Article 28 GDPR · Amazon DPP Aligned

Data Processing Agreement

Last updated: 2026-05-10 · Version 1.3

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Mirox, LDA ("Mirox", "Processor") and the customer ("Controller") and governs the processing of personal data and "Amazon Information" by Mirox on the Controller's behalf in accordance with Article 28 of Regulation (EU) 2016/679 ("GDPR") and Amazon's Data Protection Policy.
1. Definitions

  • "Amazon Information" has the meaning given in Amazon's Data Protection Policy and includes, without limitation, any data sourced from a Selling Partner API or Advertising API call: orders, order items, buyer Personally Identifiable Information, shipping addresses, catalog items, inventory levels, pricing, search-query performance, and advertising metrics.
  • "Buyer PII" means buyer-side Personally Identifiable Information made available by Amazon SP-API restricted endpoints, including buyer name, email, shipping address, county, and tax information.
  • "Personal Data" has the meaning given in Article 4(1) GDPR.

2. Subject matter and duration

The subject matter of the processing is the operation of the Mirox autonomous PPC platform on the Controller's Amazon Seller Central or Vendor account. Processing continues for the duration of the Terms of Service and ends on termination, subject to the deletion timelines in Section 12.

3. Nature and purpose of processing

Mirox processes Personal Data and Amazon Information only to: (a) ingest advertising and sales data from the Amazon Selling Partner API and Amazon Advertising API; (b) operate the multi-agent system that analyses, recommends, and (in non-Shadow modes) executes bid and keyword changes within constraints set by the Controller; (c) provide decision traces, audit logs, and dashboards to the Controller; and (d) provide support to the Controller.

4. Categories of data subjects and personal data

  • Data subjects: the Controller's authorised users (employees, agents) who access the Mirox dashboard.
  • Personal Data of authorised users: name, email, role, IP address, session identifiers, audit-log events.
  • Amazon Information: as defined in Section 1. Mirox does not retrieve buyer-side Personally Identifiable Information at all — see the callout below for the technical mechanism.
  • No special categories of Personal Data under Article 9 GDPR are processed. The Service is not designed for and must not be used to process such data.

Amazon Information — specific commitments

Amazon Information is processed strictly in accordance with Amazon's Data Protection Policy. Mirox does not, and shall not: (i) sell or share Amazon Information with third parties for advertising; (ii) use Amazon Information to derive consumer profiles for purposes other than operating the agents on the Controller's behalf; (iii) retain Amazon Information beyond the windows in Section 12; or (iv) make Amazon Information available to LLM sub-processors. Buyer PII is not requested at all — Mirox calls only non-PII order endpoints and omits the dataElements parameter, so Amazon returns only order summaries (identifier, total, status, marketplace, purchase date). This is GDPR data-minimisation in its strongest form: a field that is never received cannot be leaked.
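The "omit the dataElements parameter" commitment above can be enforced in code rather than by convention. The following is an added illustration, not Mirox's own client: it assumes the real SP-API Orders v0 `getOrders` call (whose `dataElements` parameter is what requests `buyerInfo`/`shippingAddress`), refuses to build a request that includes it, and fails closed if a response nevertheless carries PII-bearing keys. The marketplace identifier and order record are constructed sample values.

```python
"""Fail-closed guard for minimal (non-PII) SP-API order ingestion."""
from urllib.parse import urlencode

# Query parameters that would request Buyer PII from the Orders API.
# `dataElements` is the real SP-API Orders v0 parameter; its values
# (buyerInfo, shippingAddress) are exactly what the DPA commits never to send.
RESTRICTED_PARAMS = frozenset({"dataElements"})

# The order-summary fields the DPA names as the only data retained.
SUMMARY_FIELDS = ("AmazonOrderId", "OrderTotal", "OrderStatus",
                  "MarketplaceId", "PurchaseDate")

# Response keys that only appear when restricted data was requested.
# (Assumed names based on the SP-API Orders model; treat as an allow/deny list.)
PII_FIELDS = frozenset({"BuyerInfo", "ShippingAddress", "BuyerTaxInformation"})


def build_orders_query(marketplace_ids, created_after, extra=None):
    """Return the getOrders query string, refusing any restricted parameter.

    Raising here means the request is never sent, so a mis-configured caller
    cannot accidentally widen the data the platform receives.
    """
    params = {"MarketplaceIds": ",".join(marketplace_ids),
              "CreatedAfter": created_after}
    params.update(extra or {})
    bad = RESTRICTED_PARAMS & set(params)
    if bad:
        raise ValueError(f"restricted parameter(s) not permitted by DPA: {sorted(bad)}")
    return urlencode(params)


def project_order_summary(order):
    """Keep only the summary fields; fail closed if PII was returned anyway."""
    leaked = PII_FIELDS & set(order)
    if leaked:
        # Unexpected PII means a token/scope problem upstream: drop the record
        # rather than persist a field the contract says is never held.
        raise RuntimeError(f"unexpected Buyer PII fields in response: {sorted(leaked)}")
    return {k: order[k] for k in SUMMARY_FIELDS if k in order}


if __name__ == "__main__":
    # Constructed sample response (not real Amazon data).
    sample = {"AmazonOrderId": "000-0000000-0000000", "OrderStatus": "Shipped",
              "OrderTotal": {"CurrencyCode": "EUR", "Amount": "19.99"},
              "MarketplaceId": "EXAMPLE_MKT", "PurchaseDate": "2026-05-01T10:00:00Z",
              "LastUpdateDate": "2026-05-02T09:00:00Z"}
    print(build_orders_query(["EXAMPLE_MKT"], "2026-05-01T00:00:00Z"))
    print(project_order_summary(sample))
```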

5. Controller obligations

  • Provide documented, lawful instructions for processing through the Mirox dashboard configuration and the Terms of Service.
  • Ensure the lawful basis under Article 6 GDPR for the processing is established before instructing Mirox.
  • Inform data subjects of processing as required under Articles 13 and 14 GDPR.
  • Maintain Article 30 records of processing for the activities Mirox performs on the Controller's behalf.

6. Processor obligations (Article 28(3) GDPR)

Mirox shall:

  • (a) process Personal Data and Amazon Information only on documented instructions from the Controller, including transfers outside the EEA, unless required to do so by Union or Member State law (in which case Mirox will inform the Controller before processing, unless prohibited).
  • (b) ensure persons authorised to process Personal Data are bound by confidentiality.
  • (c) implement appropriate technical and organisational measures under Article 32 GDPR — see Section 8.
  • (d) respect the conditions in paragraphs 2 and 4 of Article 28 for engaging sub-processors.
  • (e) assist the Controller, as far as possible, in fulfilling its obligation to respond to data-subject requests under Articles 15-22 GDPR.
  • (f) assist the Controller in ensuring compliance with Articles 32-36 GDPR (security, breach notification, DPIA, prior consultation).
  • (g) at the choice of the Controller, delete or return all Personal Data and Amazon Information after the end of the provision of services, and delete existing copies unless Union or Member State law requires storage.
  • (h) make available to the Controller all information necessary to demonstrate compliance with Article 28, and allow for and contribute to audits including inspections (subject to Section 9 below).

7. Sub-processors

The Controller grants Mirox general authorisation to engage sub-processors. The current list is published in the Privacy Policy at /legal/privacy and includes:

  • Hostinger International Ltd — managed VPS hosting in the EU (Lisbon, Portugal).
  • Netlify, Inc. — static hosting for the customer dashboard on the global CDN. No customer data is stored at the Netlify edge; all dynamic data comes from the EU-hosted API.
  • Stripe Payments Europe Ltd — payment processing (PCI-DSS compliant).
  • Resend, Inc. — transactional email (sign-in, billing, security notifications).
  • Google LLC (Gemini API) — LLM inference under zero-retention contract terms; no Amazon Information beyond keyword/product strings is sent.

Mirox will notify the Controller of intended changes concerning the addition or replacement of sub-processors at least 30 days in advance. The Controller may object on legitimate data-protection grounds; if no resolution is reached, the Controller may terminate the affected portion of the Service.

Technical and organisational measures (Article 32)

AES-256-GCM at-rest encryption of seller OAuth tokens; TLS 1.2+ in transit with HSTS preload and OCSP stapling; least-privilege access controls with mandatory MFA for cross-tenant administrators; tenant-scoped query enforcement on every API endpoint; append-only audit log of every read of Amazon Information; documented incident response with a 24-hour Amazon notification commitment; quarterly key rotation; automated CI security scanning (pip-audit, bandit, trivy) gating every production deploy. Full detail at /legal/security.

8. Security of processing

Mirox implements measures appropriate to the risk under Article 32 GDPR, summarised in the box above and detailed at /legal/security. Measures are reviewed at least every six months and updated to reflect the state of the art.

9. Audit rights

On reasonable written notice (no less than 30 days, except where required earlier by a supervisory authority), and no more than once per year except in the case of a personal-data breach, the Controller may audit Mirox's compliance with this DPA. Audits are conducted at the Controller's expense by the Controller or a mutually agreed independent auditor bound by confidentiality, during business hours, in a manner that does not unreasonably interfere with Mirox's operations. Mirox may satisfy audit requests by providing recent third-party assessment reports (including the most recent independent penetration-test executive summary) where available.

10. International transfers

Personal Data and Amazon Information are hosted within the European Economic Area (Lisbon, Portugal). Where a sub-processor processes data outside the EEA — for example, US-based LLM inference or Amazon SP-API endpoints whose backend is operated globally — transfers are governed by the European Commission's Standard Contractual Clauses (Decision 2021/914), Module Three (processor to sub-processor) or Module Two (controller to processor) where applicable, with supplementary measures including encryption and access controls. The Controller hereby authorises Mirox to enter into the SCCs on the Controller's behalf with sub-processors where Module Three applies.

Breach notification clocks

For breaches involving Amazon Information, Mirox will additionally notify Amazon within 24 hours of confirmation, in line with Amazon's Data Protection Policy. For breaches affecting Controller Personal Data only, Mirox notifies the Controller within 72 hours in line with GDPR Article 33. Where both apply, the Amazon clock takes precedence.

11. Personal-data breach

Mirox notifies the Controller without undue delay and in any event within 72 hours of becoming aware of a personal-data breach affecting the Controller's data. For breaches involving Amazon Information, Mirox additionally notifies Amazon within 24 hours of confirmation. Notifications include (where known) the nature of the breach, categories and approximate number of data subjects, likely consequences, and measures taken or proposed to address it, in line with Article 33(3) GDPR and Amazon's Data Protection Policy.

12. Return or deletion of data on termination

On termination of the Terms of Service, the Controller may request export of its data within 30 days. After 30 days, all Personal Data and Amazon Information is hard-deleted from production systems via an automated, idempotent purge that cascades across every table holding tenant-scoped data. The Controller may request immediate deletion (skipping the 30-day clock) by emailing privacy@mirox.pt; immediate-deletion requests are processed within 5 business days. Backup snapshots are overwritten on a 7-day rolling cycle. Mirox certifies deletion in writing on request, except where Portuguese tax or accounting law requires longer retention of specific records.

13. Liability and order of precedence

Liability under this DPA is governed by the limitations in the Terms of Service, except where Article 82 GDPR or mandatory law provides otherwise. In the event of a conflict between this DPA and the Terms, this DPA prevails on data-protection matters. This DPA is governed by Portuguese law; the courts of Lisbon, Portugal have exclusive jurisdiction.

14. Contact

Data-protection contact: privacy@mirox.pt
Security vulnerabilities: security@mirox.pt
Postal: Mirox, LDA — Rua Poço do Moleiro, n.º 241, piso intermédio esq. — frente, 6000-412 Castelo Branco, Portugal (NIPC PT517994160 — see Legal Notice)

A counter-signed copy of this DPA on Mirox letterhead is available on request via privacy@mirox.pt.