Data Processing Agreement (DPA)

Last updated: March 23, 2026

Data Processing Agreement pursuant to Art. 28 GDPR between the Controller — the registered Faktor400 user (Amazon seller) who activates the SP-API integration — and the Processor BeyondWega UG (haftungsbeschränkt), Auf dem Kamp 74, 28865 Lilienthal, Germany.

§ 1 Subject Matter and Duration

  1. This DPA governs the rights and obligations of the parties in connection with the processing of personal data by the Processor on behalf of the Controller within the scope of using the SaaS platform "Faktor400".
  2. This DPA takes effect upon activation of the Amazon SP-API integration in the Controller's Faktor400 user account and applies for the duration of the contractual relationship (cf. GTC § 8). It terminates automatically upon termination of the main contract and complete deletion of all data processed on behalf.
  3. The details of processing, in particular the type, purpose, and scope, result from the following provisions and the service description in the GTC (§ 4).

§ 2 Type and Purpose of Processing

The Processor processes personal data exclusively for the following purposes:

  • Retrieval and storage of Amazon order data via the Amazon SP-API on behalf of the seller to provide Faktor400 analytics features
  • Preparation and analysis of business data (profit calculation, inventory management, PPC analytics)
  • Display in dashboards and reports within the Faktor400 platform

Processing is carried out exclusively in accordance with the Controller's instructions (cf. § 5).

§ 3 Types of Personal Data

The following personal data of Amazon buyers (end customers of the seller) may be processed as part of the SP-API data retrieval:

Data Category | Example Fields | Source
Identification | Buyer name | Amazon SP-API (Orders API)
Contact | Email address (often masked by Amazon), phone number where applicable | Amazon SP-API (Orders API)
Delivery | Delivery address (street, postal code, city, country) | Amazon SP-API (Orders API)
Order | Order number, order date, products, quantities | Amazon SP-API (Orders API)

Note: Payment information of buyers is not processed or stored by Faktor400.

§ 4 Categories of Data Subjects

Amazon buyers (end customers of the seller) whose orders are synchronized via the SP-API.

§ 5 Obligations and Instructions

5.1 Binding Instructions

  1. The Processor processes personal data exclusively on documented instructions from the Controller (Art. 28(3)(a) GDPR). The use of the Faktor400 platform including the configuration of the SP-API integration constitutes the Controller's instruction.
  2. If the Processor is of the opinion that an instruction violates data protection regulations, it shall inform the Controller without delay (Art. 28(3) sentence 3 GDPR).

5.2 Obligations of the Controller

  1. The Controller is responsible for the lawfulness of data processing and ensures that it is entitled to transmit the Amazon SP-API data to Faktor400.
  2. The Controller shall inform the Processor without delay of any errors or irregularities in data processing.

§ 6 Technical and Organizational Measures (TOMs)

The Processor implements the following measures pursuant to Art. 32 GDPR:

Confidentiality

  • Physical access control: Server infrastructure hosted by Hetzner Online GmbH (certified data centers, ISO 27001) in Falkenstein, Germany
  • Logical access control: Authentication via Supabase Auth (PKCE-based), passwords bcrypt-hashed, MFA-capable
  • Data access control: Role-based authorization concept, multi-tenant data separation (each seller can only see their own data)
  • Separation control: Logical tenant separation at database level (organization IDs)

Integrity

  • Transfer control: TLS encryption (TLSv1.2/1.3) for all data transfers, HSTS enabled
  • Input control: Audit logging of relevant data changes

Availability and Resilience

  • Availability control: Regular database backups, monitoring via Prometheus/Grafana
  • Recoverability: Backup-restore procedures documented, recovery tests

Regular Review Procedures

Regular review of TOMs and adaptation to the state of the art.

§ 6a Confidentiality Obligation

The Processor ensures that persons authorized to process personal data are bound by confidentiality obligations or are subject to an appropriate statutory obligation of secrecy (Art. 28(3)(b) GDPR).

§ 7 Sub-Processors

The Processor engages the following sub-processors:

Sub-Processor | Purpose | Location | Transfer Basis
Hetzner Online GmbH | Server hosting, database | Falkenstein, Germany | Not required (EU)
Supabase, Inc. | Authentication | USA | EU-US Data Privacy Framework
Resend, Inc. | Transactional emails | USA | EU-US Data Privacy Framework
PostHog, Inc. | Product analytics (EU instance) | USA (EU data processing) | Not required (EU processing)

  1. The Controller agrees to the use of the above-mentioned sub-processors.
  2. The Processor shall inform the Controller in advance of any intended change regarding the addition or replacement of sub-processors. The Controller has the right to object for good cause within 14 days of notification.
  3. The Processor contractually ensures that sub-processors comply with the same data protection obligations set out in this DPA (Art. 28(4) GDPR).

§ 8 Notification Obligations for Data Breaches

  1. The Processor shall inform the Controller without delay (generally within 24 hours) after becoming aware of a personal data breach (Art. 33(2) GDPR).
  2. The notification shall contain at least:
    • Nature of the breach
    • Affected data categories and approximate number of affected data records
    • Likely consequences
    • Measures taken or proposed to remedy the breach
  3. The Processor shall assist the Controller in fulfilling its notification obligations to the supervisory authority (Art. 33 GDPR) and to the data subjects (Art. 34 GDPR).

§ 9 Support Obligations

The Processor shall assist the Controller, taking into account the nature of processing:

  1. In responding to requests from data subjects exercising their rights (Art. 15–22 GDPR)
  2. In carrying out data protection impact assessments (Art. 35, 36 GDPR), where required

§ 10 Deletion and Return

  1. Upon termination of the main contract, the Processor shall, at the Controller's choice, either return or delete within 30 days all personal data processed on behalf, unless a statutory retention obligation prevents this (Art. 28(3)(g) GDPR; cf. GTC § 9). If the Controller does not make a choice within the deadline, the data will be deleted.
  2. Within the 30-day period, the Controller may request a data export (return) via the Faktor400 platform.
  3. Amazon DPP-compliant PII deletion: Personal buyer data (name, address) is automatically anonymized within 30 days after shipment of the respective order. Aggregated business data (revenue, ASIN metrics) is not affected by this.
  4. Deletion will be confirmed upon request from the Controller.

§ 11 Audit and Accountability Obligations

  1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR.
  2. The Processor shall allow and contribute to audits — including inspections — conducted by the Controller or an auditor mandated by the Controller (Art. 28(3)(h) GDPR). The Controller shall announce on-site audits with reasonable notice (at least 14 days).
  3. Suitable certifications or current audit reports from independent bodies may also serve as proof.

§ 12 Liability

The liability of the parties is governed by the statutory provisions of Art. 82 et seq. GDPR in conjunction with the liability provisions of the GTC (§ 11).

§ 13 Final Provisions

  1. In the event of contradictions between this DPA and the GTC or other agreements, this DPA shall prevail insofar as the subject matter concerns data protection.
  2. The laws of the Federal Republic of Germany shall apply. The place of jurisdiction is governed by § 15 of the GTC.
  3. Amendments to this DPA require text form.

Contact

Questions about data protection or this DPA: datenschutz@faktor400.com

Language Versions

In the event of discrepancies between the German and any English version of this DPA, the German version shall prevail.