Data Processing Agreement (DPA)
Article 28 GDPR processor agreement for agencies, healthcare vendors, EU businesses and enterprise customers.
1. Who Needs This
If you process personal data of individuals in the EEA, UK, Switzerland or California through HookPilot — for example, an agency processing client subscriber data, a healthcare vendor processing PHI under a BAA, an EU SaaS using HookPilot Caption Studio to draft customer-facing copy — you need a DPA in place with us. Free-plan use that does not process other people's personal data does not strictly require a DPA, but you may still request one.
2. Roles
Under GDPR Article 28, the UK GDPR equivalent, the Swiss FADP and the CCPA "service provider" model: Customer is the controller (the "business" in CCPA terms). HookPilot Caption Studio LLC is the processor (the "service provider" in CCPA terms). HookPilot is permitted to engage sub-processors per Section 6.
3. Subject Matter, Duration, Nature and Purpose
- Subject matter: personal data that Customer submits to or generates inside the HookPilot AI Workforce Operating System.
- Duration: the term of the Customer's HookPilot subscription, plus the 30-day soft-delete window and any legal-hold carve-out per the Data Retention Policy.
- Nature: hosting, AI inference routing, agent execution, caption / video generation, dashboards, audit logging, customer support.
- Purpose: providing the Service the Customer subscribed to and complying with documented Customer instructions.
4. Categories of Data Subjects and Personal Data
- Data subjects: Customer's employees, contractors, end users, marketing audience, and any individuals named in Customer Content.
- Personal data: contact details, identifiers, content metadata, demographic information the Customer chooses to upload, and any AI-output metadata; where the Customer has enabled HIPAA-enabled workspaces, also PHI under the BAA.
- Special-category data: only if the Customer chooses to submit it and has lawful basis to do so under Art. 9 GDPR.
5. Customer Instructions
HookPilot processes personal data only on documented Customer instructions, including the instructions reflected in the Customer's configuration of the Service. This DPA, the Terms of Service, the Privacy Policy and the executed order form together constitute the Customer's documented instructions. HookPilot will inform the Customer if, in its opinion, an instruction infringes applicable data-protection law.
6. Sub-Processors
The Customer authorises HookPilot to engage the sub-processors listed at Privacy §8. HookPilot will give Customer at least 30 days' notice of any new or replacement sub-processor that processes Customer's personal data and the Customer may object on reasonable data-protection grounds. If the parties cannot resolve the objection, the Customer may terminate the affected service for the remainder of the prepaid term.
7. International Transfers
Where personal data is transferred from the EEA, UK or Switzerland to a third country not deemed adequate, the parties incorporate the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914), Module Two (controller to processor), with Annex I (parties, processing, transfer details) and Annex II (technical and organisational measures) populated by reference to this DPA, and Annex III (list of sub-processors) populated by reference to Section 6. The UK International Data Transfer Addendum applies to UK transfers; the Swiss FADP supplementary terms apply to Swiss transfers.
8. Technical and Organisational Measures (Annex II)
HookPilot maintains the security controls described in the Cybersecurity Policy, the Internal Security Access Policy and the Device Policy. These include encryption in transit and at rest, tenant isolation, RBAC with JIT elevation, MFA on consoles, vulnerability management, the SOC operated by the HookPilot Internal Security (HPS) department, and incident response runbooks aligned to the GDPR 72-hour, SEC four-business-day, HIPAA 60-day and U.S. state notification thresholds.
9. Breach Notification and Assistance
HookPilot will notify the Customer without undue delay (and in any case within 72 hours) of becoming aware of a personal-data breach affecting the Customer's personal data, will provide the information required by Art. 33(3) GDPR to the extent then known, and will supply further information in phases as it becomes available (Art. 33(4) GDPR). HookPilot will assist the Customer with: data-subject rights requests forwarded to it; DPIAs and consultations with supervisory authorities; and any prior consultations required by law, all within reasonable scope.
10. Audit
The Customer's audit rights are satisfied by: (a) HookPilot's then-current SOC 2 report when available (see SOC 2 Readiness); (b) responses to industry-standard security questionnaires; and (c) a once-yearly remote audit on reasonable advance notice, subject to confidentiality and HookPilot's reasonable security restrictions. Where law (e.g., Article 28(3)(h) GDPR) requires more, the parties will agree on a proportionate audit method.
11. Return / Deletion at End of Service
On expiry or termination, HookPilot will, at the Customer's choice, return or delete personal data per the Data Retention Policy. The 30-day soft-delete window applies; backups age out within 90 days. HookPilot may retain personal data where required by law, in which case it remains under the protection of this DPA.
12. How to Sign
Email dpo@hookpilot.co from a verifiable corporate email with: legal entity name, registered address, billing email, HookPilot workspace ID(s) covered, and any required Annex details specific to your jurisdiction. We send back a pre-signed PDF for countersignature. Enterprise customers can request the DPA in DocuSign / Ironclad / equivalent.