Data Protection Policy
Welcome to the Data Protection Policy (“DPP”), which establishes the requirements for Solution Providers – third party Developers and Service Providers (collectively, “Solution Providers”) – regarding the receipt, storage, usage, transfer, and disposal of Information, including all data accessed through the Amazon Services API.
This policy governs how Solution Providers must handle data to ensure the protection of Amazon sellers and vendors (“Amazon Partners”) and their customers’ information.
This policy is applicable to all systems that store, process, or otherwise handle data vended and retrieved from the Amazon Services API. This Policy supplements the Amazon Solution Provider Agreement and the Acceptable Use Policy.
Failure to comply with this DPP may result in suspension or termination of Amazon Services API access in accordance with the Amazon Services API Developer Agreement.
1. General Security Requirements
Consistent with industry-leading security, Solution Provider will maintain physical, administrative, and technical safeguards, and other security measures:
(i) to maintain the security and confidentiality of Information accessed, collected, used, stored, or transmitted by a Solution Provider, and
(ii) to protect that Information from known or reasonably anticipated threats or hazards to its security and integrity, accidental loss, alteration, disclosure, and all other unlawful forms of processing.
Without limitation, the Solution Provider will comply with the following requirements:
1.1 Network Protection
Solution Provider must implement network protection controls including network firewalls and network access control lists to deny access to unauthorized IP addresses.
Solution Provider must implement network segmentation, intrusion detection and prevention mechanisms (including defense in depth methods to complement a firewall’s rulesets, and using IDS and/or IPS signature pattern-based mechanisms to identify and prevent malicious behavior transiting the network), and anti-virus and anti-malware tools that are updated and run periodically (at least monthly).
Solution Provider must implement controls to prevent employees from disabling anti-virus software on their systems.
Solution Provider must restrict systems access only to approved internal employees who have coding and development responsibilities, and who have previously completed data protection and IT security awareness trainings (“Approved Users”).
Solution Provider must maintain secure coding practices, and conduct data protection and IT security awareness trainings for Approved Users on at least an annual basis.
1.2 Access Management
Solution Provider must establish a formal user access registration process to assign access rights for all user types and services by ensuring that a unique ID is assigned to each person with computer access to Information.
Solution Provider must not create or use generic, shared, or default login credentials or user accounts and must prevent user accounts from being shared.
Solution Provider must implement baselining mechanisms to ensure that at all times only the required user accounts access Information.
Solution Provider must restrict employees and contractors from storing Information on personal devices.
Solution Provider will maintain and enforce “account lockout” by detecting anomalous usage patterns and log-in attempts, and disabling accounts with access to Information.
User accounts must be locked out after 10 or fewer unsuccessful login attempts.
Solution Provider must review the list of people and services with access to Information at least quarterly.
Solution Provider must ensure that access is disabled and/or removed within 24 hours for terminated employees.
1.3 Least Privilege Principle
Solution Provider must implement fine-grained access control mechanisms to allow granting rights to any party using the Application and the Application’s authorized operators following the principle of least privilege.
Access to Information must be granted on a “need-to-know” basis.
1.4 Credential Management
Solution Provider must establish minimum password requirements for personnel and systems with access to Information.
Passwords must be a minimum of twelve (12) characters, must not include any part of the user’s name, and must include a mix of upper-case letters, lower-case letters, numbers, and special characters, with a minimum count required for each character class.
Solution Provider must establish a minimum password age of one (1) day and a maximum password age of 365 days for all users.
Password history must be maintained to prevent reuse of the last 10 passwords.
Solution Provider must ensure that Multi-Factor Authentication (MFA) is required for all user accounts.
Solution Provider must ensure that API keys provided by Amazon are encrypted and only required employees have access to them.
API keys and associated credentials must be rotated at minimum once every 12 months.
1.5 Encryption in Transit
Solution Provider must encrypt all Information in transit with secure protocols such as TLS 1.2+, SFTP, and SSH-2.
Solution Provider must enforce this security control on all applicable internal and external endpoints.
Solution Provider must use message-level encryption of the data where channel encryption (e.g., TLS) terminates in untrusted multi-tenant hardware (e.g., untrusted proxies), so that the intermediary never sees plaintext Information.
1.6 Risk Management and Incident Response Plan
Solution Provider must have a risk assessment and management process that is reviewed by the Solution Provider’s senior management annually, which includes, but is not limited to, assessment of potential threats and vulnerabilities as well as likelihood and impact in order to track known risks.
Solution Provider must create and maintain a plan and/or runbook to detect and handle Security Incidents.
Such plans must:
- Identify the incident response roles and responsibilities
- Define incident types that may affect Amazon
- Define incident response procedures for defined incident types
- Define an escalation path and procedures to escalate Security Incidents to Amazon
Solution Provider must review and verify the plan every six (6) months and after any major infrastructure or system change, including changes to the system, controls, operational environments, risk levels, and supply chain.
Solution Provider must notify Amazon (via email to security@amazon.com) within 24 hours of detecting a Security Incident.
It is the Solution Provider’s sole responsibility to inform relevant government or regulatory agencies as required by applicable local laws.
Solution Provider must investigate each Security Incident, and document:
- The incident description
- Remediation actions
- Corrective process/system controls implemented to prevent future recurrence
Solution Provider must maintain the chain of custody for all evidence or records collected, and such documentation must be made available to Amazon upon request (if applicable).
If a Security Incident has occurred, Solution Provider cannot represent or speak on behalf of Amazon to any regulatory authority or customers unless Amazon specifically requests in writing that the Solution Provider do so.
Solution Provider should identify and designate an Incident Management Point of Contact (IMPOC) who can be contacted in the event of any incident, such as a data leakage or security breach.
1.7 Request for Deletion
Solution Provider must permanently and securely delete Information within 30 days of Amazon’s notice requiring deletion, and in accordance with that notice, unless the data is necessary to meet legal requirements, including tax or regulatory requirements.
Solution Provider must delete non-PII data within 18 months unless required for longer retention by applicable laws or regulations.
Secure deletion must occur in accordance with industry-standard sanitization processes such as NIST 800-88.
Solution Provider must also permanently and securely delete all live (online or network accessible) instances of Information 90 days after Amazon’s notice.
If requested by Amazon, the Solution Provider will certify in writing that all Information has been securely destroyed.
1.8 Data Attribution
Solution Provider must store Information in a separate database or implement a mechanism to tag and identify the origin of all data in any database that contains Information.
2. Additional Security Requirements Specific to Personally Identifiable Information
The following additional Security Requirements must be met for Personally Identifiable Information (“PII”).
PII is granted to Solution Provider for select tax and merchant fulfilled purposes…shipping purposes, on a must-have basis.
If an Amazon Services API contains PII, or PII is combined with non-PII, then the entire data store must comply with the following requirements:
2.1 Data Retention
Solution Provider will retain PII for no longer than 30 days after order delivery and only for the purpose of, and as long as is necessary to:
(i) fulfill orders,
(ii) calculate and remit taxes,
(iii) produce tax invoices and other legally required documents, and
(iv) meet legal requirements, including tax or regulatory requirements.
Solution Provider may retain data for over 30 days after order delivery only if required by law and only for the purposes of complying with that law.
Per sections 1.5 (“Encryption in Transit”) and 2.4 (“Encryption at Rest”), at no point should PII be transmitted or stored unprotected.
2.2 Data Governance
Solution Provider must create, document, and abide by a privacy and data handling and classification policy for their Applications or services, which govern the appropriate conduct and technical controls to be applied in managing and protecting information assets.
A record of data processing activities such as specific data fields and how they are collected, processed, stored, used, shared, and disposed for all PII should be maintained to establish accountability and compliance with regulations.
Solution Provider must establish a process to detect and comply with privacy and security laws and regulatory requirements applicable to their business and retain documented evidence of their compliance.
Solution Provider must establish and abide by their privacy policy for customer consent and data rights to access, rectify, erase, or stop sharing/processing their information where applicable or required by data privacy regulation.
Solution Provider must have technical and organizational processes and systems in place for assisting Authorized Users with data subject access requests.
Solution Provider must include contractual provisions in employment contracts with employees that process PII to maintain confidentiality of PII.
2.3 Asset Management
Solution Provider must maintain baseline standard configuration for information systems and install patches, updates, defect fixes, and upgrades on a regular basis.
Solution Provider must maintain, and update quarterly, an accurate inventory of software and physical assets (e.g., computers, mobile devices) with access to PII, which should include all devices in the Solution Provider’s environment along with the status of maintenance of each device to ensure compliance against the baseline.
Solution Provider must maintain a change management process for all information systems, such that software and hardware with access to PII are tested, verified, and approved, with a segregation of duties between change approvers and those testing the changes before implementation.
Physical assets that store, process, or otherwise handle PII must abide by all of the requirements set forth in this policy.
Solution Provider must not store PII in removable media, personal devices, or unsecured public cloud applications (e.g., public links made available through Google Drive) unless it is encrypted using at least AES-128 or RSA-2048 bit keys or higher.
Solution Provider must securely dispose of any printed documents containing PII.
Solution Provider must implement data loss prevention (DLP) controls in place to monitor and detect unauthorized movement of data.
2.4 Encryption at Rest
Solution Provider must encrypt all PII at rest using at least AES-128 or RSA with 2048-bit key size or higher.
The cryptographic materials (e.g., encryption/decryption keys) and cryptographic capabilities (e.g., daemons implementing virtual Trusted Platform Modules and providing encryption/decryption APIs) used for encryption of PII at rest must be only accessible to the Solution Provider’s processes and services.
Solution Provider must implement a Key Management System (KMS) that covers the complete key lifecycle management including key generation, exchange, secure storage, and processes for key revocation and rotation in accordance with industry best practices.
2.5 Secure Coding Practices
Solution Provider must not hardcode sensitive credentials in their code, including encryption keys, secret access keys, or passwords.
Sensitive credentials must not be exposed in public code repositories.
Solution Provider must maintain separate test and production environments.
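The "no hardcoded credentials" and "not exposed in public repositories" requirements above are easiest to enforce mechanically, before code is pushed. The following is an added example, not code from this policy or from Amazon, of a minimal secret scanner that a Solution Provider could run as a pre-commit or CI check. It applies three rules to each source line: the well-known shape of an AWS access key ID, an assignment of a credential-named variable to a string literal, and a Shannon-entropy test for long random-looking literals. The sample source text, the variable names in it, and the 4.5 bits-per-character entropy threshold are constructed for the example (the key shown is AWS's documented placeholder, not a real credential):

```python
import math
import re
from dataclasses import dataclass

# Constructed sample "source file" for this example. The AWS key is the
# documented AKIAIOSFODNN7EXAMPLE placeholder; the other values are made up.
SAMPLE_SOURCE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "hunter2"
client_secret = os.environ["LWA_CLIENT_SECRET"]
api_token = "fZ9Q2xL0mP8vT3kR7wN1sB4yH6jC5dE2"
blob = "q7Xv9Lm2Zr4Tk8Wn1Pc6Yd3Hs5Gf0JbA"
greeting = "hello world"
"""

# Rule 1: AWS access key IDs have a fixed, well-known shape.
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Rule 2: a credential-like variable assigned a non-trivial string literal.
# Reading the value from the environment (os.environ[...]) does not match.
KEYWORD_ASSIGN_RE = re.compile(
    r"(?i)\b\w*(password|passwd|secret|token|api_key|apikey|access_key|private_key)\w*"
    r"\s*[=:]\s*[\"']([^\"']{6,})[\"']"
)
# Rule 3: any long string literal that looks random (high Shannon entropy).
STRING_LITERAL_RE = re.compile(r"[\"']([^\"']{20,})[\"']")
ENTROPY_THRESHOLD_BITS = 4.5  # heuristic assumption; tune per code base


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    excerpt: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character (5.0 for 32 distinct characters)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text: str) -> list:
    """Return one Finding per offending line, using the most specific rule that fires."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = AWS_ACCESS_KEY_RE.search(line)
        if m:
            findings.append(Finding(line_no, "aws_access_key_id", m.group(0)))
            continue
        m = KEYWORD_ASSIGN_RE.search(line)
        if m:
            findings.append(Finding(line_no, "credential_assignment", m.group(1)))
            continue
        for m in STRING_LITERAL_RE.finditer(line):
            literal = m.group(1)
            if shannon_entropy(literal) >= ENTROPY_THRESHOLD_BITS:
                # Never echo the full candidate secret into the scanner's own output.
                findings.append(Finding(line_no, "high_entropy_string", literal[:8] + "..."))
                break
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.rule}: {f.excerpt}")
```

Run against the sample, the scanner flags lines 2, 3, 5 and 6 and leaves the `os.environ` lookup and the ordinary string alone. The entropy rule is deliberately conservative (short literals are skipped) because long English strings sit around 4 bits per character; a production setup would pair a check like this with a dedicated scanner such as gitleaks or trufflehog and a history scan of every repository that has ever held the code.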
2.6 Logging and Monitoring
Solution Provider must gather logs to detect security-related events in their Applications and systems, including success or failure of the event, date and time, access attempts, data changes, and system errors.
Solution Provider must implement this logging mechanism on all channels (e.g., service APIs, storage-layer APIs, administrative dashboards) providing access to Information.
Solution Provider must review logs in real-time (e.g., SIEM tool) or on a bi-weekly basis.
All logs must have access controls to prevent any unauthorized access and tampering throughout their lifecycle.
Logs must not contain PII unless the PII is necessary to meet legal requirements, including tax or regulatory requirements.
Unless otherwise required by applicable law, logs must be retained for at least 12 months for reference in the case of a Security Incident.
Solution Provider must build mechanisms to monitor the logs and all system activities to trigger investigative alarms on suspicious actions (e.g., multiple unauthorized calls, unexpected request rate and data retrieval volume, and access to canary data records).
Solution Provider must implement monitoring alarms and processes to detect if Information is extracted from or can be found beyond its protected boundaries (e.g., Dark Web).
Solution Provider should perform an investigation when monitoring alarms are triggered, and this should be documented in the Solution Provider’s Incident Response Plan.
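The monitoring requirements above name three concrete triggers (multiple unauthorized calls, unexpected request rate, access to canary records) and one constraint on the logs themselves (no PII). The following is an added example, not code from this policy or from Amazon, of detection logic run over a small constructed access log in JSON-lines form. It buckets events per principal and minute, raises an alarm for each trigger, flags any event whose fields carry an e-mail address, and includes the redaction helper a log writer would apply before the line is ever persisted. The field names, the canary record ID, the thresholds and the sample events are all assumptions made for the example:

```python
import json
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample access log (one JSON event per line) for this example.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:00Z","principal":"svc-orders","channel":"service_api","action":"GetOrder","record":"ORD-1001","status":200}
{"ts":"2024-05-01T10:00:05Z","principal":"svc-orders","channel":"service_api","action":"GetOrder","record":"ORD-1002","status":200}
{"ts":"2024-05-01T10:00:10Z","principal":"svc-orders","channel":"service_api","action":"GetOrder","record":"ORD-1003","status":200}
{"ts":"2024-05-01T10:00:15Z","principal":"svc-orders","channel":"service_api","action":"GetOrder","record":"ORD-1004","status":200}
{"ts":"2024-05-01T10:00:20Z","principal":"svc-orders","channel":"service_api","action":"GetOrder","record":"ORD-1005","status":200}
{"ts":"2024-05-01T10:01:00Z","principal":"jdoe","channel":"admin_dashboard","action":"ExportOrders","record":"*","status":403}
{"ts":"2024-05-01T10:01:10Z","principal":"jdoe","channel":"admin_dashboard","action":"ExportOrders","record":"*","status":403}
{"ts":"2024-05-01T10:01:20Z","principal":"jdoe","channel":"admin_dashboard","action":"ExportOrders","record":"*","status":403}
{"ts":"2024-05-01T10:02:00Z","principal":"svc-reports","channel":"storage_api","action":"ReadRow","record":"ORD-CANARY-0001","status":200}
{"ts":"2024-05-01T10:03:00Z","principal":"svc-notify","channel":"service_api","action":"SendEmail","record":"ORD-1006","status":200,"detail":"sent to jane.doe@example.com"}
"""

# Assumed tuning values for the example; real ceilings come from observed baselines.
CANARY_RECORDS = {"ORD-CANARY-0001"}   # planted records that no legitimate workflow reads
MAX_REQUESTS_PER_MINUTE = 4            # expected ceiling for any single principal
MAX_UNAUTHORIZED_PER_MINUTE = 3        # 401/403 responses before we alarm
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


@dataclass(frozen=True)
class Alert:
    kind: str
    principal: str
    detail: str


def redact(value: str) -> str:
    """Apply at log-write time so e-mail addresses never reach storage."""
    return EMAIL_RE.sub("[redacted-email]", value)


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: list) -> list:
    """Evaluate the policy's monitoring triggers over a batch of events."""
    alerts = []
    requests = Counter()      # (principal, minute) -> request count
    unauthorized = Counter()  # (principal, minute) -> 401/403 count
    for ev in events:
        minute = ev["ts"][:16]  # "YYYY-MM-DDTHH:MM" bucket
        key = (ev["principal"], minute)
        requests[key] += 1
        if ev["status"] in (401, 403):
            unauthorized[key] += 1
        if ev.get("record") in CANARY_RECORDS:
            alerts.append(Alert("canary_access", ev["principal"],
                                f"read of canary record {ev['record']} via {ev['channel']}"))
        # The log itself must not carry PII: check every string field.
        for field, value in ev.items():
            if isinstance(value, str) and EMAIL_RE.search(value):
                alerts.append(Alert("pii_in_log", ev["principal"],
                                    f"field {field!r} contains an e-mail address"))
                break
    for (principal, minute), n in sorted(requests.items()):
        if n > MAX_REQUESTS_PER_MINUTE:
            alerts.append(Alert("request_rate", principal, f"{n} requests in {minute}"))
    for (principal, minute), n in sorted(unauthorized.items()):
        if n >= MAX_UNAUTHORIZED_PER_MINUTE:
            alerts.append(Alert("repeated_unauthorized", principal,
                                f"{n} 401/403 responses in {minute}"))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(f"{a.kind:22} {a.principal:12} {a.detail}")
```

On the sample this yields four alerts: the canary read by `svc-reports`, the e-mail address leaked by `svc-notify`, the five-per-minute burst from `svc-orders`, and the three consecutive 403s for `jdoe` on the admin dashboard. Each of those is the starting point of the investigation the policy asks for, so the alert should carry enough context (principal, channel, record, minute) to open a ticket without re-querying the raw log.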
2.7 Vulnerability Management
Solution Provider must create and maintain a plan and/or runbook to detect and remediate vulnerabilities.
Solution Provider must protect physical hardware containing PII from technical vulnerabilities by performing vulnerability scans and remediating appropriately.
Solution Provider must conduct:
- Vulnerability scanning at least every 30 days
- Penetration tests at least every 365 days
- Code vulnerability scans prior to each release
Critical risk impact vulnerabilities must be remediated within 7 days, and high-risk impact vulnerabilities must be remediated within 30 days of discovery.
Solution Provider must have appropriate procedures and plans to restore availability and access to PII in a timely manner in the event of a physical or technical incident.
Solution Provider must maintain a geographically separated secondary/backup site to ensure timely restoration (RTO/RPO) of PII access and availability in the event of a physical or technical incident.
2.8 Subcontractors
Solution Provider must conduct third-party risk assessments of vendors or subcontractors before granting them access to Amazon data, and at least annually thereafter.
3. Audit and Assessment
Solution Provider must maintain all appropriate books and records reasonably required to verify compliance with the Acceptable Use Policy, this DPP, and Amazon Services API Developer Agreement during the period of this agreement and for 12 months thereafter.
Upon Amazon’s written request, Solution Provider must certify in writing to Amazon that they are in compliance with these policies.
Upon reasonable request, Amazon may, or may have an independent certified public accounting firm selected by Amazon, audit, assess, and inspect the books, records, facilities, operations, and security of all systems that are involved with a Solution Provider’s Application in the retrieval, storage, or processing of Information.
Amazon, its Affiliates, agents, representatives, contractors, or subcontractors will keep confidential any non-public information disclosed by a Solution Provider as part of this audit, assessment, or inspection that is designated as confidential or that, given the nature of the information or the circumstances surrounding its disclosure, reasonably should be considered confidential.
Solution Provider must cooperate with Amazon or Amazon’s Affiliates, agents, representatives, contractors, or subcontractors in connection with the audit or assessment, which may occur at the Solution Provider’s facilities and/or subcontractor facilities.
If the audit or assessment reveals deficiencies, breaches, and/or failures to comply with terms, conditions, or policies, the Solution Provider must, at its sole cost and expense, take all actions reasonably necessary to remediate those deficiencies within an agreed-upon time frame.
Upon request, the Solution Provider must provide remediation evidence in the form requested by Amazon (which may include but not be limited to policy, documents, screenshots, or screen sharing of application or infrastructure changes) and obtain written approval on submitted evidence from Amazon before audit or assessment closure.
4. Definitions
“Affiliate” means, with respect to any entity, any other entity that directly or indirectly controls, is controlled by, or is under common control with that entity.
“Amazon Partners” means any Amazon sellers, vendors, supply chain partners, enterprise buyers, and off-Amazon merchants.
“Amazon Services API” means any application programming interface (API) offered by Amazon for the purpose of helping Amazon Authorized Users to programmatically exchange data.
“API Materials” means Materials made available in connection with the Amazon Services API, including APIs, documentation, specifications, software libraries, software development kits, and other supporting materials, regardless of format.
“Application” means a software application or website that interfaces with the Amazon Services API or the API Materials.
“Authorized User” means a user of Amazon’s systems or services who has been specifically authorized by Amazon to use the applicable systems or services.
“Content” means copyrightable works under applicable law and content protected under applicable law.
“Customer” means any person or entity who has purchased items or services from Amazon’s public-facing websites.
“Developer” means any person or entity (including you, if applicable) that uses the Amazon Services API or the API Materials for a permitted use on behalf of an Authorized User.
“Information” means any information that is exposed through the Amazon Services API, Amazon Portals, or Amazon’s public-facing websites. This data can be public or non-public, including Personally Identifiable Information about Amazon Customers.
“Materials” means software, data, text, audio, video, images, or other Content.
“Personally Identifiable Information” (PII) means information that can be used on its own or with other information to identify, contact, identify in context, or locate an Amazon Customer or Authorized User. This includes, but is not limited to, a Customer or Authorized User’s name, address, e-mail address, phone number, gift message content, survey responses, payment details, purchases, cookies, digital fingerprint (e.g., browser, user device), IP Address, geo-location, postal code, or Internet-connected device product identifier.
“Security Incident” means any actual or suspected unauthorized access, collection, acquisition, use, transmission, disclosure, corruption, or loss of Information, or breach of any environment containing Information.
“Service Provider” means an individual or entity (including you, your employees, agents, and contractors, if applicable) that provides services to Amazon Partners.
“Solution Provider” means any third-party Developer who uses the Amazon Services API or API Materials for a permitted use on behalf of an Authorized User, or a Service Provider who provides services or solutions to support Amazon sellers and vendors (collectively, “Amazon Partners”) in their business operations on Amazon’s platforms.
