Data Protection Policy
Personally Identifiable Information (PII)
This Data Protection Policy governs the treatment and use of all data (e.g. receipt, storage, usage, transfer, and disposition) collected and retrieved by Selleetools through Amazon Marketplace APIs.
Application – refers to the Selleetools application that connects to Amazon Marketplace APIs for data processing.
Amazon Data – means any information Amazon discloses about its customers and products through Marketplace APIs, Seller Central, or Amazon’s public sites. This data may be public or non-public, including Personally Identifiable Information.
Customer – means any person or entity that has purchased products or services from Amazon’s public websites.
Personally identifiable information (PII) – means information that can be used alone or in combination with other information to identify, contact or locate a person. This includes, but is not limited to, Customer or Reseller name, address, email address, telephone number, payment details, purchases, cookies, digital fingerprint (information extracted from browser and user device), IP address or geographic location.
Security Incident – means the actual or alleged unauthorized access, collection, acquisition, use, transmission, disclosure, corruption or loss of Amazon Data.
General Security Policies
In accordance with industry-leading security standards and other requirements as determined by Amazon based on the classification and sensitivity of Data, Selleetools maintains robust physical, administrative, and technical safeguards and other security measures to protect Amazon Data accessed, collected, used, stored, or transmitted by Selleetools against known or reasonably anticipated threats or hazards to its security and integrity, accidental loss, alteration, disclosure, and all other unlawful forms of processing. These measures are designed to maintain the confidentiality of Amazon Data in accordance with industry-leading security standards and other requirements specified by Amazon based on the classification and sensitivity of the information. In addition, Selleetools is committed to complying with all relevant policies to ensure the security and protection of Amazon Data. Selleetools complies with the following policies:
- Network Protection.
To ensure security and protection, Selleetools has implemented AWS VPC subnet/Security Groups and network firewall controls on all of our Application servers and systems. These controls are designed to deny access from unauthorized IP addresses and allow public access only to approved users.
- Access Management.
In the Selleetools Application, we assign a unique ID to each individual with computer access to Amazon Data and prohibit the use of generic, shared, or default login credentials or user accounts. We have implemented baselining mechanisms to ensure that only the necessary user accounts have access to Amazon Data at all times. We review the list of individuals and services with access to Amazon Information on a monthly basis and remove any accounts that are no longer needed. We also prohibit employees from accessing or storing Amazon Data on personal devices and enforce “account lockout” by detecting unusual usage patterns and login attempts and disabling accounts with access to Amazon Data as needed.
- Encryption in Transit.
The Selleetools Application uses encryption to protect Amazon Data in transit when it is sent between hosts over a network or using HTTP over TLS (HTTPS). This security measure is enforced on all external endpoints used by customers as well as internal communication channels and operational tooling. We do not use communication channels that do not provide encryption in transit, even if they are not currently in use. Additionally, the Selleetools Application uses message-level encryption when channel encryption ends in untrusted multi-tenant hardware.
- Incident Response Plan.
The Selleetools Incident Response Plan includes response roles and responsibilities and steps for detecting and handling various types of Security Incidents that may impact Amazon Data. The plan defines incident response procedures for specific incident types and an escalation path and procedures for escalating Security Incidents to Amazon. It is reviewed every six months and after any major infrastructure or system changes. We investigate each security incident, document the incident description, remediation actions, and corrective process/system controls implemented to prevent future recurrences (if applicable), and maintain the chain of custody for all records collected. This documentation is made available to Amazon upon request.
As outlined in our Incident Response Plan and in accordance with Amazon’s Data Protection Policy, Selleetools will inform Amazon (via email to firstname.lastname@example.org) within 24 hours of detecting any security incidents. We will not notify any regulatory authority or customer on behalf of Amazon unless specifically requested to do so in writing. Amazon has the right to review and approve the form and content of any notification before it is provided to any party, unless required by law. In such cases, Amazon has the right to review the form and content of the notification before it is provided to any party. Additionally, we will inform Amazon within 24 hours when their data is being sought in response to legal process or by applicable law.
- Request for Deletion or Return.
Within 72 hours of being requested by Amazon, Selleetools will permanently delete (in accordance with industry-standard sanitization processes) or return Amazon Data in accordance with Amazon’s notice requiring deletion and/or return. Selleetools will permanently and securely delete all live instances of Amazon Data within 90 days after Amazon’s notice. If requested, we will provide written certification that all Amazon Data has been securely destroyed.
Additional Security Policies Specific to Personally Identifiable Information
The Selleetools Application, in relation to the Amazon Marketplace API, contains both PII and non-PII data. The following additional Security Policies apply to all Personally Identifiable Information (PII):
- Data Retention and Recovery.
We do not use Personally Identifiable Information for any purposes other than to fulfill orders. PII is retained for no more than a 30-day hold period from shipment and online delivery confirmation to the customer. Selleetools is not legally obligated to keep archival copies of Personally Identifiable Information; therefore, beyond the 30-day hold period, we do not store any backup media for PII data. To guard against loss, deletion or inability to process Personally Identifiable Information due to system failure or ransomware during the 30-day hold period, Selleetools keeps a backup of all PII data. This copy is encrypted and meets all the security requirements outlined in this policy. All backups are purged along with the original at the end of the 30-day hold period.
- Data Governance.
- Encryption and Storage.
At Selleetools, we use industry-standard AES-256 encryption to secure all personal information (PII) at rest. Only our system processes and services have access to the cryptographic materials and capabilities required for this encryption. In addition, we do not store PII on removable media or in unsecured public cloud applications, and we never print documents containing PII on paper. By following these measures, we ensure the protection and confidentiality of PII.
- Least Privilege Principle.
At Selleetools, we carefully control access to the application and its data, following the principle of least privilege. This means that we only grant rights to parties using the application, as well as its operators, on a “need-to-know” basis. Any sections or features of the application that contain personal information (PII) are protected by a unique access role, ensuring that access is limited to those who have a legitimate reason to access the data.
- Logging and Monitoring.
Selleetools gathers logs to detect security-related events, such as access and authorization issues or intrusion attempts, across all channels providing access to Amazon Data. These logs are only accessible by authorized personnel and do not contain personal information (PII). They are retained for 90 days as a reference in case of a security incident. To ensure the security and integrity of our systems, we have a runbook that includes regular monitoring of logs and system activities. In addition to regular review, our monitoring includes real-time notifications via email, phone call, and SMS if suspicious activity is detected. If an alert is triggered, we follow our Incident Response Plan to address the issue.
To ensure compliance with Amazon’s Acceptable Use Policy, Data Protection Policy, and Marketplace Developer Agreement, Selleetools maintains all necessary records for the duration of this agreement and for 12 months thereafter. If requested in writing by Amazon, we will provide written certification of our compliance with these policies.