Data Processing Addendum, DPA

Last updated: 2026

For customers subject to the GDPR or to specific contractual obligations regarding data protection, OKTee may provide a Data Processing Addendum, DPA.

This DPA sets out the conditions under which OKTee processes personal data and certain operational data on behalf of its customers in connection with the provision of OKTee services.

In this context, the customer generally acts as data controller, and OKTee acts as data processor, within the meaning of Article 28 of the GDPR.

What the OKTee DPA covers

The OKTee DPA governs the processing carried out in connection with OKTee Ops, OKTee Marketing, OKTee Logistics and future Finance modules.

• Subject matter, duration and purpose of the processing carried out by OKTee;
• Categories of data processed as part of the OKTee services;
• Respective roles and responsibilities of the customer and OKTee;
• Technical and organizational security measures;
• Access management, authentication and user permission controls;
• Processing of data from Amazon Vendor Central or Seller Central when access has been authorized by the customer;
• Processing of data from customer systems, including ERP, customer API or product catalog data;
• Governance of the technical sub-processors used by OKTee;
• Notification of security incidents or personal data breaches where required;
• Reasonable assistance to the customer in meeting its GDPR obligations;
• Procedure for deletion or return of data at the end of the contract;
• Audit rights under reasonable and contractually defined conditions.

Data concerned

Depending on the modules enabled and the authorizations granted by the customer, OKTee may process different categories of data required for the operation of the platform.

• Professional identification data of authorized users;
• Connection, usage and logging data;
• Customer organization and configuration data;
• Catalog data and product references;
• Order data, order statuses and order responses;
• Inventory, availability, shipment and receipt data;
• Pricing, offer, Buy Box or Featured Offer data where available and authorized;
• Brand Analytics data where available and authorized;
• Financial data, invoices, payments, deductions, discrepancies, shortages or chargebacks where the corresponding access rights have been granted;
• ERP data, customer API data or internal customer data provided by the customer to enable reconciliation with Amazon data.

Amazon data

OKTee may process certain data from Amazon SP-API only when the customer has explicitly authorized access to its Amazon Vendor Central or Seller Central account.

This data is used only to provide the OKTee services enabled by the customer: operational automation, order monitoring, catalog analysis, marketing analysis, product page monitoring, logistics tracking, financial reconciliation, alerts, dashboards and audit logs.

OKTee does not sell Amazon data, does not share it for advertising purposes and does not use it outside the services authorized by the customer.

Data from customer systems

OKTee may also process complementary data from customer-authorized systems.

To date, this mainly concerns the customer’s product catalog, retrieved from the customer ERP through the OKTee API or through the customer’s API. This catalog is used to match Amazon purchase orders with the customer’s internal product references, stock rules, logistics rules and automation settings used in OKTee Command Center.

For future Finance modules, OKTee may process other customer-owned data, including ERP, accounting, invoicing, payment, deduction or financial reconciliation data, only when the relevant module is enabled and authorized by the customer.

Sub-processors

OKTee uses certain technical sub-processors to host, synchronize, monitor, secure and improve its services.

These sub-processors may be used for hosting, database management, synchronization workers, task orchestration, application monitoring, AI-assisted analysis or collection of public product page signals.

The full list of sub-processors is available on the Sub-processors page.

Transfers outside the European Union

Certain sub-processors or technical services may involve transfers of data outside the European Union.

Where necessary, OKTee ensures that such transfers are covered by appropriate safeguards, including the European Commission Standard Contractual Clauses or any other mechanism recognized by applicable regulations.

Specific clauses or annexes may be included in the DPA where required by the customer’s situation, including for customers located in the United Kingdom or Switzerland.

Technical and organizational measures

OKTee applies technical and organizational measures designed to protect the data processed by the platform, including:

• role-based access control;
• access limited to authorized users;
• logical separation of customer data;
• encryption of data in transit;
• encryption of sensitive data at rest where necessary;
• secure storage of secrets, keys and tokens;
• logging of important actions;
• application monitoring and error detection;
• limitation of data shared with sub-processors;
• incident management procedures;
• possible revocation of Amazon access by the customer.

Credentials, secrets, access tokens and technical keys are stored securely and are not hard-coded in the application code.

Incident notification

In the event of a security incident affecting personal data processed on behalf of a customer, OKTee will inform the customer without undue delay after becoming aware of it, in accordance with the obligations set out in the DPA and applicable regulations.

Where applicable, OKTee will provide the reasonably available information required to help the customer assess the impact of the incident and comply with its own regulatory obligations.

Deletion or return of data

At the end of the contractual relationship, the customer may request the deletion or return of the data processed by OKTee, under the conditions set out in the contract and the DPA.

Certain data may be temporarily retained where necessary to comply with a legal obligation, ensure service security, manage a dispute, maintain technical logs or complete an ongoing contractual operation.

How to obtain the OKTee DPA

To obtain the OKTee DPA, please send a request to:

Please specify:

• the name of your legal entity;
• the address of your registered office;
• the name and email address of your legal, GDPR or DPO contact;
• where applicable, any contractual constraints specific to your organization.

OKTee will provide an adapted version of the DPA as soon as reasonably possible.

Already a customer?

If you are already an OKTee customer, the DPA may be attached to your existing contract. You may contact your usual OKTee representative or write directly to legal@oktee.io.

Contact

See also: Privacy Policy · Sub-processors · Security · Amazon Integration