Data Processing Agreement (DPA)

Version 1.1 · Updated June 2026

This Data Processing Agreement (DPA) governs the processing of personal data carried out by Hooki Pro de Daniele Pisu (info@hooki.pro) as Data Processor, on behalf of the Customer as Data Controller, in connection with the use of the Hooki Pro platform.

1. Subject and Duration

This DPA applies to all personal data processed by Hooki Pro in delivering the service and remains in force for the entire contractual period, automatically ceasing upon termination or expiry of the subscription.

2. Nature of Data Processed

  • Phone numbers and WhatsApp identifiers of recipients
  • Content of WhatsApp messages sent/received via the platform
  • Media attached to messages (images, documents, audio)
  • Account data (email, encrypted credentials)
  • Billing data (Stripe Customer ID, subscription ID, invoice metadata — card data never passes through Hooki)
  • Technical logs and session data

3. Purpose of Processing

Data is processed solely to deliver the Hooki Pro service: WhatsApp session management, message routing, webhook delivery, conversation history storage, subscription management and billing via Stripe, and related features.

4. Data Retention

  • Messages and media: 90 days from receipt/sending
  • Account data post-termination: deleted within 30 days of contract cessation
  • Technical logs: 30 days (automatic rotation)

5. Security Measures

  • Database encryption at rest (encrypted disk on servers)
  • Industry-standard strong encryption for WhatsApp credentials
  • Per-client data isolation enforced at the database engine level
  • Two-factor authentication (2FA) available for all roles
  • Encrypted off-site backups at a certified European Union provider
  • Administrative server access only via cryptographic keys, never passwords

6. Sub-processors

Hooki Pro uses the following sub-processors, all operating within the European Union or with adequate transfer safeguards (SCC/DPF):

IONOS SE

Germany (EU)

DPA

VPS hosting, PostgreSQL database, Redis, MinIO object storage — main platform infrastructure

Legal basis: EU-based — no extra-EEA transfer

Data categories: Account data, WhatsApp messages, media, technical logs

Vercel Inc.

USA (edge EU — Frankfurt, Germany)

DPA

Frontend hosting (login.hooki.pro, admin.hooki.pro, hooki.pro) and global CDN

Legal basis: Standard Contractual Clauses (SCC) + EU-US Data Privacy Framework (DPF)

Data categories: Navigation data, IP, user agent of frontend visitors

MailerSend

Lithuania (EU)

DPA

Transactional email delivery (notifications, password reset, onboarding)

Legal basis: EU-based — ISO 27001

Data categories: Recipient email address, transactional email content

Scaleway SAS

France (EU)

DPA

Encrypted off-site PostgreSQL database backups (fr-par bucket, Paris)

Legal basis: EU-based — ISO 27001, no extra-EEA transfer

Data categories: Full database backup (all platform data in encrypted form)

Stripe Payments Europe Ltd.

Ireland (EU) + USA

DPA

Payment processing and subscription management for agencies/makers. Card data never passes through Hooki systems — it is held directly by Stripe (PCI-DSS Level 1).

Legal basis: Standard Contractual Clauses (SCC) + EU-US Data Privacy Framework (DPF) — PCI-DSS Level 1

Data categories: Agency company name, contact email, payment card data (held by Stripe), billing metadata

7. Extra-EEA Transfers

Data is processed primarily within the European Union. Extra-EEA transfers occur for: (a) frontend navigation metadata (Vercel, USA) and (b) payment processing via Stripe Payments Europe Ltd. (Ireland, with transfers to the USA covered by SCC + EU-US Data Privacy Framework). Payment card data never passes through Hooki and is held exclusively by Stripe (PCI-DSS Level 1 certified). The full list of sub-processors is available on the Subprocessors page.

8. Data Subject Rights

The Customer (Controller) is responsible for managing data subject requests. Hooki Pro supports the exercise of such rights by providing data export and deletion tools available in the control panel or upon request at info@hooki.pro.

9. Breach Notification

In the event of a personal data breach, Hooki Pro will notify the Customer within 72 hours of becoming aware, providing the information necessary to meet GDPR notification obligations (Art. 33-34).

10. Contact

For any matters relating to this DPA: info@hooki.pro