Data Processing Agreement
For Agency-tier customers processing EU client data
SpecShot is GDPR-conscious by design. This Data Processing Agreement (DPA) governs how Scayver Graphix ("Processor") processes personal data on behalf of you ("Controller") when you use the Service to support your clients' projects.
Request signed DPA copy1. Roles
You are the data Controller. Scayver Graphix is the data Processor. We process personal data solely on your documented instructions.
2. Subject matter and duration
We process personal data contained in your captures, prompts, and account records for the duration of your subscription, plus a 30-day grace period after termination.
3. Nature and purpose
Storage, retrieval, generation of AI-ready development briefs, and presentation through the web portal and Chrome extension.
4. Categories of data subjects
Your team members, your clients (when you capture their websites or share branded capture pages with them).
5. Sub-processors
We use the following sub-processors:
- Clerk, authentication (clerk.com)
- Stripe, billing (stripe.com)
- Supabase, database and file storage (self-hosted on our infrastructure)
- Hostinger, server infrastructure
6. Security measures
- Encryption in transit (TLS 1.2+) and at rest.
- Row-level security on all multi-tenant database tables.
- Workspace-scoped file access controls on storage.
- Audit log of every super-admin support action.
- No payment card data ever touches our servers.
7. Data subject rights
We will assist you in responding to data subject requests (access, rectification, deletion, portability). Reach out to hello@specshot.cc.
8. Breach notification
We will notify you within 72 hours of becoming aware of a personal data breach affecting your data.
9. International transfers
Where personal data is transferred outside the EEA, transfers are governed by the European Commission's Standard Contractual Clauses.
10. Termination
On termination, we delete all personal data within 30 days unless retention is required by law.