A single place for everything that governs how we build, operate, and protect DataDoe — the policies you agree to, how we handle your data, who we work with to deliver the service, and the controls that keep it all together.
Concrete controls and commitments, not marketing language. Every claim below maps to a specific clause in our Terms of Service, Privacy Policy, or DPA.
Plain English where possible, legal precision where it matters. Each document is versioned and timestamped; material changes are emailed to you in advance.
The contract governing use of DataDoe — billing, acceptable use, subprocessors, security, AI outputs, and liability.
What we collect, how we use it, who else sees it, and the rights you have under GDPR, UK GDPR, and CCPA. We don't sell your data.
GDPR Article 28 DPA for customers acting as data controllers. Incorporates EU SCCs and the UK IDTA. Downloadable as PDF.
Cookies and similar technologies we use, the categories, and how to control them — including GPC and DNT signals.
If something isn't covered here, email contact@datadoe.com. Security questionnaires and bespoke compliance questions are welcomed.
All customer data — including Amazon Information — is stored and processed on AWS and GCP infrastructure located in the United States.
Encryption: AES-256-GCM at rest, TLS 1.3 in transit. Secrets and API keys are stored in AWS Secrets Manager and never hardcoded in source.
No. DataDoe does not sell, rent, or license customer data or Amazon Information for any purpose.
We share data only with vetted subprocessors — AWS, GCP, Stripe, AWS RUM, and AI inference providers (Anthropic, OpenAI, Google) — each contractually bound to use it only to deliver the specific service we contract for. The full list is in our Privacy Policy.
No. Your data is never used to train AI/ML models — not our own, and not those of any third-party AI provider we route inference through.
AI inference is per-request and ephemeral. Prompts and responses are not retained by inference providers for model improvement.
Yes. Our DPA is GDPR Article 28-compliant and incorporates the EU Standard Contractual Clauses (Module 2, Controller-to-Processor) and the UK International Data Transfer Addendum.
You can read or download the DPA directly — no sales gating. Counter-signed copies are available on request to contact@datadoe.com.
Customer data: retained for the duration of your subscription plus 30 days after termination, after which it is permanently deleted from our active systems. Backups are overwritten on standard rotation.
Buyer PII from Amazon orders: retained no longer than 30 days after order delivery, in line with Amazon's SP-API Data Protection Policy.
Security & audit logs: retained for a minimum of 12 months, scrubbed of PII where not legally required.
By default, DataDoe accounts do not receive buyer PII from Amazon's APIs. PII fields (customer names, shipping addresses) are only retrieved when you explicitly enable the Amazon PII access add-on.
When enabled, PII is retained no longer than 30 days after order delivery, in line with Amazon's SP-API Data Protection Policy. PII is tagged at the source for data attribution and isolated per tenant.
DataDoe maintains a documented Incident Management Plan covering detection, classification, containment, eradication, recovery, and post-incident review. The plan is reviewed every six months and after any material infrastructure change.
If we become aware of a confirmed security incident affecting your data, we notify you without undue delay — within 48 hours of confirmed awareness — with information sufficient for you to meet your own notification obligations (such as the 72-hour GDPR deadline).
AWS (hosting, storage, secrets), Google Cloud Platform (BigQuery dataset sharing), Stripe (payments), AWS RUM (observability), and Anthropic, OpenAI, and Google for AI model inference. All based in the United States.
The full list is in our Privacy Policy and DPA Annex C. The list is updated when a change occurs; customers can monitor it directly and have a right to object under the DPA.
At rest: AES-256-GCM on all AWS and GCP storage. In transit: HTTPS with TLS 1.3 on internal and external networks.
Secrets, API keys, and database credentials are stored in AWS Secrets Manager — never hardcoded in source. S3 buckets enforce Secure Transport; public access is blocked at the account level.
Email contact@datadoe.com with the right you want to exercise: access, correction, deletion, restriction, portability, opt-out of sale or sharing, or withdrawal of consent.
We respond to verified requests within the timeframes required by applicable law. Full details of your rights are in our Privacy Policy. Customers acting as data controllers should also see the DPA Section 8.
For anything related to these policies, your data, security questionnaires, or vendor due diligence, reach out below. We respond to legitimate security and compliance requests within two business days.