Amazon Data Protection Policy
This Data Protection Policy ("DPP") governs the treatment (e.g., collect, process, store, use, share and dispose) of the data collected and retrieved by https://sellersoft.com (Sellersoft S2).
Data Governance
Sellersoft's Privacy and Data Processing Policy sets forth the appropriate behavioral and technical controls to be applied when managing and protecting information assets. Sellersoft maintains an inventory of software and physical assets (e.g., computers, mobile devices) that have access to PII and updates it regularly. Records of data processing activities, such as specific data fields and how all PII information is collected, processed, stored, used, shared and disposed of, should be maintained to establish accountability and regulatory compliance. In accordance with the Privacy Policy, Sellersoft may correct, delete, or stop sharing/processing customer information (as applicable).
Encryption and Storage
All PII is encrypted at rest using industry best practice standards (AES-128, AES-256, or RSA with 2048-bit key size (or higher)), depending on the specific server configuration. The cryptographic material (e.g., encryption/decryption keys) and encryption capabilities used for static PII encryption can only be accessed by processes and services. PII is not stored on removable media (e.g., USB) or insecure public cloud applications (e.g., public links provided through Google Drive). Any printed files containing PII should be disposed of securely.
Least Privilege Principle
Sellersoft has implemented fine-grained access control mechanisms that allow rights to be granted on a least privilege basis to any party using the application (e.g., access to a specific data set in its custody) and to the application's operators (e.g., access to specific configuration and maintenance APIs, such as kill switches). Parts or functions of the application that handle PII must be protected under a unique access role, and access rights should be granted on a "need to know" basis.
Logging and Monitoring
Sellersoft collects logs to detect security-related events (e.g., access and authorization, intrusion attempts, configuration changes) for applications and systems. Sellersoft implements this logging mechanism on all channels that provide access to Amazon information (e.g., service APIs, storage tier APIs, management dashboards). All logs must have access controls to prevent any unauthorized access and tampering throughout their lifecycle. The logs themselves should not contain PII and must be retained for at least 90 days for reference in the event of a security incident. Sellersoft has mechanisms to monitor the logs and all system activity to trigger investigative alerts for suspicious behavior (e.g., multiple unauthorized calls, unexpected request rates and data retrieval volumes, and access to canary data records). When a monitoring alert is triggered, Sellersoft should investigate, and this should be documented in the incident response plan.
Network Protection
Sellersoft has implemented network protection controls to deny access to unauthorized IP addresses, and public access must be restricted to approved users only.
Access Management
Sellersoft assigns a unique ID to each person with computer access to Amazon information. People with access to data do not create or use generic, shared or default login credentials or user accounts. Sellersoft periodically (at least quarterly) reviews the list of people and services with access to Amazon information and removes accounts that no longer require access. Sellersoft restricts employees from storing Amazon data on their personal devices. Sellersoft will maintain and enforce "account lockdown" by detecting unusual usage patterns and login attempts, and disable accounts that have access to Amazon information as needed.
Encryption in Transit
Sellersoft encrypts all Amazon messages during transmission (e.g., when data traverses the network, or is otherwise sent between hosts). This is done using HTTP over TLS (HTTPS). Sellersoft enforces this security control on all applicable external endpoints used by customers as well as internal communication channels (e.g., data propagation channels between storage tier nodes, connections to external dependencies) and operational tools. Sellersoft disables communication channels that do not provide in-transit encryption, even if the channels are unused (e.g., removing associated dead code, configuring dependencies with encrypted channels only, and restricting access credentials to encrypted channels). Sellersoft uses data message-level encryption where channel encryption (e.g., using TLS) terminates in untrusted multi-user hardware (e.g., untrusted proxies).
Incident Response Plan
Sellersoft owns and maintains a plan for detecting and handling security incidents. Such a plan identifies roles and responsibilities for incident response, defines the types of incidents that may affect Amazon, defines incident response procedures for the defined incident types, and defines escalation paths and procedures for escalating security incidents to Amazon. Sellersoft reviews and verifies the plan every six (6) months and after any significant infrastructure or system changes. Sellersoft investigates each security incident and documents the incident description, remediation and associated corrective processes/system controls to prevent future recurrence. Sellersoft will notify Amazon within 24 hours of detecting any security incident.
Request for Deletion or Return
Sellersoft permanently and securely removes (in accordance with industry standard sanitization procedures, such as NIST 800-88) or returns Amazon information within no more than 72 hours of Amazon's request and in accordance with Amazon's notice of request for removal and/or return. Sellersoft also permanently and securely removes all real-time (online or web-accessible) instances.
Audit
Sellersoft maintains all appropriate books and records reasonably required to verify compliance with Amazon's Acceptable Use Policy, Data Protection Policy, and the Amazon Marketplace Developer Agreement during the period of this agreement and for 12 months thereafter. Upon Amazon's written request, Sellersoft will certify in writing to Amazon that we are in compliance with these policies.
Definitions
"Amazon Information" means any information that is exposed by Amazon through the Marketplace APIs, Seller Central, or Amazon's public-facing websites. This data can be public or non-public, including Personally Identifiable Information about Amazon customers.
"Customer" means any person or entity who has purchased items or services from Amazon's public-facing websites.
"Security Incident" means any actual or suspected unauthorized access, collection, acquisition, use, transmission, disclosure, corruption, or loss of Amazon Information, or breach of any environment containing Amazon Information, or managed by Sellersoft with controls substantially similar to those protecting Amazon Information.
"Seller" means any person or entity selling on Amazon's public-facing websites.
"Sellersoft" means the company Sellersoft Inc., which owns https://sellersoft.ca, or its managers, or the services depending on the context.
Contact Information
If you have any questions about this Privacy Policy, please contact us via email.