Data Processing Agreement (DPA)
Effective Date: February 17, 2026
Last Updated: February 17, 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Headless Commerce (“Processor”, “we”, “us”) and the Merchant (“Controller”, “you”, “your”) and governs the processing of personal data by the Processor on behalf of the Controller.
This DPA is designed to comply with the EU General Data Protection Regulation (GDPR), the Korean Personal Information Protection Act (개인정보 보호법), and other applicable data protection laws.
1. Definitions
- Controller — The Merchant who determines the purposes and means of processing end-customer personal data.
- Processor — Headless Commerce, which processes personal data on behalf of the Controller.
- Sub-processor — A third-party service provider engaged by the Processor to process personal data.
- Personal Data — Any information relating to an identified or identifiable natural person (data subject).
- Data Subject — The end-customer or individual whose personal data is processed.
- Processing — Any operation performed on personal data, including collection, storage, retrieval, use, transmission, and deletion.
2. Scope & Roles
2.1 Roles
- You (Merchant) are the Controller for all end-customer data submitted through your store via our API.
- We (Headless Commerce) are the Processor, acting solely on your documented instructions.
2.2 Data Processed
| Category | Data Elements |
|---|---|
| Customer identity | Name, email address, phone number |
| Addresses | Shipping address, billing address |
| Order data | Order details, order history, fulfillment status |
| Cart data | Cart contents, session identifiers |
| Payment references | Payment method type, Stripe/TossPayments payment ID (NOT card numbers) |
| Customer account | Hashed password, account preferences |
We do not process or store payment card numbers, CVV, or other sensitive payment data. All card data is handled directly by the payment processor (Stripe/TossPayments) and never touches our servers.
3. Controller’s Obligations
As the Controller, you are responsible for:
- Lawful basis — Ensuring you have a valid legal basis (consent, contract, etc.) for collecting and processing end-customer data
- Privacy policy — Providing your end-customers with a clear privacy policy (see our Storefront Privacy Policy Template)
- Data accuracy — Ensuring the accuracy of data submitted to our API
- Data subject requests — Responding to data subject requests from your end-customers (we will assist as described in Section 4.4)
- Consent management — Obtaining and managing end-customer consent where required
4. Processor’s Obligations
4.1 Processing Instructions
We process personal data only in accordance with:
- Your documented instructions (API calls, Dashboard actions)
- The Terms of Service
- This DPA
- Applicable law (where legal obligations require additional processing)
4.2 Confidentiality
All personnel authorized to process personal data are bound by confidentiality obligations.
4.3 Security
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Role-based access control (RBAC)
- API key scoping (per-store isolation)
- Rate limiting and DDoS protection
- Regular security assessments
See Annex A (Security Measures) for full details.
4.4 Data Subject Assistance
We will assist you in responding to data subject requests (access, rectification, erasure, portability, restriction) by:
- Providing API endpoints for data export and deletion
- Responding to your requests within 5 business days
- Implementing technical measures to facilitate compliance
4.5 Breach Notification
In the event of a personal data breach, we will:
- Notify you within 72 hours of becoming aware of the breach
- Provide details including: nature of the breach, categories and approximate number of affected data subjects, likely consequences, and measures taken or proposed
- Cooperate with your investigation and regulatory notification obligations
- Maintain records of all breaches
4.6 Data Protection Impact Assessments
We will provide reasonable assistance for Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities, where required.
5. Sub-processors
5.1 Current Sub-processors
| Sub-processor | Processing Activity | Location |
|---|---|---|
| Neon | Database hosting (PostgreSQL) | US/EU |
| Upstash | Caching and rate limiting (Redis) | Regional |
| Stripe | Payment processing | US (global) |
| Resend | Transactional email delivery | US |
| Sentry | Error monitoring | US |
| AWS S3 | File/media storage | Regional |
| Cloudflare | CDN, WAF, DDoS protection | Global |
| Inngest | Background job processing | US |
5.2 Authorization
You provide general written authorization for us to engage the sub-processors listed above. This authorization extends to replacement sub-processors that provide equivalent or better data protection.
5.3 New Sub-processors
Before engaging a new sub-processor, we will:
- Notify you at least 14 days in advance via email
- Provide the name, location, and processing activities of the new sub-processor
- Allow you to object within the 14-day period
- If you object with reasonable grounds, we will work with you to find an alternative or you may terminate the affected Service
5.4 Liability
We remain fully liable for the acts and omissions of our sub-processors to the same extent as if we performed the processing directly.
6. International Data Transfers
6.1 EU/EEA Transfers
For transfers of personal data outside the EEA, we rely on:
- Standard Contractual Clauses (SCCs) — Module 2 (Controller to Processor) as approved by the European Commission
- Supplementary measures as necessary based on transfer impact assessments
6.2 Korean Transfers
In accordance with the Personal Information Protection Act (개인정보 보호법):
- We ensure that overseas recipients maintain data protection standards equivalent to Korean law (제28조의2)
- Cross-border transfer details are documented in the sub-processor table above
- You may request additional information about transfer safeguards at any time
7. Data Retention & Deletion
7.1 During the Agreement
We retain personal data for the duration of the Terms of Service, processing it only as necessary to provide the Service.
7.2 Upon Termination
Upon termination of the Terms of Service:
- You have 30 days to export all data via the API
- After 30 days, we will permanently delete all personal data from our active systems
- Data in backups will be overwritten within 90 days through normal backup rotation
- We will certify deletion upon your request
7.3 Legal Retention
Where we are required by applicable law to retain certain data beyond termination (e.g., billing records for tax compliance), we will:
- Isolate such data from active processing
- Process it only for the legally required purpose
- Delete it promptly when the retention obligation expires
8. Audits
8.1 Right to Audit
You have the right to audit our compliance with this DPA. Audits may be conducted:
- By you or an independent third-party auditor bound by confidentiality
- With reasonable advance notice (at least 30 days)
- During normal business hours
- No more than once per year (unless required by a supervisory authority or following a breach)
8.2 Audit Reports
As an alternative to on-site audits, we may provide:
- SOC 2 Type II reports (available for Enterprise tier)
- Third-party security assessment reports
- Responses to reasonable written questionnaires
We will make such reports available upon request.
9. Liability
9.1 Each Party’s Liability
Each party is liable for damages caused by its own violation of applicable data protection law or this DPA.
9.2 Cap
Liability under this DPA is subject to the limitation of liability provisions in the Terms of Service.
Annex A: Security Measures
A.1 Encryption
| Layer | Method |
|---|---|
| In transit | TLS 1.3 for all communications |
| At rest | AES-256 encryption via Neon (database) and AWS S3 (files) |
| Secrets | API secret keys stored as hashed values; OAuth tokens encrypted |
| Passwords | bcrypt hashing with appropriate cost factor |
A.2 Access Control
| Control | Implementation |
|---|---|
| Authentication | Email/password with bcrypt, OAuth (Google, GitHub) |
| Authorization | Role-based (Owner, Admin, Staff, Viewer) per organization |
| API isolation | Each Store has separate API keys; data is row-level isolated by store_id |
| Admin access | Minimal personnel with production database access; all access logged |
A.3 Network Security
| Control | Implementation |
|---|---|
| WAF | Cloudflare Web Application Firewall |
| DDoS protection | Cloudflare DDoS mitigation |
| Rate limiting | Redis-based per-key rate limiting |
| API gateway | Request validation, input sanitization |
A.4 Incident Response
| Step | Timeline |
|---|---|
| Detection | Automated monitoring via Sentry and infrastructure alerts |
| Assessment | Within 24 hours of detection |
| Controller notification | Within 72 hours of confirmed breach |
| Regulatory notification | Assist Controller within legally required timeframes |
| Post-incident review | Within 14 days of resolution |
A.5 Backup & Disaster Recovery
| Measure | Detail |
|---|---|
| Database backups | Point-in-time recovery (PITR) via Neon, 30-day retention |
| Geographic redundancy | Multi-region database replicas |
| Recovery testing | Quarterly backup restoration tests |
| RTO/RPO | Recovery Time Objective: 4 hours; Recovery Point Objective: 1 hour |