Data Processing Agreement (DPA)
Last updated: March 10, 2026
This Data Processing Agreement (hereinafter "DPA") is entered into between the Client (hereinafter "the Data Controller") and the company PISKEE, publisher of SEEGEA (hereinafter "the Data Processor"), in accordance with Article 28 of the General Data Protection Regulation (GDPR).
This DPA is an integral part of the Terms of Use and the General Terms of Sale of the SEEGEA Service.
1. Definitions
- Personal data: any information relating to an identified or identifiable natural person, within the meaning of Article 4 of the GDPR.
- Processing: any operation performed on personal data (collection, recording, storage, modification, consultation, transmission, deletion).
- Data Controller: the Client who determines the purposes and means of processing data from their e-commerce store.
- Data Processor: PISKEE/SEEGEA, which processes data on behalf of the Data Controller within the scope of the Service.
2. Subject Matter and Scope of Processing
2.1 Nature of Processing
Within the scope of the SEEGEA Service, the Data Processor carries out the following processing on behalf of the Data Controller:
- Import and synchronization of e-commerce catalog data
- Temporary storage of product, collection, and variant data
- Display and editing of data through the user interface
- Transmission of modifications to the Client's CMS
- Versioning and modification history
- Data export in CSV format
2.2 Types of Data Processed
| Category | Data types |
|---|---|
| Catalog data | Titles, descriptions, prices, SKUs, images, metafields, variants, collections |
| Order data | Order numbers, amounts, statuses (read-only) |
| Store data | Store name, URL, currency, settings |
| Access data | OAuth tokens (encrypted) |
2.3 Data Subjects
The data processed primarily concerns the Client's commercial data (product catalog). It may incidentally contain personal data of end customers in orders (names, addresses) viewed in read-only mode.
3. Obligations of the Data Processor
The Data Processor undertakes to:
- Process data only on documented instructions from the Data Controller, unless otherwise required by law
- Ensure confidentiality: ensure that persons authorized to process the data are committed to confidentiality
- Implement appropriate security measures in accordance with Article 32 of the GDPR (see section 5)
- Not engage another sub-processor without prior written authorization from the Data Controller (see section 4)
- Assist the Data Controller in fulfilling its obligations (data subject rights, impact assessments, breach notifications)
- Delete or return all data at the end of the service, at the Data Controller's choice
- Make available all information necessary to demonstrate compliance with obligations and allow audits to be conducted
4. Sub-processors
The Data Controller authorizes the Data Processor to engage the following sub-processors:
| Sub-processor | Processing | Location | Safeguards |
|---|---|---|---|
| Supabase Inc. | Database, auth, storage | EU (Frankfurt) | Supabase DPA, encryption at rest |
| Vercel Inc. | Application hosting | US (global CDN) | Vercel DPA, Data Privacy Framework |
| Stripe Inc. | Payment | US / EU | PCI DSS, Stripe DPA |
| Resend Inc. | Transactional emails | US | Resend DPA, Standard Contractual Clauses |
In the event of adding or replacing a sub-processor, the Data Controller will be notified by email at least 30 days in advance and may object on legitimate grounds.
5. Security Measures
The Data Processor implements the following technical and organizational measures:
5.1 Technical Measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- CMS access tokens encrypted in the database
- Passwords hashed (bcrypt / argon2)
- Row Level Security (RLS) on all tables
- Data isolation per account (multi-tenant with account_id)
- Automatic daily backups
- Access and modification logging
5.2 Organizational Measures
- Restricted access to production data (principle of least privilege)
- Strong authentication for administrator access
- Security incident management procedures
- Staff training on data protection
6. Breach Notification
In the event of a personal data breach, the Data Processor undertakes to:
- Notify the Data Controller within a maximum of 48 hours after becoming aware of the breach
- Provide all necessary information: nature of the breach, categories of data concerned, number of individuals affected, measures taken and proposed
- Cooperate with the Data Controller to remedy the breach
7. International Transfers
Data is primarily hosted in the European Union (Supabase EU). For transfers to the United States (Vercel, Stripe, Resend), the following safeguards are in place:
- EU-US Data Privacy Framework (for certified entities)
- European Commission Standard Contractual Clauses (SCCs)
- Additional measures: encryption, pseudonymization where applicable
8. Data Subject Rights
The Data Processor assists the Data Controller in managing requests from data subjects (access, rectification, erasure, portability, objection, restriction). Requests received directly by the Data Processor are forwarded to the Data Controller within 5 business days.
9. Duration and End of Processing
This DPA is in effect for the entire duration of use of the Service. At the end of the contractual relationship:
- The Data Controller has 30 days to export their data
- After this period, the Data Processor deletes all data within an additional 30 days
- A deletion certificate may be issued upon request
10. Audits
The Data Controller may conduct or commission audits to verify compliance with this DPA, subject to 30 days' notice and in compliance with confidentiality. Audit costs are borne by the Data Controller.
11. Applicable Law
This DPA is governed by French law and the GDPR. In the event of a dispute, the courts of Compiègne shall have exclusive jurisdiction.
12. Contact
For any question regarding this DPA:
dpo@seegea.com
