Skip to content
soonThe webhook.co MCP server — turn any webhook into an agent event. See the roadmap

Data Processing Agreement

Last updated: 11 July 2026

In short (this summary isn't the agreement, but it's honest): the webhooks you capture may contain other people's personal data. For that data you are the controller and we are your processor: we only handle it to run the Service for you, on your instructions. This document is the GDPR Article 28 contract that says so — what we do with it, how we protect it, who else touches it, how it leaves the EU, and what happens when you leave. It applies automatically when you use the Service; you don't need to sign anything.

1. What this is, and when it applies

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (“Controller”) and webhook.co, operated by Sourabh Choraria, a sole trader based in Porto, Portugal (“Processor”, “we”, “us”).

It applies whenever we process personal data (as defined in the GDPR, and in the UK GDPR where relevant) on your behalf. It is incorporated automatically — using the Service is acceptance, and you do not need to sign or return a copy. If your procurement process requires a countersignature, email sourabh@webhook.co.

Terms defined in the GDPR (controller, processor, personal data, processing, data subject, personal data breach, supervisory authority) have the same meaning here.

2. The two roles — and which data this covers

  • The webhooks you capture — we are your processor. Request bodies, headers, and the verification and delivery metadata around them may contain personal data belonging to your users or to third parties. You decide what to send through us and why. This DPA governs that data.
  • Your account data — we are the controller. Your name, email, sign-in identity, organisation, billing details, and usage counts. We decide how to handle that, and our Privacy Policy — not this DPA — governs it.

3. Scope of the processing (Article 28(3))

  • Subject matter: providing the hosted webhook.co Service — receiving, verifying, storing, inspecting, searching, replaying, and delivering the webhooks you capture, and triggering the automated or agent workflows you configure.
  • Duration: for as long as your account is open, and thereafter as set out in §10 (return and deletion).
  • Nature and purpose: receipt, signature verification, deduplication, storage, retrieval, retry, replay, onward delivery, and deletion — all of it automated, and all of it in order to run the Service for you.
  • Types of personal data: whatever your webhooks happen to contain. We do not choose it and cannot predict it. In practice it is commonly identifiers, names, email addresses, postal and IP addresses, transaction and order details, and any other field the sending system puts in the payload.
  • Categories of data subjects: your users, customers, employees, and anyone else whose data appears in the webhooks you route through us.
  • Special categories: the Service is not designed for special-category data (Article 9) and we do not solicit it. If you send it, you do so on your own assessment and at your own risk — see §4 of our Acceptable Use Policy.

4. Our obligations

We process only on your documented instructions. Your instructions are: this DPA, the Terms, and the configuration you set through the dashboard, API, CLI, or MCP server. We will not process the data for any other purpose — in particular we do not sell it, do not use it for advertising, and do not use it to train machine-learning models.

If we are required by EU or Member State law to process it otherwise, we will tell you before doing so unless that law forbids us from telling you.

If we think an instruction is unlawful, we'll tell you rather than quietly comply.

Confidentiality. Access is limited to people who need it to run the Service and who are bound by confidentiality. Today that is a very short list: webhook.co is operated by one person.

5. Security measures (Article 32)

These are the measures actually in place. We've deliberately kept this list to what is true, rather than what sounds reassuring.

  • Encryption in transit: TLS on every external interface — ingestion, API, dashboard, and outbound delivery.
  • Encryption at rest: payload bodies and metadata are stored encrypted at rest by our infrastructure providers. This is provider-managed encryption, not a customer-managed key over your payloads — we don't claim otherwise. Our own high-value secrets (provider signing secrets, your signing keys, sealed ingest tokens) are additionally protected by a key management service.
  • Tenant isolation: customer data is separated at the database level by row-level security, enforced by the database rather than by application code, so a bug in a query cannot return another tenant's rows. Stored payload objects are additionally fenced to the owning organisation.
  • Signature verification:inbound webhooks can be cryptographically verified against the sending provider's signature, and outbound deliveries are signed following the Standard Webhooks specification.
  • Credential handling: API keys are stored only as one-way hashes. We never store passwords — sign-in is via Google, GitHub, or an emailed link.
  • Audit logging: security-relevant actions are written to an append-only, hash-chained audit log, so tampering with the record is detectable.
  • Automated deletion:captured webhooks expire automatically at the end of your plan's retention window, and deletion removes the stored payload body, not just the index entry.
  • Egress protection: outbound delivery and replay refuse to send to private and internal network ranges, so the Service cannot be turned into a probe of internal infrastructure.
  • Resilience: the Service runs on managed, redundant infrastructure with automated retries and durable queues. Data is backed up; residual copies in backups age out on the normal rotation cycle.

What we do not have, and won't pretend to: we hold no SOC 2, ISO 27001, HIPAA, or PCI certification; we do not offer EU-only data residency (see §7); we are not end-to-end encrypted; and we store request bodies and headers unredacted, because inspecting them is the product. If your risk assessment needs any of those, we are not the right processor for that workload yet — and we'd rather tell you now than in a questionnaire later.

6. Sub-processors (Article 28(2) and (4))

You give us general written authorisation to engage sub-processors to help run the Service. The current list — who they are, what each one handles, and where they are — is maintained at webhook.co/sub-processors.

We impose data-protection obligations on each sub-processor that are no less protective than those in this DPA, and we remain fully liable to you for what they do.

Changes. Before we add or replace a sub-processor we will update that page and give you at least 30 days' notice. To receive that notice by email, ask us at sourabh@webhook.coand we'll add you to the list. If you reasonably object on data-protection grounds within that window, tell us and we'll try to find a way through; if we can't, you may terminate the affected Service and we'll refund any prepaid, unused fees for it (an exception to the no-automatic-refunds rule in §6 of the Terms).

7. International transfers

Your data is currently hosted primarily in the United States. We do not offer EU data residency. Say so plainly, because it's the first thing an EU buyer needs to know.

Where we transfer personal data out of the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914), which are incorporated into this DPA by reference:

  • Module Two (controller to processor) applies between you and us, with you as data exporter and us as data importer;
  • Module Three (processor to processor) applies where you are yourself a processor for someone else;
  • docking clause: applicable. Clause 9: Option 2, general written authorisation, with the 30-day notice period in §6 above. Clause 17: governed by the law of Portugal. Clause 18: the courts of Portugal. Annexes I, II, and III are supplied by §§3, 5, and 6 of this DPA and by the sub-processors page, respectively.

For the UK, the ICO's International Data Transfer Addendum applies to the SCCs. For Switzerland, references to the GDPR are read as references to the FADP and the Swiss Federal Data Protection and Information Commissioner is the competent authority.

We rely on the SCCs as the backbone rather than on any single adequacy framework, so that our transfer basis does not evaporate if a framework is struck down.

8. Assisting you

Data-subject requests.The dashboard, API, CLI, and MCP server let you search, export, and delete the data you've captured, which is normally enough to answer an access, rectification, erasure, restriction, or portability request yourself. If it isn't, we'll help you — at no charge for a reasonable volume of requests. If a data subject comes to usdirectly about data we hold as your processor, we won't answer them on the substance; we'll tell them to come to you, and tell you it happened.

DPIAs and prior consultation.We'll give you the information you reasonably need for a data-protection impact assessment or a consultation with a supervisory authority, to the extent it concerns our processing and you can't get it elsewhere.

9. Personal data breaches

If we become aware of a personal data breach affecting the data we process for you, we will notify you without undue delay, and in any event within 72 hours of becoming aware of it.

The notice will describe what happened, the categories and approximate volume of data and data subjects affected so far as we know them, the likely consequences, and what we are doing about it. If we can't give you all of that at once, we'll send what we have and follow up — we won't sit on a partial picture to make the first message tidier.

Notifying you is not an admission of fault. Reporting to a supervisory authority or to affected individuals is yourcall as controller, and we'll help you make it.

10. Return and deletion

You can delete your data at any time from your account, and captured webhooks expire automatically at the end of your plan's retention window without you doing anything.

When your account closes, we delete the personal data we process for you — including the stored payload bodies — within 30 days, unless EU or Member State law requires us to keep it. Export what you need before you close the account: after that window we can't get it back for you.

Residual copies in encrypted backups are removed on the normal backup-rotation cycle, and remain subject to this DPA until they are.

11. Audits (Article 28(3)(h))

On reasonable request, and no more than once a year unless a supervisory authority or a breach requires otherwise, we will give you the information you need to verify that we're meeting this DPA — normally by answering a security questionnaire and providing whatever documentation we have.

Being straight with you:webhook.co is operated by one person and we hold no third-party audit report to hand you. We are not going to pretend an on-site audit of a serverless platform is a thing we can offer. If your compliance process strictly requires a SOC 2 report, we don't have one — and you should factor that in before you build on us.

12. Liability, and how this fits the Terms

Each party's liability under this DPA is subject to the limitations and exclusions in the Terms of Service — except where the GDPR or other applicable law does not permit that, in which case the law wins. Nothing here limits any right a data subject has directly against either of us.

If anything in this DPA conflicts with the Terms, this DPA wins for the personal data we process on your behalf.

13. Changes

We may update this DPA — to reflect a change in the law, in our sub-processors, or in the Service. If a change materially reduces your protection we'll give you reasonable advance notice by email or in the dashboard. The date at the top always reflects the current version.

Questions, or a countersignature request: sourabh@webhook.co.