Data Processing Addendum (DPA)

Effective Date: January 8, 2026

This Data Processing Addendum (“Addendum”) forms part of the Terms of Service between Zhook (“Processor”) and the user or entity subscribing to the service (“Controller”).

1. Subject Matter and Duration

Subject Matter: The processing of MQTT and Webhook data payloads and associated metadata.

Duration: For the term of the Controller’s subscription.

Standard Tiers: Payloads are retained for 30 days.

Compliance Tiers: Payloads are stored in an encrypted vault for up to two (2) years.

2. Nature and Purpose of Processing

The Processor will collect, route, and store data payloads to provide automation, debugging, and audit services (HistoryBundles) as configured by the Controller.

3. Categories of Data and Data Subjects

Data Subjects: The Controller’s end-users, employees, or IoT devices.

Data Types: Names, emails (account info), and any personal data contained within MQTT/Webhook payloads (e.g., location data, sensor readings).

4. Obligations of the Processor (Zhook)

Zhook agrees to:

  • Process only on instructions: Process data only as directed by the Controller via the Zhook dashboard or API.
  • Confidentiality: Ensure all Zhook personnel with access to data are bound by strict confidentiality agreements.
  • Security (Article 32): Implement AES-256 encryption at rest, TLS 1.3 in transit, and regular vulnerability scans.
  • Sub-processors: Zhook uses Upstash (Redis/Kafka) and AWS/Google Cloud for infrastructure. We will notify you of any changes to our sub-processor list 30 days in advance.
  • Data Breaches: Notify the Controller without undue delay (maximum 72 hours) after becoming aware of a personal data breach.

5. Obligations of the Controller (The User)

The Controller (You) agrees:

  • That you have a legal basis (consent or contract) to process the data you send to Zhook.
  • Not to send "Sensitive Data" (health/financial) unless specifically agreed upon in a custom Enterprise DPA.

6. Data Deletion and Return

At the end of the service, or upon the Controller’s request via the "Delete Account" feature, Zhook will permanently delete all stored payloads within 30 days, unless required by law to retain them.

7. International Transfers

If data is transferred outside the EEA (e.g., to a US-based cloud region), Zhook will utilize Standard Contractual Clauses (SCCs) to ensure a high level of data protection.