This DPA describes controller and processor obligations for data handled by Header Specter.
1. Parties and Roles
For subscription operations, the customer is generally the controller and Header Specter acts as processor for data needed to provide the service.
2. Processing Scope
- Subscription identity and entitlement metadata.
- Encrypted customer email for restore and support workflows when available.
- Security and audit records required for abuse prevention and incident response.
3. Processor Commitments
- Process data only to deliver contracted service and security controls.
- Apply technical and organizational measures appropriate to risk.
- Support export and deletion workflows for data-subject requests.
- Use subprocessors only for necessary platform functionality.
4. Security Measures
- TLS in transit and hardened response header policy.
- Nonce-based CSP, API request signing, and rate-limit enforcement.
- Encrypted email storage and hashed lookups.
- Webhook idempotency and security audit logging.
5. Subprocessors
- Polar: billing and subscription lifecycle.
- Neon: managed database hosting.
- Vercel: app hosting and runtime infrastructure.
Additional details are provided on the Third-Party Services page.
6. International Transfers
Data may be processed in regions used by these infrastructure providers. Where applicable, transfer safeguards are based on provider contractual frameworks and applicable law.
7. Data Subject Requests
- Export route: /api/privacy/export
- Deletion route: /api/privacy/delete