Amazon Data Protection and Processing Policy

1. Policy Overview

This "Amazon Data Protection and Processing Policy" (hereinafter referred to as "this Policy") is established in accordance with Amazon's Data Protection Policy (DPP) and applies to all Amazon data obtained through SP-API. It regulates our organization's processes for collecting, processing, storing, using, sharing, and deleting Amazon seller data to ensure data security, privacy, and compliance with relevant requirements.

2. Data Types and Collection

2.1 Data Types

The following data is obtained through Amazon SP-API:

Order information (including recipient address, product name, SKU, quantity, selling price, discounts, order creation time, order status, latest ship date and delivery date, transaction information)
Advertising data (ad traffic, conversion rate, ACOS)
Product listing data (ASIN, price, inventory, status, title, product description, other product attributes)
Order/advertising/sales reports

2.2 Collection Methods

All data is obtained exclusively through Amazon's official interfaces (SP-API/MWS). The use of crawlers or other unauthorized methods to collect data is prohibited.
Only the minimum amount of data necessary for business operations is collected. Collection of Amazon data unrelated to business needs is prohibited.

2.3 Data Transmission

All data transmission channels must be encrypted using TLS 1.2 or higher. The use of unencrypted protocols such as FTP or HTTP to transmit Amazon data is prohibited.

2.4 Data Storage

All stored Amazon data must be encrypted using the AES-256 encryption algorithm.
AWS KMS is used to manage encryption keys, with keys rotated every 90 days.
Data is stored in AWS European regions.
Storage of Amazon data on removable media (e.g., USB drives), unauthorized public cloud storage, or other servers is prohibited.

2.5 Access Control

All users must set passwords with:

Minimum length of 12 characters
No inclusion of any part of the username
Combination of uppercase and lowercase letters, numbers, and special characters
Mandatory password updates every 90 days

Role-Based Access Control (RBAC) is implemented, granting only the minimum permissions required to perform operations.
Multi-Factor Authentication (MFA) is required for all access.
All access activities are timestamped, logged, and regularly audited.

3. Processing and Usage

3.1 Usage Restrictions

Data is used only for explicitly authorized purposes, including:

Order retrieval
Order fulfillment
Advertising data statistics and analysis
Product inventory management
Performance reporting

Use of Amazon data for machine learning training or other unauthorized analytical purposes is prohibited.

3.2 Data Anonymization

Development and testing environments must use anonymized data. The use of real PII data and Amazon data is prohibited.
When displaying order information, partial addresses and contact details are hidden by default (e.g., only showing the city and first initial of the last name).

3.3 Third-Party Sharing

Logistics providers: Only the minimum dataset necessary for delivery (e.g., shipping address, contact information) is shared.
Financial audits: Only de-identified aggregate data is provided.
All third-party data sharing must be governed by a Data Processing Agreement (DPA) that clearly defines security responsibilities.

3.4 Data Retention and Deletion

PII data: Retained for only 7 days after order delivery.

Log data:

Operational logs retained for 4 months
Security logs retained for 1 year

Deletion operations are performed using secure deletion scripts with secondary confirmation and are timestamped and logged.
Paper documents are destroyed using shredders.
Storage media is securely wiped before physical destruction.

3.5 Deletion Requests

If Amazon issues a notice requiring deletion of information within 30 days of the request, such information must be permanently and securely deleted in accordance with the notice, unless retention is required by law (including tax or regulatory requirements).
Secure deletion must be performed in accordance with NIST 800-88 industry-standard sanitization processes.

4. Auditing and Monitoring

4.1 Logging

All data access, modification, and deletion operations are logged.
Logs must include:

Operator
Timestamp
Operation type
Affected data identifiers

Logs must not contain PII data.

4.2 Monitoring

A SIEM system is used to analyze security events in real time.
Alerts are configured for anomalous behavior (e.g., bulk data exports, access during non-business hours, unauthorized access).

4.3 Audit Mechanisms

Quarterly internal security audits are conducted.
Annual third-party security audits are performed by Amazon-approved security agencies.

5. Organizational Management

5.1 Responsibilities

Data Protection Officer (DPO): Oversees policy implementation and handles data subject requests.
Security team: Implements technical controls and responds to security incidents.
Development team: Follows secure development practices.
Operations team: Manages daily data operations and monitors system performance.

5.2 Employee Management

Background checks: All employees with access to Amazon data must undergo background checks.
Non-Disclosure Agreements (NDAs): All employees must sign NDAs.
Security training: Annual data protection training and security training for new hires.

5.3 Incident Response

5.3.1 Incident Classification:

Level 1: Data breaches, system intrusions
Level 2: Unauthorized access, policy violations
Level 3: Configuration errors, minor violations

5.3.2 Response Process:

Incident confirmation within 2 hours.
Reporting of major incidents to Amazon's security team (via email to security@amazon.com) within 24 hours.
Preliminary investigation report provided within 72 hours.

5.3.3 Remediation Measures:

Immediate isolation of affected systems.
Reset of potentially compromised credentials.
Notification of affected data subjects (if applicable).

5.4 Vulnerability Management

Vulnerability scans are conducted every 180 days.
Penetration testing is performed at least every 365 days.
Vulnerabilities are assessed and classified based on impact to business and third parties to determine response priority.
Critical vulnerabilities: Remediated within 3 days
Medium vulnerabilities: Remediated within 30 days
Low vulnerabilities: Remediated within 60 days
Vulnerabilities are closed only after confirmation of remediation.

6. Third-Party Management

6.1 Vendor Assessment

All third-party service providers must pass security assessments before engagement.
Contracts must include data protection clauses.

6.2 Ongoing Oversight

Annual on-site or remote security audits are conducted for critical vendors.
Vendors must report security incidents within 4 hours of discovery.