01 Parties and Scope
This Data Processing Agreement ("DPA") is entered into between:
- Ecomstone Vietnam JSC ("Processor," "we," "Ecomstone"), the data processor handling client data on behalf of the Controller; and
- The Client ("Controller"), the Amazon Selling Partner who authorizes Ecomstone to access and process data via SP-API on their behalf.
This DPA supplements the Service Agreement and Terms of Service between the parties, forming an integral part of the contractual relationship. It incorporates by reference the obligations set out in Amazon's Data Protection Policy for Selling Partner API developers.
02 Nature and Purpose of Processing
Ecomstone processes Client data obtained via SP-API solely for the purpose of delivering the managed services contracted between the parties. This includes:
- Advertising campaign management, optimization, and reporting
- Product listing analysis and optimization
- Inventory planning and FBA shipment coordination
- Account health monitoring and incident response
- Performance analytics and strategic recommendations
We do not process Client data for any other purpose, including but not limited to: AI model training, cross-client benchmarking, aggregated market research for third parties, or resale.
03 Categories of Data Processed
We access only the SP-API roles strictly necessary to deliver the contracted services. Typical roles include:
Personally Identifiable Information (PII) of Amazon customers is explicitly excluded from processing. Ecomstone does not access or retrieve end-customer names, shipping addresses, order-level PII, or payment information via SP-API.
04 Ecomstone's Obligations as Data Processor
Ecomstone commits to the following obligations consistent with Amazon's Data Protection Policy and applicable data protection laws:
- ✓ Process Client data only on documented instructions from the Client, except where required by applicable law
- ✓ Ensure all personnel authorized to process Client data are bound by strict confidentiality obligations
- ✓ Implement appropriate technical and organizational security measures (detailed in Section 05)
- ✓ Not engage sub-processors without prior written authorization from the Client, and impose equivalent data protection obligations on any authorized sub-processors
- ✓ Assist the Client in responding to requests from data subjects exercising their rights
- ✓ Notify the Client without undue delay upon becoming aware of any personal data breach or security incident
- ✓ Delete or return all Client data at the end of the engagement, in accordance with Section 07
- ✓ Make available information necessary to demonstrate compliance with this DPA and allow for audits upon reasonable request
05 Security Measures
Ecomstone implements the following technical and organizational measures to protect Client data:
Encryption in Transit
All API calls and data transfers use TLS 1.3 with modern cipher suites.
Encryption at Rest
Stored data is encrypted using AES-256 on managed cloud infrastructure.
Access Controls
Role-based access with multi-factor authentication for all team members. Principle of least privilege.
Client Isolation
Per-client data partitions. No shared databases or cross-client processing.
Audit Logs
All access to Client data is logged with timestamps, user IDs, and actions performed. Logs retained for 12 months.
Credential Protection
SP-API refresh tokens and credentials stored in encrypted secret managers, never in source code or logs.
Vulnerability Management
Regular security updates and dependency scanning. Vulnerabilities patched within defined SLAs.
Incident Response
Documented incident response procedures. Client notification within 72 hours of confirmed incidents.
06 Sub-Processors
Ecomstone may engage the following categories of sub-processors to deliver services:
- Cloud infrastructure providers (data hosting, compute)
- Analytics and reporting platforms
- Customer communication tools (email, CRM)
- Payment processors (for billing only)
All sub-processors are bound by contractual data protection obligations equivalent to those in this DPA. A current list of sub-processors is available to active Clients upon request.
Clients will be notified at least thirty (30) days in advance of any material change to the sub-processor list and may object in good faith. If an objection cannot be resolved, the Client may terminate the engagement without penalty.
07 Data Deletion and Return
Upon termination of the engagement, or at any time upon written request from the Client:
- Ecomstone will cease all processing of Client data within 24 hours of termination notice
- Ecomstone will revoke its own SP-API access to the Client's Amazon account
- Client data will be deleted from Ecomstone's systems within thirty (30) days of termination
- Backup copies will be purged within the next backup rotation cycle (typically 90 days)
- Upon request, Ecomstone will provide written confirmation of deletion
Exceptions apply only where retention is strictly required by applicable law (e.g., invoices for tax compliance); such retention is limited to the minimum data and period required.
08 Amazon Data Protection Policy Compliance
Specifically, Ecomstone commits to:
- Using SP-API data solely to benefit the authorizing Amazon Selling Partner
- Not combining SP-API data with data from other sources without explicit Client authorization
- Not using SP-API data for competitive analysis across clients or for AI training
- Not creating derivative datasets from SP-API data that could identify individual sellers or customers
- Reporting any security incident affecting SP-API data to Amazon as required by the Developer Agreement
09 Client's Right to Audit
The Client has the right to audit Ecomstone's compliance with this DPA. Audits may take the form of:
- Written questionnaires regarding security and data protection practices
- Review of audit reports from independent third parties (where available)
- On-site or remote audits with reasonable advance notice
Audits are conducted no more than once per year, except in the case of a confirmed security incident, and at the Client's expense unless the audit reveals material non-compliance.
10 Liability and Indemnification
Each party shall be liable for damages caused by its breach of this DPA. Liability limitations set out in the Terms of Service apply, except that such limits do not apply to breaches of confidentiality, data protection obligations, or Amazon policy compliance.
11 Term and Termination
This DPA remains in effect for the duration of the Service Agreement and survives termination to the extent necessary to fulfill post-termination obligations (data deletion, audit rights, confidentiality).
12 Governing Law
This DPA is governed by the laws of the Socialist Republic of Vietnam. Disputes arising under this DPA are subject to the dispute resolution provisions of the Terms of Service.
13 Contact
For questions about this DPA, to report incidents, or to exercise audit rights, contact:
4th Floor, Esymed Building
No. 8 LK29, Duong Noi Urban Area
Ha Dong District, Hanoi, Vietnam
Email: [email protected]
Phone: +84 334 999 811
Security incidents: [email protected] (subject line: "Security Incident")