — SocialHook will process Personal Data only in accordance with the Customer's documented instructions, as represented by the Customer's webhook and event configuration settings.
2. Confidentiality — SocialHook will ensure that persons authorised to process Personal Data are subject to appropriate confidentiality obligations.
3. Security — SocialHook will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
4. Sub-processor restrictions — SocialHook will not engage sub-processors without prior general or specific written authorisation of the Customer.
5. Assist with data subject rights — SocialHook will assist the Customer in fulfilling its obligations to respond to requests from Data Subjects, to the extent technically feasible.
6. Deletion upon termination — Upon termination, SocialHook will delete or return all Personal Data to the Customer.
7. No independent purposes — SocialHook will not use Personal Data for any purpose other than providing the SocialHook service. SocialHook will not sell, rent, or otherwise commercially exploit Personal Data.
5. Obligations of the controller (Customer)
The Customer is responsible for:
1. Ensuring it has a valid lawful basis under GDPR Article 6 for processing Personal Data through SocialHook
2. Providing adequate privacy notices to its end customers regarding the processing of their message data
3. Ensuring that any instructions given to SocialHook comply with applicable data protection law
4. Maintaining the security of its webhook endpoint and secret key
5. Handling any data subject rights requests received from its end customers
6. Sub-processors
The Customer hereby grants SocialHook general authorisation to engage the following sub-processors:
| Sub-processor | Location | Purpose | Transfer mechanism |
|---|---|---|---|
| Amazon Web Services (AWS) | United States | Cloud hosting, database, infrastructure | Standard Contractual Clauses |
| Stripe, Inc. | United States | Payment processing | Standard Contractual Clauses |
| Meta Platforms, Inc. | United States | Source of message data (API provider) | Meta's own data transfer mechanisms |
SocialHook will notify the Customer of any intended changes to sub-processors with at least 14 days' written notice.
7. Security measures
- Encryption in transit — TLS 1.2 or higher for all data in transit
- Encryption at rest — AES-256 encryption for stored data, including any temporarily buffered payloads
- Access controls — Role-based access control with multi-factor authentication for all internal system access
- Payload buffer TTL — Failed-delivery payload buffers are automatically deleted after a maximum of 24 hours
- No message content in logs — Application logs are configured to exclude message body content
- Payload signing — HMAC-SHA256 signature on every delivery
- Infrastructure security — AWS infrastructure holding ISO 27001 and SOC 2 certifications
8. Data breach notification
In the event of a Personal Data breach, SocialHook will notify the Customer within 48 hours of becoming aware (to allow the Customer sufficient time to comply with its own 72-hour GDPR Article 33 notification obligation). SocialHook will provide the nature of the breach, categories of Data Subjects affected, and measures taken to address it.
9. Data subject rights
The Customer, as data controller, is primarily responsible for handling data subject rights requests. SocialHook will promptly notify the Customer of any requests received directly, and will assist the Customer in responding to the extent technically feasible.
Given that SocialHook does not permanently store message content, the scope of SocialHook's assistance is limited to: (a) deletion of any payload data in the 24-hour retry buffer, and (b) deletion of delivery metadata logs relating to the relevant Data Subject.
10. Retention and deletion
Upon termination of the service, SocialHook will delete all Customer account data and any associated Personal Data within 30 days of termination, unless applicable law requires longer retention. SocialHook will provide written confirmation of deletion upon request.
11. International transfers
SocialHook is based in the United States. To the extent that SocialHook processes Personal Data from the EU/EEA, such transfers are made on the basis of Standard Contractual Clauses (SCCs) as adopted by the European Commission in Decision 2021/914. The SCCs are incorporated by reference into this DPA and are available in full upon request.
12. Audits and inspections
SocialHook will make available all information reasonably necessary to demonstrate compliance with obligations under Article 28 GDPR. Audits may be conducted by the Customer or a third-party auditor designated by the Customer, subject to at least 30 days' advance written notice, during normal business hours, and not more than once per year absent a specific cause.
13. Termination
This DPA terminates automatically upon the termination of the Customer's SocialHook subscription. Either party may terminate this DPA immediately if the other party materially breaches data protection obligations and fails to remedy the breach within 30 days of written notice.
14. Governing law and disputes
This DPA is governed by the laws of the State of Arizona, United States, without prejudice to any mandatory provisions of EU data protection law that may apply to the Customer as a data controller established in the EU/EEA.
15. Annex — Details of processing
Categories of Data Subjects
End customers and contacts who send messages to the Controller's connected Facebook Pages, Instagram Business accounts, or WhatsApp Business numbers.
Categories of Personal Data
- Identifiers: phone numbers (WhatsApp), Facebook Page-Scoped IDs (Facebook), Instagram user IDs and usernames (Instagram)
- Message content: text, media type indicators, and media URLs
- Metadata: timestamps, conversation IDs, platform account IDs
Nature and purpose of processing
Automated normalization, signing, and delivery of inbound Meta platform messages to the Controller's webhook endpoint. No manual review, profiling, or independent use of Personal Data.
Duration of processing
For the duration of the Customer's SocialHook subscription. Message content is processed transiently — maximum retention of 24 hours for failed deliveries. Delivery metadata retained for 30 days.
Request an executed DPA
To receive a countersigned DPA for your records, email us with your company name, registered address, and authorized signatory contact.