DATA PROCESSING AGREEMENT
This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written or electronic agreement between PatternHooks Ltd. ("Processor", "we", "us") and the entity or person agreeing to these terms ("Controller", "Customer", "you") for the provision of webhook infrastructure services (the "Services").
This DPA reflects the parties' agreement with respect to the Processing of Personal Data by Processor on behalf of Controller in connection with the Services, in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation, the California Consumer Privacy Act ("CCPA"), and other applicable data protection laws.
1. DEFINITIONS
In this DPA, the following terms shall have the meanings set out below. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement or applicable Data Protection Laws.
2. SCOPE AND APPLICABILITY
2.1 Scope of Processing
This DPA applies to the Processing of Personal Data by Processor on behalf of Controller in connection with the provision of the Services. The subject matter, duration, nature, and purpose of Processing, as well as the types of Personal Data and categories of Data Subjects, are described in Annex A.
2.2 Roles of the Parties
The parties acknowledge and agree that:
- Controller is the Controller of Personal Data and determines the purposes and means of Processing;
- Processor is a Processor acting on behalf of Controller and shall Process Personal Data only in accordance with Controller's documented instructions;
- Each party shall comply with its respective obligations under Applicable Data Protection Laws.
2.3 Controller Responsibilities
Controller represents and warrants that:
- It has obtained all necessary consents or has another lawful basis for the Processing of Personal Data;
- It has provided appropriate notices to Data Subjects regarding the Processing;
- Its instructions to Processor comply with Applicable Data Protection Laws;
- It has implemented appropriate technical and organizational measures to ensure security of Personal Data prior to transmission to Processor.
2.4 Duration
This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon termination or expiration of the Agreement, subject to Section 11 (Data Deletion and Return).
3. DATA PROCESSING
3.1 Processing Instructions
Processor shall Process Personal Data only:
- In accordance with Controller's documented instructions, including with regard to transfers of Personal Data to a third country or international organization;
- As necessary to provide the Services under the Agreement;
- As required by applicable law to which Processor is subject, in which case Processor shall inform Controller of that legal requirement before Processing (unless prohibited by law).
3.2 Nature of Processing
In connection with the Services, Processor will Process Personal Data for the following purposes:
- Receiving, storing, and forwarding webhook payloads containing Personal Data;
- Providing retry and replay functionality for failed webhook deliveries;
- Logging and monitoring webhook events for debugging and analytics;
- Applying transformations to webhook payloads as configured by Controller;
- Maintaining audit trails and compliance records.
3.3 Prohibited Processing
Controller shall not submit to Processor, and Processor shall not be required to Process, any of the following categories of data unless expressly agreed in writing:
- Special categories of Personal Data as defined in Article 9 of GDPR (data revealing racial or ethnic origin, political opinions, religious beliefs, etc.);
- Personal Data relating to criminal convictions and offenses;
- Financial account numbers, payment card industry data, or similar financial information (except as necessary for billing);
- Government-issued identification numbers (Social Security numbers, passport numbers, etc.);
- Protected health information subject to HIPAA (unless a BAA is in place).
If Controller submits prohibited categories of data without prior written agreement, Controller assumes all risk and liability associated with such Processing.
4. PROCESSOR OBLIGATIONS
4.1 Confidentiality
Processor shall ensure that persons authorized to Process Personal Data:
- Have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Process Personal Data only on documented instructions from Controller;
- Are informed of the confidential nature of the Personal Data and their obligations under this DPA.
4.2 Personnel
Processor shall:
- Limit access to Personal Data to personnel who require such access to perform the Services;
- Ensure all personnel are subject to written confidentiality agreements;
- Conduct background checks on personnel with access to Personal Data, to the extent permitted by law;
- Provide regular data protection training to personnel who Process Personal Data.
4.3 Documentation
Processor shall maintain written records of all categories of Processing activities carried out on behalf of Controller, including:
- The name and contact details of the Processor and Controller;
- The categories of Processing carried out;
- Where applicable, transfers to third countries and the documentation of suitable safeguards;
- A general description of technical and organizational security measures.
4.4 Assistance to Controller
Taking into account the nature of Processing, Processor shall assist Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Controller's obligations to respond to requests for exercising Data Subject rights.
5. SECURITY MEASURES
5.1 Technical and Organizational Measures
Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:
- The pseudonymization and encryption of Personal Data;
- The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems and services;
- The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures.
5.2 Specific Security Controls
Without limiting the generality of Section 5.1, Processor has implemented and shall maintain the security measures described in Annex B, which include:
- Encryption: AES-256 encryption at rest; TLS 1.3 for data in transit
- Access Control: Role-based access control; multi-factor authentication; principle of least privilege
- Network Security: Firewalls, intrusion detection systems, DDoS protection
- Physical Security: SOC 2 Type II certified data centers with 24/7 monitoring
- Monitoring: Real-time security monitoring, logging, and alerting
- Incident Response: Documented incident response procedures
- Business Continuity: Regular backups, disaster recovery procedures
5.3 Security Certifications
Processor maintains the following security certifications and compliance attestations:
- SOC 2 Type II (annually audited)
- ISO 27001:2022
- GDPR compliance (self-assessed and verified)
- PCI DSS (for payment processing components)
5.4 Security Assessments
Processor shall:
- Conduct annual penetration testing by qualified third parties;
- Perform regular vulnerability assessments and remediate identified issues;
- Maintain a bug bounty program for responsible disclosure;
- Provide security assessment reports to Controller upon reasonable request.
6. SUB-PROCESSORS
6.1 Authorization
Controller provides general authorization for Processor to engage Sub-processors to Process Personal Data on Controller's behalf, subject to the requirements of this Section 6.
6.2 Current Sub-processors
The current list of Sub-processors is set forth in Annex C and is also available at patternhooks.com/legal/subprocessors. Controller acknowledges and agrees to the use of these Sub-processors.
6.3 Sub-processor Changes
Processor shall:
- Provide Controller with at least 30 days' prior written notice before engaging a new Sub-processor or replacing an existing Sub-processor;
- Notify Controller via email to the address associated with Controller's account and by updating the Sub-processor list;
- Provide Controller with information about the new Sub-processor, including the entity name, location, and Processing activities.
6.4 Objection Right
If Controller has a legitimate objection to a new Sub-processor based on data protection grounds:
- Controller must notify Processor in writing within 14 days of receiving notice;
- The parties shall negotiate in good faith to resolve the objection;
- If resolution is not possible, Controller may terminate the affected Services without penalty;
- Absence of objection within the 14-day period shall be deemed acceptance.
6.5 Sub-processor Agreements
Processor shall:
- Enter into a written agreement with each Sub-processor imposing data protection obligations materially similar to those in this DPA;
- Remain fully liable to Controller for the performance of Sub-processors' obligations;
- Ensure Sub-processors provide sufficient guarantees regarding security measures.
7. INTERNATIONAL DATA TRANSFERS
7.1 Transfer Mechanisms
Personal Data may be transferred to, and Processed in, countries outside the EEA, UK, or Switzerland. Processor shall ensure that any such transfer is subject to appropriate safeguards as required by Applicable Data Protection Laws, including:
- Transfers to countries with an adequacy decision by the European Commission or UK;
- Standard Contractual Clauses (Module Two: Controller to Processor);
- UK International Data Transfer Agreement or UK Addendum to SCCs;
- Other approved transfer mechanisms under applicable law.
7.2 Standard Contractual Clauses
The parties agree that the Standard Contractual Clauses are incorporated into this DPA by reference and shall apply to transfers of Personal Data from the EEA to third countries. For purposes of the SCCs:
- Module Two (Controller to Processor) applies;
- Clause 7 (docking clause) applies;
- Option 2 of Clause 9(a) applies, with 30 days' notice for Sub-processor changes;
- The optional language in Clause 11 is deleted;
- For Clause 17, the laws of Ireland shall govern;
- For Clause 18, disputes shall be resolved by the courts of Ireland;
- Annexes I and II are completed as set forth in Annexes A and B of this DPA.
7.3 UK Transfers
For transfers of Personal Data from the UK, the UK Addendum to the SCCs shall apply. The parties agree that:
- Table 1 is completed with party details from this DPA;
- Table 2 refers to the SCCs with selected modules as described above;
- Table 3 refers to Annexes A and B of this DPA;
- Table 4 provides that neither party may end the UK Addendum as set out in Section 19 of the UK Addendum.
7.4 Transfer Impact Assessments
Processor has conducted transfer impact assessments for transfers to countries without adequacy decisions and maintains documentation of appropriate supplementary measures. Controller may request a summary of such assessments.
8. DATA SUBJECT RIGHTS
8.1 Assistance with Requests
Processor shall assist Controller in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Laws, including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of Processing
- Right to data portability
- Right to object
- Rights related to automated decision-making and profiling
8.2 Data Subject Request Procedure
If Processor receives a request from a Data Subject:
- Processor shall promptly, and in any event within 5 business days, notify Controller and provide details of the request;
- Processor shall not respond directly to the Data Subject unless authorized by Controller or required by law;
- Processor shall assist Controller in responding within the timeframes required by law;
- Controller shall reimburse Processor for reasonable costs incurred in providing assistance beyond standard functionality.
8.3 Self-Service Functionality
The Services include self-service functionality enabling Controller to access, correct, delete, or export Personal Data without Processor's assistance. Controller is responsible for using this functionality to respond to Data Subject requests where appropriate.
9. PERSONAL DATA BREACH
9.1 Notification
Processor shall notify Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Controller's data. Notification shall be made to the security contact designated by Controller.
9.2 Notification Contents
The notification shall include, to the extent known:
- A description of the nature of the Personal Data Breach, including categories and approximate number of Data Subjects and records affected;
- The name and contact details of the data protection officer or other contact;
- A description of the likely consequences of the Personal Data Breach;
- A description of measures taken or proposed to address the breach, including measures to mitigate possible adverse effects.
9.3 Cooperation
Processor shall:
- Cooperate with Controller in investigating and mitigating the Personal Data Breach;
- Provide additional information as it becomes available;
- Assist Controller in meeting its notification obligations to Supervisory Authorities and Data Subjects;
- Document the Personal Data Breach, including facts, effects, and remedial actions;
- Not make public announcements regarding the breach without Controller's prior written approval, except where required by law.
9.4 Incident Response
Processor maintains documented incident response procedures, including:
- 24/7 on-call security team;
- Defined escalation paths and response timelines;
- Forensic investigation capabilities;
- Regular tabletop exercises and procedure testing.
10. AUDIT RIGHTS
10.1 Audit Information
Processor shall make available to Controller all information necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws, including:
- SOC 2 Type II audit reports (annually updated);
- ISO 27001 certification;
- Penetration test executive summaries;
- Completed security questionnaires (upon request);
- Sub-processor due diligence documentation.
10.2 On-Site Audits
Controller may conduct audits of Processor's facilities and practices, subject to the following:
- Controller shall provide at least 30 days' prior written notice;
- Audits shall be conducted during normal business hours;
- Audits shall not unreasonably interfere with Processor's business operations;
- Controller (or its auditor) shall execute appropriate confidentiality agreements;
- Controller shall bear the costs of the audit, except where the audit reveals material non-compliance;
- Audits shall be limited to once per year, unless a Personal Data Breach or demonstrated non-compliance occurs.
10.3 Third-Party Audits
Controller may appoint a qualified third-party auditor, subject to Processor's reasonable approval (not to be unreasonably withheld) and execution of appropriate confidentiality agreements.
10.4 Regulatory Audits
Processor shall permit and contribute to audits and inspections by Supervisory Authorities or their appointed auditors, to the extent required by Applicable Data Protection Laws.
11. DATA DELETION AND RETURN
11.1 Upon Termination
Upon termination or expiration of the Agreement, Processor shall, at Controller's election:
- Return: Return all Personal Data to Controller in a commonly used, machine-readable format; and/or
- Delete: Delete all Personal Data and certify such deletion in writing.
11.2 Timeline
- Controller must make an election within 30 days of termination;
- If no election is made, Processor shall delete all Personal Data;
- Deletion shall be completed within 90 days of termination;
- Upon request, Processor shall provide written certification of deletion.
11.3 Retention Exceptions
Processor may retain Personal Data to the extent required by applicable law, provided that:
- Processor notifies Controller of the legal requirement (unless prohibited);
- Processor limits retention to the minimum required;
- Processor maintains confidentiality and security of retained data;
- Processor deletes retained data when no longer legally required.
11.4 Backup Copies
Personal Data in backup systems shall be deleted in accordance with Processor's standard backup rotation schedule, not to exceed 90 days from deletion of production data.
12. LIABILITY AND INDEMNIFICATION
12.1 Liability Cap
Each party's liability under this DPA shall be subject to the limitations of liability set forth in the Agreement, except that such limitations shall not apply to:
- Either party's breach of Section 4.1 (Confidentiality);
- Processor's failure to comply with Applicable Data Protection Laws;
- Either party's indemnification obligations below.
12.2 Controller Indemnification
Controller shall indemnify and hold harmless Processor from and against any claims, damages, losses, costs, and expenses arising from:
- Controller's breach of this DPA;
- Controller's violation of Applicable Data Protection Laws;
- Processing carried out in accordance with Controller's instructions that violates Applicable Data Protection Laws.
12.3 Processor Indemnification
Processor shall indemnify and hold harmless Controller from and against any claims, damages, losses, costs, and expenses arising from:
- Processor's breach of this DPA;
- Processor's violation of Applicable Data Protection Laws;
- Processing carried out by Processor contrary to Controller's instructions.
ANNEX A: DETAILS OF PROCESSING
A.1 Subject Matter and Duration
The Processing concerns the provision of webhook infrastructure services for the duration of the Agreement.
A.2 Nature and Purpose of Processing
| Processing Activity | Purpose |
|---|---|
| Webhook reception | Receiving and validating incoming webhook payloads |
| Webhook storage | Temporarily storing webhook payloads for retry and replay |
| Webhook delivery | Forwarding webhook payloads to configured endpoints |
| Transformation | Applying configured transformations to payloads |
| Logging | Recording delivery attempts for debugging and audit |
| Analytics | Aggregating delivery metrics and statistics |
A.3 Categories of Data Subjects
- Controller's customers and end users
- Controller's employees and contractors
- Third parties whose data is included in webhook payloads
A.4 Types of Personal Data
The types of Personal Data depend on the webhook payloads sent by Controller and may include:
- Identifiers (names, email addresses, user IDs)
- Contact information (phone numbers, addresses)
- Transaction data (order details, purchase history)
- Technical data (IP addresses, device information)
- Any other Personal Data included in webhook payloads
A.5 Retention Period
| Plan | Event Log Retention | Payload Retention |
|---|---|---|
| Starter | 7 days | 7 days |
| Pro | 30 days | 30 days |
| Business | 90 days | 90 days |
| Enterprise | Custom | Custom |
ANNEX B: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
B.1 Encryption
- AES-256 encryption for data at rest
- TLS 1.3 for data in transit (minimum TLS 1.2)
- HMAC-SHA256 for webhook signature verification
- Hardware Security Modules (HSMs) for key management
- Regular key rotation (annually or upon compromise)
B.2 Access Control
- Role-based access control (RBAC)
- Multi-factor authentication for all administrative access
- Principle of least privilege
- Unique user accounts (no shared accounts)
- Automatic session timeout
- Strong password requirements
- Access reviews quarterly
B.3 Network Security
- Web Application Firewall (WAF)
- DDoS protection
- Network segmentation
- Intrusion Detection/Prevention Systems (IDS/IPS)
- Regular vulnerability scanning
- IP allowlisting capabilities
B.4 Physical Security
- SOC 2 Type II certified data centers
- 24/7/365 security personnel
- Biometric and badge access controls
- Video surveillance
- Environmental controls (fire, flood, temperature)
B.5 Operational Security
- Change management procedures
- Security logging and monitoring
- Security Information and Event Management (SIEM)
- 24/7 on-call security response
- Regular security training for employees
B.6 Business Continuity
- Multi-region deployment with automatic failover
- Regular backups with encryption
- Documented disaster recovery procedures
- Recovery Time Objective (RTO): 4 hours
- Recovery Point Objective (RPO): 1 hour
- Annual disaster recovery testing
ANNEX C: AUTHORIZED SUB-PROCESSORS
The following Sub-processors are authorized to Process Personal Data on behalf of Controller:
| Sub-processor | Location | Processing Activity | Safeguards |
|---|---|---|---|
| Amazon Web Services, Inc. | USA, EU, APAC | Cloud infrastructure and hosting | SCCs, DPF certified |
| Google Cloud Platform | USA, EU | Cloud infrastructure and hosting | SCCs, DPF certified |
| Cloudflare, Inc. | USA, Global | CDN, DDoS protection | SCCs, DPF certified |
| Stripe, Inc. | USA | Payment processing | SCCs, DPF certified |
| Datadog, Inc. | USA | Infrastructure monitoring | SCCs, DPF certified |
| PagerDuty, Inc. | USA | Incident alerting | SCCs, DPF certified |
| Intercom, Inc. | USA | Customer support | SCCs, DPF certified |
The current list of Sub-processors is maintained at: patternhooks.com/legal/subprocessors
Updates are notified via email to Controller's designated contact.
This DPA is incorporated into and forms part of the Agreement. By using the Services, Controller agrees to be bound by this DPA.
Controller (Customer)
Processor (PatternHooks)
Contact our Data Protection Officer at dpo@patternhooks.com or write to: PatternHooks Ltd, Attn: Legal Department, 347 Wilmslow Rd, Manchester, M14 6SS, United Kingdom.