Infrastructure
Unheadless is built on modern, enterprise-grade cloud infrastructure. We do not operate our own data centers — instead, we rely on industry-leading providers with established security programs.
| Component | Provider | Details |
|---|---|---|
| Application Hosting | Vercel | Edge-optimized serverless deployment with automatic TLS, DDoS protection, and global CDN |
| Database | Neon (PostgreSQL) | Serverless PostgreSQL in AWS US West 2 (Oregon). SOC 2 Type II compliant. |
| Authentication | Auth.js (self-hosted) | Open-source authentication framework running within our application — no external auth data sharing |
| Payments | Stripe | PCI DSS Level 1 certified. We never store card numbers. |
| Email | Resend | Transactional email delivery for reports and notifications |
Encryption
- In transit: All connections to Unheadless are encrypted with TLS 1.3. We enforce HTTPS on all endpoints with no fallback to unencrypted connections. HSTS headers are set on all responses.
- At rest: All database data is encrypted at rest using AES-256 encryption, managed by Neon's infrastructure on AWS. Backups are also encrypted.
- Passwords: User passwords are hashed using bcrypt with an appropriate cost factor. We never store plaintext passwords. Password reset tokens are single-use and time-limited.
Authentication & Access Control
- Session management: JWT-based sessions with secure, HttpOnly, SameSite cookies. CSRF tokens protect all state-changing operations.
- Role-based access control (RBAC): Three organizational roles — Owner, Admin, and Member — with granular permissions. Configuration and team management are restricted to Owner and Admin roles.
- Invitation-only onboarding: New team members can only join an organization via a secure, time-limited invitation link sent by an existing Owner or Admin.
- SSO (Enterprise): Single Sign-On is available for Enterprise tier customers, enabling centralized authentication through your identity provider.
- Multi-factor authentication (MFA): All users can enable TOTP-based two-factor authentication via any authenticator app. Enterprise organizations can enforce MFA for all team members at the organization level. Backup codes are provided for account recovery.
Multi-Tenant Data Isolation
Unheadless is a multi-tenant application. Every piece of data is scoped to a specific organization (tenant) through foreign key relationships enforced at the database level.
- All database queries are scoped by organization ID — there is no mechanism to query across organizations
- CMS API keys are stored per-organization and encrypted. One organization cannot access another organization's CMS connections
- Scheduled reports, saved queries, and exported data are all strictly scoped to the owning organization
- Administrative impersonation (used for customer support) is logged in the audit trail and restricted to platform administrators
CMS Data Handling
Unheadless is a read-only platform. We access your CMS content through API keys that you provide. While some CMS API keys (e.g., Prismic's Custom Types API key) may carry write permissions, Unheadless uses all keys solely for read operations — no write functions are ever executed.
- We never write, edit, publish, or delete content in your CMS
- Content metadata is stored for the duration of your active subscription to power queries, reports, and content inventory features. We do not store full content body data (e.g., rich text slices).
- You can disconnect a CMS repository at any time, which immediately revokes our access
- API keys are stored encrypted and are never exposed in the UI after initial configuration
- We act as a responsible API citizen — all CMS requests are rate-limited to stay within provider fair-use policies
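An added example of encrypted, per-organization API key storage as described in the list above and under Multi-Tenant Data Isolation (illustrative code, not Unheadless's implementation): keys are sealed with AES-256-GCM, the organization ID is bound in as authenticated data so a ciphertext copied into another organization's row cannot be opened there, and the only value ever returned to the UI is a masked hint. The master key, the row layout and the function names are constructed for the example.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Constructed 32-byte key so the example runs offline; the real key would come
// from the platform's secret store and never sit in source.
const MASTER_KEY = Buffer.alloc(32, 0x42);

// What the database row holds: no plaintext key, only what is needed to decrypt.
interface StoredCmsKey {
  organizationId: string;
  iv: string;         // base64, 12 random bytes, unique per encryption
  ciphertext: string; // base64
  tag: string;        // base64 GCM authentication tag
  hint: string;       // the only thing the UI shows after configuration
}

function encryptCmsApiKey(organizationId: string, apiKey: string): StoredCmsKey {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", MASTER_KEY, iv);
  // The organization ID is authenticated additional data: a ciphertext copied
  // into another organization's row will fail to decrypt there.
  cipher.setAAD(Buffer.from(organizationId, "utf8"));
  const ciphertext = Buffer.concat([cipher.update(apiKey, "utf8"), cipher.final()]);
  return {
    organizationId,
    iv: iv.toString("base64"),
    ciphertext: ciphertext.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    hint: "****" + apiKey.slice(-4),
  };
}

// Called only by the server-side CMS client at request time. Throws if the
// tag does not verify (wrong key, tampered row, or a different organization).
function decryptCmsApiKey(record: StoredCmsKey, requestingOrganizationId: string): string {
  const decipher = createDecipheriv("aes-256-gcm", MASTER_KEY, Buffer.from(record.iv, "base64"));
  decipher.setAAD(Buffer.from(requestingOrganizationId, "utf8"));
  decipher.setAuthTag(Buffer.from(record.tag, "base64"));
  return Buffer.concat([
    decipher.update(Buffer.from(record.ciphertext, "base64")),
    decipher.final(),
  ]).toString("utf8");
}

// The API response / UI model never includes the secret material.
function cmsKeyForUi(record: StoredCmsKey): { organizationId: string; hint: string } {
  return { organizationId: record.organizationId, hint: record.hint };
}
```

Disconnecting a repository then amounts to deleting the row; with no plaintext copy anywhere, the key is gone from the platform at that moment, which is what "immediately revokes our access" requires.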
Audit Logging
All significant actions within Unheadless are recorded in an immutable audit trail:
- Team management: member invitations, role changes, removals
- Configuration changes: CMS connection additions/removals, organization settings
- Administrative actions: impersonation sessions, tier overrides
- Audit logs are retained for 12 months and are accessible to organization Owners and Admins via the Team Audit Trail
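As an added illustration of an immutable, organization-scoped audit trail with a retention window (example code, not Unheadless's implementation, which the page does not describe in this detail): entries are append-only and each one commits to the hash of its predecessor, so an edited or removed row is detectable when the chain is re-verified; reads are filtered by organization and by the 12-month retention. Hash chaining, the 365-day reading of "12 months", and the entry fields are assumptions made for the example.

```typescript
import { createHash } from "node:crypto";

interface AuditEntry {
  seq: number;            // position in the chain
  at: number;             // epoch milliseconds
  actor: string;
  action: string;         // e.g. "member.invited", "cms.connected"
  organizationId: string;
  detail: string;
  prevHash: string;       // hash of the previous entry ("" for the first)
  hash: string;           // sha256 over every field above
}

const RETENTION_MS = 365 * 24 * 60 * 60 * 1000; // "12 months", taken as 365 days

function computeHash(e: Omit<AuditEntry, "hash">): string {
  const material = JSON.stringify([e.seq, e.at, e.actor, e.action, e.organizationId, e.detail, e.prevHash]);
  return createHash("sha256").update(material).digest("hex");
}

// Append-only: the class exposes no update or delete. Each entry commits to
// its predecessor, so an edited or removed row breaks every later link.
class AuditTrail {
  private readonly entries: AuditEntry[] = [];

  append(at: number, actor: string, action: string, organizationId: string, detail: string): AuditEntry {
    const prev = this.entries.length === 0 ? "" : this.entries[this.entries.length - 1].hash;
    const body = { seq: this.entries.length, at, actor, action, organizationId, detail, prevHash: prev };
    const entry: AuditEntry = { ...body, hash: computeHash(body) };
    this.entries.push(entry);
    return entry;
  }

  // What an organization's Owners and Admins see: their own entries within retention.
  visibleTo(organizationId: string, now: number): AuditEntry[] {
    return this.entries.filter((e) => e.organizationId === organizationId && now - e.at <= RETENTION_MS);
  }

  // A copy as it would be read back from storage, for verification.
  snapshot(): AuditEntry[] {
    return this.entries.map((e) => ({ ...e }));
  }
}

// Walks the chain; returns the index of the first entry that does not verify, or -1.
function verifyChain(rows: AuditEntry[]): number {
  let prev = "";
  for (let i = 0; i < rows.length; i++) {
    const e = rows[i];
    if (e.seq !== i || e.prevHash !== prev) return i;
    const { hash, ...body } = e;
    if (computeHash(body) !== hash) return i;
    prev = hash;
  }
  return -1;
}
```

A chain like this detects edits and gaps but not truncation of the newest entries; that needs the latest hash to be periodically recorded somewhere the database writer cannot alter.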
Data Residency
All customer data is stored in the United States, specifically:
- Database: AWS US West 2 (Oregon) via Neon PostgreSQL
- Application: Vercel's global edge network with serverless functions executing in the US
- Backups: Stored in the same AWS region as the primary database
For EU customers, data transfers are covered by Standard Contractual Clauses (SCCs). See our Data Processing Agreement for details.
Vulnerability Disclosure
We welcome responsible security research. If you discover a vulnerability in the Unheadless platform:
- Email security@unheadless.com with a detailed description
- Allow us reasonable time to investigate and remediate before public disclosure
- Do not access, modify, or delete data belonging to other users
We will not take legal action against researchers who follow this responsible disclosure process in good faith.
Subprocessor List
The following third parties process customer data on our behalf. We notify customers of material changes to this list at least 30 days in advance.
| Subprocessor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Application hosting, edge network, serverless compute | USA |
| Neon Inc. | PostgreSQL database hosting, backups | AWS US West 2, Oregon, USA |
| Stripe Inc. | Payment processing, subscription management | USA |
| Resend Inc. | Transactional email, scheduled report delivery | USA |
Last updated: June 2, 2026
Compliance & Certifications
Unheadless is committed to meeting industry-standard compliance requirements:
- GDPR: We comply with the General Data Protection Regulation for all EU customer data. See our Privacy Policy and Data Processing Agreement.
- CCPA/CPRA: We comply with California privacy regulations. We do not sell personal data.
- Infrastructure certifications: Our infrastructure providers maintain SOC 2 Type II (Neon, Vercel), PCI DSS Level 1 (Stripe), and ISO 27001 (AWS) certifications
Contact
For security questions or to report a vulnerability:
- Security: security@unheadless.com
- Privacy: privacy@unheadless.com
- Enterprise inquiries: sales@unheadless.com