Amazon Data Protection Policy
This policy ensures that Perimeter Technologies, Inc. (hereinafter called the Developer) is compliant with the Amazon policies listed hereinafter, and it governs the receipt, storage, usage, transfer and disposal of the data vended and retrieved from Amazon Selling Partner APIs. This policy is applicable to all systems that store, process or otherwise handle data vended and retrieved from the Selling Partner APIs. This policy supplements the Amazon Selling Partner API Developer Agreement and the Acceptable Use Policy. Failure to comply may result in suspension or termination of Selling Partner API access.
Acceptable Use Policy
Data Protection Policy
Definitions:
“Application” refers to the Developer’s software applications as they interface with the Amazon Marketplace APIs or the API materials.
“Amazon Information” means any information that is exposed by Amazon through the Marketplace APIs, Seller Central, or Amazon’s public-facing websites. This data includes public, non-public, and Personally Identifiable Information about Amazon customers.
“Authorized User” means a user of Amazon’s systems or services who has been specifically authorized by Amazon to use the applicable systems or services.
“Customer” means any person or entity who has purchased items or services from Amazon’s public-facing websites.
“Developer” means any person or entity that uses the Amazon Services API or the API Materials for a Permitted Use on behalf of an Authorized User.
“Personally Identifiable Information (PII)” means information that can be used on its own or with other information to identify, contact or locate an individual (e.g., a Customer or Authorized User) or to identify an individual in context. This includes, but is not limited to, a Customer’s or an Authorized User’s name, address, email address, phone number, gift message content, survey response, payment details, purchases, cookies, digital fingerprint (e.g., browser, user device), IP address, geo-location, or Internet-connected device product identifier.
“Security Incident” means any actual or suspected unauthorized access, collection, acquisition, use, transmission, disclosure, corruption, or loss of Amazon Information, or breach of any environment:
(i) containing Amazon Information, or
(ii) managed by Developer with controls substantially similar to those protecting Amazon Information.
1. General Security Policies
Consistent with industry-leading security standards and other requirements specified by Amazon based on the classification and sensitivity of Amazon Information, the Developer maintains physical, administrative, and technical safeguards, and other security measures (i) to maintain the security and confidentiality of Amazon Information accessed, collected, used, stored, or transmitted by the Developer, and (ii) to protect that information from known or reasonably anticipated threats or hazards to its security and integrity, accidental loss, alteration, disclosure, and all other unlawful forms of processing. Without limitation, the Developer complies with the following requirements:
1.1. Network Protection
All Developer servers implement network protection controls, including network firewalls. Public access is not allowed, and access is only allowed to specific systems based on IP address.
1.2. Access Management
Access to Amazon Information is strictly limited to users who require access to perform specific required tasks, and access is limited, wherever possible, to only the required data. All users that have access to the Information are assigned a unique ID. Under no circumstances do we create or use generic, shared, or default login credentials or user accounts.
The list of people and services with access to Information is reviewed every 90 days, and the accounts that no longer require access are removed. Storing Information on personal devices is strictly restricted. When an employee leaves the company, their access and user permissions are immediately revoked.
We maintain and enforce “account lockout” by detecting suspicious activity such as multiple failed logins or a large number of requests. Account permissions are revoked immediately and the activity is investigated by IT administrators.
1.3. Encryption in Transit
All Amazon Information is encrypted in transit when the data traverses a network or is otherwise sent between hosts, using HTTP over TLS (HTTPS). This security control is enforced on all applicable internal and external endpoints. The Developer uses message-level data encryption where channel encryption (using TLS) terminates in untrusted multi-tenant hardware (e.g., untrusted proxies).
1.4. Incident Response Plan
The Developer maintains an incident response plan to deal with security incidents, interruption to or degradation of services or systems.
The incident response procedures for specific incident types are defined and, based on the impact and urgency of incidents, an escalation path and procedures to escalate Security Incidents to Amazon are defined.
The Developer reviews the Incident Response Plan every 6 months as well as after any major infrastructure or system change. The Developer investigates each Security Incident and documents the incident description, remediation actions, and associated corrective process/system controls implemented to prevent future recurrence (if applicable). Additionally, the Developer maintains the chain of custody for all the records collected, and such documentation (if applicable) is made available to Amazon upon request.
As part of the Incident Response Plan, and per Amazon’s written Data Protection Policy requirements, the Developer will inform Amazon (via email to [email protected]) within 24 hours of detecting any Security Incidents.
The Developer will not notify any regulatory authority, nor any customer, on behalf of Amazon unless Amazon specifically requests in writing that we do so. Amazon has the right to review and approve the form and content of any notification before it is provided to any third party, unless such notification is required by law, in which case Amazon has the right to review the form and content of any notification before it is provided to any party. The Developer will inform Amazon within 24 hours when their data is being sought in response to legal process or by applicable law.
1.5. Request for Deletion or Return
Within 72 hours of Amazon’s request, the Developer will permanently and securely delete (in accordance with NIST 800-88 industry standard sanitization processes) or return Amazon Information in accordance with Amazon’s notice requiring deletion and/or return. The Developer will also permanently and securely delete all live (online or network accessible) instances of Amazon Information within 90 days after Amazon’s notice. If requested by Amazon, the Developer will certify in writing that all Amazon Information has been securely destroyed.
1.6. Password Management
The Developer will establish minimum password requirements for personnel and systems with access to Information. Passwords will be a minimum of 12 characters, will not include any part of the user’s name, and will contain a mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each. The Developer will establish a minimum password age of 1 day and a maximum 365-day password expiration for all users.
1.7. Least Privilege Principle
The Developer will implement fine-grained access control mechanisms to allow granting rights to any party using the Application and the Application’s authorized operators following the principle of least privilege. Access to Information will be granted on a “need-to-know” basis.
2. Additional Security Policies Specific to Personally Identifiable Information
The following additional Security Policies apply to all Personally Identifiable Information (PII). The Developer application, as it pertains to the Amazon Seller Central API, contains both PII and non-PII; therefore, the entire Amazon data store complies with the following policies:
2.1. Data Retention
The Developer retains the PII only for the purpose of fulfilling orders. This retention period is no more than 30 days (Hold Period) from shipment and online confirmation of delivery to the customer. The Developer may retain the data for over 30 days after order delivery only if required by law and only for the purpose of complying with that law. Per sections 1.3 (Encryption in Transit) and 2.3 (Encryption at Rest), at no point will the PII be transmitted or stored unprotected.
2.2. Data Governance
The Developer has an asset management policy defining how the software and physical assets are kept in an inventory and how this inventory is updated as assets are reassigned or added. The policy also specifies the procedures for data cleansing as assets are reassigned or removed from the inventory, which is reviewed every 6 months, and a full asset inventory is performed. The Developer also has a publicly available privacy policy stating our compliance with all applicable data privacy regulations.
2.3. Data Access
The Developer will grant access to data on a “need-to-know” basis within the organization, to any individual employed or contracted by the organization, and among the Application users. The Developer will inform Amazon ([email protected]) within 30 days of any organizational changes or events that change the organization’s need for or use of Information.
2.4. Encryption and Storage
All PII is encrypted at rest using the AES-256 industry standard. All the cryptographic materials (encryption/decryption keys) and cryptographic capabilities used for encryption of PII at rest are only accessible to the Developer’s system processes and services. The Developer does not store PII in removable media (USB, flash drives, etc.) or unsecured public cloud applications (Google Drive, Dropbox, etc.). No documents containing PII are ever printed on paper.
2.5. Secure Coding Practices
The Developer does not hardcode sensitive credentials in their code, including the encryption keys, secret access keys or passwords. Sensitive credentials are not exposed in public code repositories. The Developer maintains separate test and production environments.
2.6. Logging and Monitoring
The Developer gathers logs to detect security-related events in its Application and systems, including success or failure of the event, date and time, access attempts, data changes and system errors. The logging mechanism is implemented on all channels providing access to Amazon Information. The logs will be accessible only to authorized personnel. The logs will be reviewed using a SIEM tool in real time or on a bi-weekly basis. The logs do not contain PII and are retained for 90 days as reference in the case of any Security Incident. In addition to regular review, the monitoring tool includes real-time notifications via email in the event of a suspicious action (multiple unauthorized calls, unexpected request rate, etc.) triggering an alert. In the event of an alert, the Developer will follow the procedures per the Incident Response Plan.
2.7. Vulnerability Management
The Developer will create and maintain a plan or a runbook to detect and remediate vulnerabilities. The Developer will protect physical hardware containing PII from technical vulnerabilities by performing vulnerability scans every 180 days and scanning code for vulnerabilities prior to each release.
2.8. Asset Management
The Developer will maintain a baseline standard configuration for the information system and keep an inventory of software and physical assets (e.g., computers, mobile devices) with access to PII, updated quarterly. Physical assets that store, process, or otherwise handle PII will abide by all of the requirements set forth in this policy. The Developer will not store PII in removable media, personal devices, or unsecured public cloud applications (e.g., public links made available through Google Drive) unless it is encrypted using at least AES-128 or RSA-2048 bit keys or higher.
Audit and Assessment
The Developer maintains all the appropriate books and records reasonably required to verify compliance with Amazon’s Acceptable Use Policy, Data Protection Policy and the Amazon Selling Partner API Developer Agreement during the period of this agreement and for 12 months thereafter. Upon Amazon’s written request, the Developer will certify in writing to Amazon that it is in compliance with these policies.