We’d rather tell you our compliance posture straight than have you discover a gap in a questionnaire.
Here it is.
What we have
- A GDPR Article 28 Data Processing Agreement (DPA) and Standard Contractual Clauses (SCCs) —
see the DPA.
- A published sub-processors list (in the DPA), so you know who touches your data.
- A tamper-evident, verifiable audit log.
- The engineering described in security & architecture — encryption, sealed
secrets, database-enforced tenant isolation, SSRF-safe egress.
What we don’t have — and won’t pretend to
webhook.co holds no SOC 2, ISO 27001, HIPAA, or PCI certification. We are not end-to-end
encrypted, and we store request bodies and headers unredacted because inspecting them is the
product.
If your risk assessment requires any of those, we’re not the right processor for that workload yet.
Please don’t use webhook.co for data that legally requires those certifications — for example regulated
health (HIPAA) or cardholder (PCI) data.
Need a specific statement?
The DPA and privacy policy are the
authoritative documents. If your evaluation needs a compliance statement not covered there,
contact us rather than inferring one from the defenses above.