Security
Last updated: 2026
Protecting customer data is a top priority at OKTee. This page describes the technical and organizational measures implemented to protect the confidentiality, integrity and availability of the data processed on our platform.
OKTee processes only the data required to provide its services, including OKTee Ops, OKTee Marketing, OKTee Logistics and future Finance modules.
1. Infrastructure and hosting
OKTee is built on a cloud infrastructure designed to host core customer data in Europe where the configuration allows it, while relying on certain technical providers that may involve controlled transfers outside the European Union.
- Public website, legal pages and public content: hosted through Framer. The oktee.io website is used to present OKTee services, publish legal pages and provide information to customers, prospects and partners. The public website does not store customers’ operational Amazon data.
- Application interface: hosted through Vercel when this infrastructure is used for the OKTee application. The interface is mainly used to display the application to authorized users. Background processing and primary storage of customer data are not performed in Vercel. Any transfers outside the European Union are covered by appropriate contractual safeguards.
- Customer database: Neon, managed PostgreSQL, hosted in the European Union where the configuration allows it. Customer data, user data, catalog data, order data and Amazon data required for the operation of the platform are stored in this database.
- Automated processing: Railway, used to run synchronization workers, automated processing and server-side tasks. The workers read, process and transmit the data required for the modules enabled by the customer.
- Orchestration: Inngest, used to trigger and supervise certain asynchronous tasks, processing queues, scheduled runs and application workflows.
- Application monitoring: Sentry, used to detect application errors, diagnose incidents and improve service stability. OKTee applies sensitive data filtering where possible.
- AI-assisted analysis: OpenAI may be used for certain OKTee Marketing features, only when these features are enabled by the customer and only for data strictly necessary for product analysis.
- Product page monitoring: Rainforest API may be used to collect certain public Amazon product page signals required for OKTee Marketing, such as visible content, prices, availability or offer signals, when such data is not available or not sufficient through official Amazon APIs.
Core customer data is hosted in Europe where the configuration allows it. The oktee.io public website is hosted by Framer and does not store customers’ operational Amazon data. Certain technical services may involve controlled transfers outside the European Union. OKTee limits the data shared with each provider to what is strictly necessary.
The technical providers used by OKTee are covered by contractual terms, DPAs or transfer safeguards where required.
2. Data encryption
| Level | Applied standard |
|---|---|
| Data in transit | TLS is used for communications between users, the OKTee platform and authorized external APIs. |
| Data at rest | Stored data is encrypted where the infrastructure service used allows or requires it. |
| Backups | Backups are protected according to the mechanisms provided by the infrastructure providers used. |
| Passwords | OKTee never stores passwords in plain text. Authentication mechanisms apply appropriate protection standards. |
| Secrets and tokens | Secrets, technical keys and access tokens are stored securely and are not hard-coded in the application code. |
3. Access control
- Role-based access control, RBAC: access to data and features is limited according to each user’s role.
- Least privilege principle: each user only accesses the information required for their responsibilities.
- Multi-tenant isolation: each customer’s data is logically isolated. Cross-customer access is not authorized.
- Internal access: OKTee team members access a customer’s data only when necessary to provide, maintain, secure or support the service.
- Traceability: important actions may be logged to enable technical, operational or security monitoring.
- Secure sessions: user sessions are protected by appropriate authentication and expiration mechanisms.
4. Amazon SP-API connection security
OKTee connects to Amazon Vendor Central accounts authorized by its customers through the official Amazon APIs, SP-API. For certain OKTee Marketing features, OKTee may also collect public Amazon product page signals through specialized technical providers, when such data is not available or not sufficient through official Amazon APIs.
- The connection to Amazon Vendor Central accounts is initiated by the customer through the official Amazon authorization flow. OKTee never directly asks customers for their Amazon credentials.
- Amazon access tokens are stored securely and are not exposed to end users.
- OKTee access can be revoked by the customer from its Amazon interface where this option is available.
- Requested permissions are limited to the roles required for the modules enabled by the customer.
- OKTee does not sell Amazon data, does not share it for advertising purposes and does not use it outside the services authorized by the customer.
5. Amazon data processed
Depending on the modules enabled and the permissions granted by the customer, OKTee may process certain data from Amazon Vendor Central.
- order data;
- order statuses;
- order acknowledgements and order responses;
- shipment data;
- inventory and availability data;
- catalog data;
- pricing and offer data;
- Brand Analytics data, when available and authorized;
- financial data, invoices, payments, deductions, discrepancies, shortages or chargebacks, when the corresponding access rights are granted.
6. Data from customer systems
OKTee may also process complementary data from customer-authorized systems.
To date, this mainly concerns the customer’s product catalog, retrieved from the customer ERP through the OKTee API or through the customer’s API. This catalog is used to match Amazon purchase orders with the customer’s internal product references, stock rules, logistics rules and automation settings used in OKTee Command Center.
For future Finance modules, OKTee may process other customer-owned data, including ERP, accounting, invoicing, payment, deduction or financial reconciliation data, only when the relevant module is enabled and authorized by the customer.
7. Network security
- HTTPS: all communications between the user and the application are protected via HTTPS.
- Application protection: the infrastructures used by OKTee include protections against common attacks, including injections, unauthorized access attempts or traffic abuse.
- Security headers: security headers may be applied to reduce browser-related risks.
- Environment separation: production, staging and development environments are separated.
- Secrets management: identifiers, API keys and credentials are not stored in code repositories.
8. Security incident management
OKTee has an incident response procedure covering detection, analysis, remediation and communication to affected customers where necessary.
- Detection and qualification of the incident;
- Assessment of potential impact;
- Containment and corrective measures;
- Information to affected customers when the incident affects their data;
- Reasonable assistance to the customer in meeting its regulatory obligations;
- Post-incident analysis and improvement of security measures.
In case of a suspected data breach involving your Amazon or OKTee information, you can contact us immediately at: privacy@oktee.io
9. Secure development practices
- Change review: important application changes are reviewed before being deployed to production.
- Dependency management: OKTee monitors known vulnerabilities in the dependencies used by its application.
- Secrets and credentials: no identifier, API key or password should be stored in code repositories.
- Vulnerability remediation: critical vulnerabilities are handled as a priority.
- Application monitoring: technical errors are monitored to detect malfunctions quickly.
10. Authentication and passwords
- User accounts are protected by secure authentication mechanisms.
- Passwords are never stored in plain text.
- Internal OKTee access is limited to authorized personnel.
- Credential sharing between team members is prohibited.
- Additional authentication strengthening measures may be enabled depending on customer or organizational needs.
11. Sub-processors and data transfers
OKTee ensures that its technical sub-processors are used for specific purposes: public website hosting, application hosting, database management, synchronization workers, orchestration, application monitoring, AI-assisted analysis or public product page monitoring.
Certain sub-processors may involve transfers outside the European Union. Where necessary, such transfers are covered by appropriate contractual safeguards, including the European Commission Standard Contractual Clauses.
Main technical sub-processors
| Sub-processor | Purpose | Main region | Safeguards |
|---|---|---|---|
| Framer | Hosting and delivery of the OKTee public website, legal pages and public content. | Global infrastructure, possible transfers outside the EU. | DPA or applicable contractual terms, with transfer safeguards where required. The public website does not store customers’ operational Amazon data. |
| Vercel | Hosting and delivery of the OKTee application interface when this infrastructure is used. | Global infrastructure, possible transfers outside the EU. | DPA or applicable contractual terms, with transfer safeguards where required. Background processing and primary storage of customer data are not performed in Vercel. |
| Neon | PostgreSQL database used by OKTee. | European Union where the configuration allows it. | DPA or applicable contractual terms, with transfer safeguards where required. |
| Railway | Workers, synchronizations, automated processing and server-side tasks. | European Union where the deployment configuration allows it. | DPA or applicable contractual terms, with transfer safeguards where required. |
| Inngest | Workflow orchestration, asynchronous tasks and technical execution tracking. | Cloud infrastructure, possible transfers outside the EU. | DPA or applicable contractual terms, with transfer safeguards where required. |
| Sentry | Application monitoring, error detection and technical diagnostics. | United States, with appropriate contractual safeguards where required. | Standard Contractual Clauses applicable in case of transfer outside the EU. Sensitive data filtering where possible. |
| OpenAI | AI-assisted analysis for certain OKTee Marketing features enabled by the customer. | United States, with appropriate contractual safeguards where required. | Use limited to OKTee features enabled by the customer. Standard Contractual Clauses where required. |
| Rainforest API | Collection of public Amazon product page signals for OKTee Marketing. | Provider infrastructure, possible transfers outside the EU. | Provider contractual safeguards. OKTee prioritizes official Amazon APIs whenever the required data is available through them. |
The full list of sub-processors is available on the Sub-processors page.
12. Compliance
| Framework | Application |
|---|---|
| GDPR, Regulation EU 2016/679 | OKTee applies the principles of data protection, purpose limitation, data minimization and processing security. |
| Article 28 GDPR | OKTee may act as a processor for its customers and provide a DPA where required. |
| Amazon SP-API Developer Agreement | OKTee uses Amazon data only in connection with services authorized by the customer and in accordance with the roles granted. |
| Standard Contractual Clauses | Used where required to cover certain data transfers outside the European Union. |
| Reversibility | OKTee provides mechanisms for data return or deletion according to applicable contractual terms. |
13. Vulnerability reporting
If you discover a security vulnerability in our systems, please report it responsibly to: privacy@oktee.io
OKTee commits to reviewing any report diligently and prioritizing critical vulnerabilities.
14. Security contact
See also: Privacy Policy · Sub-processors · DPA · Amazon Integration
Security
Last updated: 2026
Protecting our customers' data is one of OKTee's top priorities. This page outlines the technical and organizational measures implemented to safeguard the confidentiality, integrity, and availability of data processed on our platform.
OKTee only processes data necessary to deliver its services, including OKTee Ops, OKTee Marketing, OKTee Logistics, and future Finance modules.
1. Infrastructure and Hosting
OKTee is built on a cloud infrastructure designed to store primary merchant data within Europe when configuration permits, while leveraging specific technical providers that may involve compliant transfers outside the European Union.
- Frontend, Marketing Site, and App: Hosted via Vercel. The interface primarily serves to present the app to authorized users. Core processing and primary merchant data storage do not occur within Vercel. Any transfers outside the EU are protected by appropriate contractual safeguards.
- Merchant Database: Neon, a managed PostgreSQL database, hosted within the EU when configuration permits. This DB stores merchant data, user data, catalog data, order details, and Amazon data required to run the platform.
- Automated Background Processing: Railway, used to run synchronization workers, automated workflows, and server-side tasks. These workers ingest, process, and route data required for client-enabled modules.
- Orchestration: Inngest, utilized to trigger and monitor asynchronous tasks, messaging queues, scheduled runs, and core app workflows.
- Application Performance Monitoring: Sentry, used to detect runtime errors, diagnose incidents, and optimize service stability. OKTee filters out sensitive data at source whenever possible.
- AI-Powered Analytics: OpenAI may be leveraged for specific OKTee Marketing features, only when enabled by the customer and limited strictly to data required for product analysis.
- Product Detail Page (PDP) Monitoring: The Rainforest API may be used to ingest public Amazon PDP signals needed for OKTee Marketing—such as visible content, pricing, buy box status, or offer signals—when this data is unavailable or incomplete via official Amazon APIs.
Primary merchant data is hosted in Europe when configuration permits. Specific backend services may involve compliant data transfers outside the EU. OKTee restricts data shared with third-party providers to the strict minimum necessary.
All technical providers leveraged by OKTee are governed by contractual terms, DPAs, or transfer mechanisms where required.
2. Data Encryption
| Level | Encryption Standard |
|---|---|
| Data in Transit | TLS for all communications between users, the OKTee platform, and authorized external APIs. |
| Data at Rest | Encryption of stored data where supported or mandated by the underlying infrastructure service. |
| Backups | Protected backups leveraging security protocols provided by our infrastructure partners. |
| Passwords | OKTee never stores plaintext passwords. Authentication systems apply industry-standard protection algorithms. |
| Secrets and Tokens | Secrets, API keys, and access tokens are stored securely and never hardcoded into the application source code. |
3. Access Control
- Role-Based Access Control (RBAC): Data and feature access are restricted based on user roles.
- Principle of Least Privilege: Each user only has access to the information required to perform their specific business functions.
- Multi-Tenant Isolation: Merchant data is logically segmented. Cross-tenant access is strictly blocked.
- Internal Access: OKTee team members only access customer data when required to deploy, maintain, secure, or support the service.
- Audit Trails: Critical system actions are logged to enable technical, operational, and security audits.
- Secure Sessions: User sessions are protected with robust authentication and automated timeout mechanisms.
4. Amazon Connection and SP-API Security
OKTee connects to authorized Amazon Vendor Central and Seller Central accounts via the official Amazon Selling Partner API (SP-API). For specific OKTee Marketing features, OKTee may also ingest public Amazon PDP signals via specialized partners when official APIs do not yield sufficient data.
- The connection to Amazon accounts is initiated by the user via Amazon’s official OAuth flow. OKTee will never ask for your direct Amazon credentials.
- Amazon access tokens are stored securely and are never exposed to end-users.
- OKTee's permissions can be revoked at any time by the customer directly from their Amazon seller console.
- Requested permissions are limited to the exact SP-API scopes required to run your active OKTee modules.
- OKTee does not resell Amazon data, share it for advertising, or use it outside the scope of authorized services.
5. Processed Amazon Data
Depending on active modules and authorized scopes, OKTee may process specific datasets from Amazon Vendor Central or Seller Central.
- Order data;
- Order statuses;
- Order acknowledgments and responses;
- Shipment details;
- Inventory levels and availability;
- Catalog and listing detail data;
- Pricing and buy box data;
- Brand Analytics data (where available and consented);
- Financial data, invoices, payments, shortages, disputes, and chargebacks (under corresponding scopes).
6. Data from Merchant Systems
OKTee can also ingest complementary data from authorized merchant systems.
Currently, this primarily applies to the merchant's product catalog, ingested from the merchant's ERP via the OKTee API or the merchant's own API. This catalog enables OKTee to reconcile Amazon purchase orders with internal SKUs, inventory configurations, logistics workflows, and automation rules in the OKTee Command Center.
For upcoming Finance modules, OKTee may process additional datasets, including ERP, accounting, invoicing, payment, and financial reconciliation data, only when the corresponding module is enabled and authorized.
7. Network Security
- HTTPS: All transit communications between the user and the platform are encrypted via HTTPS.
- Application Shielding: OKTee's infrastructure integrates system protection against common vulnerabilities, including injections, unauthorized access attempts, and traffic spikes.
- Security Headers: HTTP security headers are applied to mitigate browser-side vectors.
- Environment Segregation: Production, testing/staging, and development environments are strictly separated.
- Secret Management: Credentials, API keys, and access tokens are stored in secure environments outside source code repositories.
8. Incident Management
OKTee maintains a response procedure covering incident detection, analysis, remediation, and notification to affected parties when required.
- Incident detection and triage;
- Impact assessment;
- Containment and mitigation protocols;
- Merchant notification if an incident impacts client data;
- Reasonable assistance to meet regulatory reporting requirements;
- Post-incident review to strengthen system security.
If you suspect a data breach involving your Amazon or OKTee data, reach out immediately to: privacy@oktee.io
9. Secure Development Practices
- Code Reviews: All significant application updates undergo thorough review before going to production.
- Dependency Management: OKTee monitors direct and indirect dependencies for known vulnerabilities.
- System Credentials: No credentials, API keys, or passwords are permitted inside code repositories.
- Vulnerability Remediation: Critical security issues are treated with top priority.
- Application Monitoring: Software errors are tracked proactively to diagnose anomalies in real time.
10. Authentication and Passwords
- User accounts are protected by secure authentication flows.
- Passwords are encrypted and never stored in plaintext.
- OKTee internal administration access is limited to authorized personnel.
- Credential sharing among users is strictly prohibited.
- Enhanced authentication options can be enabled based on organization needs.
11. Subprocessors and Data Transfers
OKTee ensures that its subprocessors are utilized for designated operations: hosting, databases, background synchronization, orchestration, app diagnostics, AI analytics, or public product page monitoring.
Some subprocessors may involve data transfers outside the EU. Where necessary, these flows are secured under lawful transfer mechanisms, primarily the Standard Contractual Clauses (SCCs) of the European Commission.
Key Technical Subprocessors
| Subprocessor | Purpose | Primary Region | Transfer Safeguards |
|---|---|---|---|
| Vercel | Hosting and delivery of the OKTee web interface. | Global infrastructure (transfers outside EU possible). | Applicable DPA and contract terms with transfer safeguards where required. |
| Neon | PostgreSQL database service for OKTee. | European Union (where configuration permits). | Applicable DPA and contract terms with transfer safeguards where required. |
| Railway | Background workers, synchronization, automated processing, and backend tasks. | European Union (where deployment configuration permits). | Applicable DPA and contract terms with transfer safeguards where required. |
| Inngest | Workflow orchestration, asynchronous tasks, and operational queuing. | Cloud infrastructure (transfers outside EU possible). | Applicable DPA and contract terms with transfer safeguards where required. |
| Sentry | Diagnostic logging, technical crash reporting, and stability analytics. | United States (with appropriate contractual safeguards). | Standard Contractual Clauses (SCCs). Sensitive data is filtered at source where possible. |
| OpenAI | AI-driven product analysis for customer-enabled OKTee Marketing features. | United States (with appropriate contractual safeguards). | Limited strictly to features enabled by the merchant. Standard Contractual Clauses (SCCs). |
| Rainforest API | Ingestion of public Amazon PDP data for OKTee Marketing features. | Provider infrastructure (transfers outside EU possible). | Provider contract terms. OKTee prioritizes official Amazon APIs where applicable. |
The current subprocessor registry is available in full on our Subprocessors page.
12. Compliance
| Framework | Application |
|---|---|
| GDPR (Regulation EU 2016/679) | OKTee adheres to principles of purpose limitation, data minimization, privacy by design, and processing security. |
| GDPR Article 28 | OKTee operates as a Data Processor for its merchants and provides a Data Processing Agreement (DPA) where requested. |
| Amazon SP-API Developer Agreement | OKTee accesses Amazon account data exclusively to deliver authorized operations pursuant to active developer policies. |
| Standard Contractual Clauses (SCCs) | Implemented to secure data routes involving processors located outside the European Union. |
| Data Portability & Porting | OKTee provides mechanisms to return or permanently delete customer datasets under contractual agreements. |
13. Vulnerability Reporting
If you discover a security vulnerability in our platform, please disclose it to us responsibly at: privacy@oktee.io
OKTee evaluates all reports promptly and resolves critical vulnerabilities with priority resources.
14. Security Contact
See also: Privacy Policy · Subprocessors · DPA · Amazon Integration