Data Processing Agreement (DPA)

Version 1.0 · Updated May 2026

This Data Processing Agreement (DPA) governs the processing of personal data carried out by Hooki Pro de Daniele Pisu (info@hooki.pro) as Data Processor, on behalf of the Customer as Data Controller, in connection with the use of the Hooki Pro platform.

1. Subject and Duration

This DPA applies to all personal data processed by Hooki Pro in delivering the service and remains in force for the entire contractual period, automatically ceasing upon termination or expiry of the subscription.

2. Nature of Data Processed

  • Phone numbers and WhatsApp JIDs of recipients
  • Content of WhatsApp messages sent/received via the platform
  • Media attached to messages (images, documents, audio)
  • Account data (email, encrypted credentials)
  • Technical logs and session metadata

3. Purpose of Processing

Data is processed solely to deliver the Hooki Pro service: WhatsApp session management, message routing, webhook delivery, conversation history storage and related features.

4. Data Retention

  • Messages and media: 90 days from receipt/sending
  • Account data post-termination: deleted within 30 days of contract cessation
  • Technical logs: 30 days (automatic rotation)

5. Security Measures

  • LUKS2 at-rest encryption on the PostgreSQL database
  • AES-256-GCM encryption for WhatsApp credentials (Baileys)
  • Row Level Security (RLS) on PostgreSQL — multi-tenant isolation
  • Two-factor authentication (2FA TOTP) available for all roles
  • Encrypted off-site backups on EU storage (Scaleway, Paris)
  • SSH access to the server with RSA key, no passwords

6. Sub-processors

Hooki Pro uses the following sub-processors, all operating within the European Union or with adequate transfer safeguards (SCC/DPF):

IONOS SE · Germany (EU) · DPA

  • Service: VPS hosting, PostgreSQL database, Redis, MinIO object storage — main platform infrastructure
  • Legal basis: EU-based — no extra-EEA transfer
  • Data categories: Account data, WhatsApp messages, media, technical logs

Vercel Inc. · USA (edge EU — Frankfurt, Germany) · DPA

  • Service: Frontend hosting (login.hooki.pro, admin.hooki.pro, hooki.pro) and global CDN
  • Legal basis: Standard Contractual Clauses (SCC) + EU-US Data Privacy Framework (DPF)
  • Data categories: Navigation data, IP, user agent of frontend visitors

MailerSend · Lithuania (EU) · DPA

  • Service: Transactional email delivery (notifications, password reset, onboarding)
  • Legal basis: EU-based — ISO 27001
  • Data categories: Recipient email address, transactional email content

Scaleway SAS · France (EU) · DPA

  • Service: Encrypted off-site PostgreSQL database backups (fr-par bucket, Paris)
  • Legal basis: EU-based — ISO 27001, no extra-EEA transfer
  • Data categories: Full database backup (all platform data in encrypted form)

7. Extra-EEA Transfers

Data is processed primarily within the European Union. Vercel Inc. (USA) processes only frontend navigation metadata, with adequate SCC safeguards and EU-US Data Privacy Framework (DPF) adherence.

8. Data Subject Rights

The Customer (Controller) is responsible for managing data subject requests. Hooki Pro supports the exercise of such rights by providing data export and deletion tools available in the control panel or upon request at info@hooki.pro.

9. Breach Notification

In the event of a personal data breach, Hooki Pro will notify the Customer within 72 hours of becoming aware, providing the information necessary to meet GDPR notification obligations (Art. 33-34).

10. Contact

For any matters relating to this DPA: info@hooki.pro