Amazon Data Protection Policy
Amazon Data Protection Policy
This policy outlines how The Entertainer are compliant with Amazon policies that govern the collection, processing, storage, usage and disposal of Amazon data obtained from Amazon Marketplace Web Service APIs and platform.
This Data Protection Policy governs the treatment (receipt, storage, usage, transfer, and disposition) of all data vended and retrieved through Amazon Marketplace APIs (including the Marketplace Web Service APIs).
Definitions
"Application" refers to the The Entertainer software application as it interfaces with the Amazon Marketplace APIs.
"Amazon Information" means any information that is exposed by Amazon through the Marketplace APIs, Seller Central, or Amazon's public-facing websites. This data includes both public, non-public, and Personally Identifiable Information about Amazon customers.
"Customer" means any person or entity who has purchased items or services from Amazon's public-facing websites.
"Personally Identifiable Information" (PII) means information that can be used on its own or with other information to identify, contact, or locate an individual or to identify an individual in context. This includes, but is not limited to, a Customer or Seller's name, address, e-mail address, phone number, gift message content, survey responses, payment details, purchases, cookies, digital fingerprint (browser, user device, etc), IP Address, geo-location, or Internet-connected device product identifier.
"Security Incident" means any actual or suspected unauthorised access, collection, acquisition, use, transmission, disclosure, corruption, or loss of Amazon Information, or breach of any environment (i) containing Amazon Information, or (ii) managed by The Entertainer with controls substantially similar to those protecting Amazon Information.
General Security Requirements
Consistent with industry-leading security standards and other requirements specified by Amazon based on the classification and sensitivity of Amazon Information, The Entertainer maintain physical, administrative, and technical safeguards, and other security measures (i) to maintain the security and confidentiality of Amazon Information accessed, collected, used, stored, or transmitted by The Entertainer, and (ii) to protect that information from known or reasonably anticipated threats or hazards to its security and integrity, accidental loss, alteration, disclosure, and all other unlawful forms of processing. Without limitation, The Entertainer will comply with the following requirements:
Network Protection
The Entertainer servers and systems implement network protection controls including network firewalls to deny access to unauthorized IP addresses. Public access is restricted only to approved users.
Access Management
Access to Amazon information is strictly limited to users who require access in order to perform specific required tasks and access is limited to only required data. All users are assigned unique logins with no shared logins. Access to Amazon information is logged and monitored.
Access can be revoked at any time if required and access is reviewed regularly (every 90 days). Upon leaving the company Access and User Permissions are revoked within 24hours for them leaving.
No Amazon data is allowed to be stored on removable or personal devices. No PII is ever downloaded to devices.
Systems maintain and enforce "account lockout" by detecting suspicious activity such as multiple failed logins or large number of requests. Account permissions are revoked immediately and investigated by the security team.
Encryption in Transit
All data in transit is encrypted using HTTP over TLS (HTTPS) on The Entertainer systems. And end points only accepted HTTPS connections. There are no instances of data in transit not being encrypted, even unused.
Incident Response Plan
The Entertainer maintains an incident response plan to deal with security incidents, interruption to or degradation of services or systems.
Impact and urgency of incidents are assessed according to set criteria and appropriate staff are informed. The incident could be a support ticket that is resolved or escalated to the Incident Response Management team.
Roles and responsibilities will be defined within the incident response team according to the exact requirements of the nature of the incident. All documentation relating to the incident is stored in the form of support logs and meeting minutes to be made available later if requested by Amazon
In the case of a data breach of sensitive or PII, including Amazon data company Directors will be notified and the incident response team will be convened to triage, identify mitigations and remediation and to develop a communication plan to notify stakeholders. In the case of any Amazon data breach this includes emailing 3psecurity@amazon.com within 24 hours of discovery. No regulatory authority, nor any customers will be notified, on behalf of Amazon unless Amazon specifically requests in writing that The Entertainer do so. These incident response plans are reviewed every 4 months, or in the case of major platform changes, sooner.
Request for Deletion or Return
Within 72 hours of Amazon's request, The Entertainer will permanently and securely delete (in accordance with NIST 800-88 industry-standard sanitization processes) or return Amazon Information in accordance with Amazon's notice requiring deletion and/or return. The Entertainer will also permanently and securely delete all live (online or network accessible) instances of Amazon Information within 90 days after Amazon's notice. If requested by Amazon, The Entertainer will certify in writing that all Amazon Information has been securely destroyed.
Additional Security Requirements Specific to Personally Identifiable Information
The following additional Security Requirements are met for all Personally Identifiable Information ("PII"), including instances where PII is combined with non PII:
Data Retention and Recovery
Amazon PII is stored by The Entertainer on privately hosted servers for the sole purpose of facilitating the management of client orders. Amazon PII is removed from The Entertainer's servers no more than 30 days after the fulfilment of an order. Cancelled orders may have PII removed earlier.
No Amazon PII data is stored in logs or other files.
Data Governance
The Entertainer has an asset management policy defining how the software and physical assets are kept in an inventory and how this is updated as assets are reassigned or added. It also specifies procedures for data cleansing as assets are re-assigned or removed from the inventory. This is reviewed every 6 months and a full asset inventory is performed. The Entertainer also has a publicly available privacy policy stating our compliance to all applicable data privacy regulations.
Encryption and Storage
All PII is encrypted at rest using industry standard AES-256 encryption. No PII is allowed to be stored in external media or unsecured Cloud applications.
The cryptographic materials (e.g., encryption/decryption keys) and cryptographic capabilities used for encryption of PII at rest are only accessible to The Entertainer services processes and services on our privately hosted server. It is prohibited to store PII in removable media (e.g., USB) or unsecured public cloud applications. The Entertainer securely dispose of all printed materials though the 3rd party Simple Shredding service (certificates of shredding are available for review by Amazon if requested). The Entertainer policies strictly prohibit the printing PII not required for order fulfilment (despatch labels).
Least Privilege Principle
Access is provided to developers and employees on a need-to-know basis using fine grained access controls to assign specific roles to minimise access based on the need to perform duties.
Logging and Monitoring
The Entertainer systems logging includes access logs, authorisation attempts, configuration changes. All logs have access controls to prevent unauthorised access and tempering. No PII Is stored in any logs. Logs are retained for 6 months for reference in the case of a Security Incident.
Changes to source code are logged and recorded to specific individual developers.
API logs are stored in databases on our privately hosted dedicated server, no PII data is stored in these logs.
Unauthorised access or unexpected request rates are flagged and suspicious activity is monitored by the security team who will investigate as detailed in the The Entertainer Incident Response Plan.
Audit
The Entertainer will provide Amazon with all records if requested that demonstrate compliance with the Acceptable Use Policy, Data Protection Policy, and Amazon Marketplace Developer Agreement during the period of our agreement with Amazon and for 12 months thereafter. The Entertainer will also co-operate fully with any auditor assigned by Amazon and allow them to inspect the books, records, facilities, operations, and security of all systems that are involved with The Entertainer's application in the retrieval, storage, or processing of Amazon Information. If the audit reveals deficiencies, breaches, and/or failures to comply with Amazon terms, conditions, or policies, The Entertainer will, at its sole cost and expense, take all actions necessary to remediate those deficiencies within an agreed-upon timeframe.