Data Processing Agreement

Controller: You (the customer) determine the purposes and means of processing personal data by choosing to send webhook payloads through the Service.

Processor: EmitHQ processes personal data contained in webhook payloads solely on your documented instructions for the purpose of delivering webhooks to your configured endpoints.

The Processor shall process personal data only on documented instructions from the Controller. Your use of the API constitutes documented instructions. The Processor shall not process personal data for any purpose other than delivering webhook events and providing the Service as described in the Terms of Service.

The Processor ensures that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

The Processor implements the following technical and organizational measures:

• Encryption in transit (TLS 1.2+) and at rest (AES-256)
• PostgreSQL Row-Level Security for tenant data isolation
• API key authentication with SHA-256 hashing (no plaintext storage)
• Timing-safe signature verification (HMAC-SHA256)
• Access controls limiting personnel access to production data
• Infrastructure provider certifications (SOC 2 via Cloudflare, Railway, Neon)

The Controller provides general authorization for the Processor to engage subprocessors. The current list of subprocessors is published in our Privacy Policy (Section 5).

The Processor shall notify the Controller of any intended changes to subprocessors at least 30 days in advance. The Controller may object to a new subprocessor within 14 days of notification. If the objection cannot be resolved, the Controller may terminate the affected Service.

The Processor shall assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) by providing technical capabilities via the API and dashboard to search, export, and delete event data.

The Processor shall notify the Controller of any personal data breach without undue delay and no later than 72 hours after becoming aware of the breach. The notification shall include:

• Nature of the breach, including categories and approximate number of records affected
• Contact details of the data protection point of contact
• Likely consequences of the breach
• Measures taken or proposed to address the breach

Upon termination of the Service, the Processor shall, at the Controller's choice, delete or return all personal data within 30 days. The Controller may export data via the API before termination. After the 30-day period, remaining data is permanently deleted and cannot be recovered.

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA. The Controller may conduct audits, including inspections, no more than once per year with 30 days advance notice. The Processor may satisfy audit requests by providing relevant certifications, audit reports, or summaries from independent third-party auditors.

Where personal data is transferred outside the European Economic Area, the Processor relies on Standard Contractual Clauses (SCCs) as approved by the European Commission. The SCCs are incorporated by reference into this DPA.

This DPA remains in effect for the duration of the Service agreement. Obligations relating to confidentiality and data deletion survive termination.