The Data Protection Policy ("DPP") governs the treatment (e.g., receipt,
storage, usage, transfer, and disposition) of the data vended and retrieved through
the Marketplace APIs (including the Marketplace Web Service APIs). This Policy
supplements the Amazon Marketplace Developer Agreement and the Acceptable Use
Policy. Failure to comply may result in suspension or termination of
Marketplace API access.
Definitions
"Application" means a software application or website that interfaces with the
Marketplace APIs.
"Amazon Information" means any information that is exposed by Amazon through
the Marketplace APIs, Seller Central, or Amazon's public-facing websites. This data
can be public or non-public, including Personally Identifiable Information about
Amazon customers.
"Customer" means any person or entity who has purchased items or services from
Amazon's public-facing websites.
"Developer" means any person or entity (including you, if applicable) that
uses the Marketplace APIs for the purpose of integrating or enhancing a third-party
Seller's systems with the features and functionality permitted by Amazon to be
accessed through the Marketplace APIs.
"Personally Identifiable Information" ("PII") means information that can be
used on its own or with other information to identify, contact, or locate an
individual (e.g., Customer or Seller), or to identify an individual in context. This
includes, but is not limited to, a Customer or Seller's name, address, e-mail
address, phone number, gift message content, survey responses, payment details,
purchases, cookies, digital fingerprint (e.g., browser, user device), IP Address,
geo-location, or Internet-connected device product identifier.
"Security Incident" means any actual or suspected unauthorized access,
collection, acquisition, use, transmission, disclosure, corruption, or loss of
Amazon Information, or breach of any environment (i) containing Amazon Information,
or (ii) managed by a Developer with controls substantially similar to those
protecting Amazon Information.
"Seller" means any person or entity (including you, if applicable) selling on
Amazon's public-facing websites.
General Security Requirements
Consistent with industry-leading security standards and other requirements specified
by Amazon based on the classification and sensitivity of Amazon Information,
Developers will maintain physical, administrative, and technical safeguards, and
other security measures (i) to maintain the security and confidentiality of Amazon
Information accessed, collected, used, stored, or transmitted by a Developer, and
(ii) to protect that information from known or reasonably anticipated threats or
hazards to its security and integrity, accidental loss, alteration, disclosure, and
all other unlawful forms of processing. Without limitation, the Developer will
comply with the following requirements:
- Network Protection. Developers must implement network protection controls
(e.g., AWS VPC subnet/Security Groups, network firewalls) to deny access to
unauthorized IP addresses.
- Access Management. Developers must assign a unique ID to each person with
computer access to Amazon Information. Developers must not create or use
generic, shared, or default login credentials or user accounts. Developers must
implement baselining mechanisms to ensure that at all times only the required
user accounts access Amazon Information. Developers must review the list of
people and services with access to Amazon Information on a regular basis (at
least quarterly), and remove accounts that no longer require access. Developers
will maintain and enforce "account lockout" by detecting anomalous usage
patterns and log-in attempts, and disabling accounts with access to Amazon
Information as needed.
- Encryption in Transit. Developers must encrypt all Amazon Information in
transit (e.g., when the data traverses a network, or is otherwise sent between
hosts. This can be accomplished using HTTP over TLS (HTTPS). Developers must
enforce this security control on all applicable external endpoints used by
customers as well as internal communication channels (e.g., data propagation
channels among storage layer nodes, connections to external dependencies) and
operational tooling. Developers must disable communication channels which do not
provide encryption in transit even if unused (e.g., removing the related dead
code, configuring dependencies only with encrypted channels, and restricting
access credentials to use of encrypted channels). Developers must use data
message-level encryption (e.g., using AWS Encryption SDK) where channel
encryption (e.g., using TLS) terminates in untrusted multi-tenant hardware
(e.g., untrusted proxies).
- Incident Response Plan. Developers must create and maintain a plan and/or
runbook to detect and handle Security Incidents. Such plans must identify the
incident response roles and responsibilities, define incident types that may
impact Amazon, define incident response procedures for defined incident types,
and define an escalation path and procedures to escalate Security Incidents to
Amazon. Developers must review and verify the plan every six (6) months and
after any major infrastructure or system change. Developers must investigate
each Security Incident, and document the incident description, remediation
actions, and associated corrective process/system controls implemented to
prevent future recurrence (if applicable). Developers must maintain the chain of
custody for all evidences or records collected, and such documentation must be
made available to Amazon on request (if applicable).
Developers must inform
Amazon (via email to security@amazon.com) within 24 hours of detecting any
Security Incidents. Developers cannot notify any regulatory authority, nor
any customer, on behalf of Amazon unless Amazon specifically requests in
writing that the Developer do so. Amazon reserves the right to review and
approve the form and content of any notification before it is provided to
any party. Developers must inform Amazon within 24 hours when their data is
being sought in response to legal process or by applicable law.
- Request for Deletion or Return. Developers must promptly (but within no
more than 72 hours after Amazon's request), permanently, and securely delete (in
accordance with industry-standard sanitization processes, e.g., NIST 800-88) or
return Amazon Information upon and in accordance with Amazon's notice requiring
deletion and/or return. Developers must also permanently and securely delete all
live (online or network accessible) instances of Amazon Information within 90
days after Amazon's notice. If requested by Amazon, the Developer will certify
in writing that all Amazon Information has been securely destroyed.
Additional Security Requirements Specific to Personally Identifiable
Information
The following additional Security Requirements must be met for all Personally
Identifiable Information ("PII") (see PII definition in Section 1). If a Marketplace
API contains PII, or PII is combined with non-PII, then the entire data store must
comply with the following requirements:
- Data Retention and Recovery. Developers will retain PII only for the
purpose of, and as long as is necessary to fulfill orders (no longer than 30
days after order shipment), or to calculate/remit taxes. If a Developer is
required by law to retain archival copies of PII for tax or similar regulatory
purposes, this archived Amazon Information must be stored as a "cold" or offline
(e.g., not available for immediate or interactive use) backup stored in a
physically secure facility, and all archived data on backup media must be
encrypted. In the event that PII is lost, you must be able to recover all PII
lost (i.e., the data is erased or unavailable for processing due to system crash
or ransomware).
- Data Governance. Developers must create, document, and abide by a privacy
and data handling policy for their Applications or services which govern the
appropriate conduct and technical controls to be applied in managing and
protecting information assets. A record of data processing activities such as
specific data fields and how they are collected, processed, stored, used,
shared, and disposed for all Amazon Information should be maintained to
establish accountability and compliance with regulations. Developers must
establish and abide by their privacy policy for customer consent and data rights
to access, rectify, erase, or stop sharing/processing their information where
applicable or required by data privacy regulation.
- Encryption and Storage. Developers must encrypt all PII at rest (e.g.,
when the data is persisted). The cryptographic materials (e.g.,
encryption/decryption keys) and cryptographic capabilities (e.g., daemons
implementing virtual Trusted Platform Modules and providing
encryption/decryption APIs) used for encryption of PII at rest must be only
accessible to the Developer's processes and services. Developers must not store
PII in removable media (e.g., USB) or unsecured public cloud applications (e.g.,
public links made available through Google Drive). Developers must securely
dispose of any printed documents containing PII.
- Least Privilege Principle. Developers must implement fine-grained access
control mechanisms to allow granting rights to any party using the Application
(e.g., access to a specific set of data at its custody) and the Application's
operators (e.g., access to specific configuration and maintenance APIs such as
kill switches) following the principle of least privilege. Application sections
or features that vend PII must be protected under a unique access role, and
access should be granted on a "need-to-know" basis.
- Logging and Monitoring. Developers must gather logs to detect
security-related events (e.g., access and authorization, intrusion attempts,
configuration changes) to their Applications and systems. Developers must
implement this logging mechanism on all channels (e.g., service APIs,
storage-layer APIs, administrative dashboards) providing access to Amazon
Information. All logs must have access controls to prevent any unauthorized
access and tampering throughout their lifecycle. Logs themselves should not
contain PII and must be retained for at least 90 days for reference in the case
of a Security Incident. Developers must build mechanisms to monitor the logs and
all system activities to trigger investigative alarms on suspicious actions
(e.g., multiple unauthorized calls, unexpected request rate and data retrieval
volume, and access to canary data records). Developers should perform
investigation when monitoring alarms are triggered, and this should be
documented in the Developer's Incident Response Plan.
Audit
Developers must maintain all appropriate books and records reasonably required to
verify compliance with the Acceptable Use Policy, Data Protection Policy, and Amazon
Marketplace Developer Agreement during the period of this agreement and for 12
months thereafter. Upon Amazon's written request, Developers must certify in writing
to Amazon that they are in compliance with these policies.
Upon request, Amazon may, or may have an independent certified public accounting firm
selected by Amazon, audit and inspect the books, records, facilities, operations,
and security of all systems that are involved with a Developer's application in the
retrieval, storage, or processing of Amazon Information. Developers must cooperate
with Amazon or Amazon's auditor in connection with the audit, which may occur at the
Developer's facilities and/or subcontractor facilities. If the audit reveals
deficiencies, breaches, and/or failures to comply with our terms, conditions, or
policies, the Developer must, at its sole cost and expense, take all actions
necessary to remediate those deficiencies within an agreed-upon timeframe, and may
be asked to reimburse Amazon in full for all reasonable costs incurred by Amazon.