We respect your privacy and are committed to protecting your personal information. This Privacy Policy explains how we collect, use, protect, and share information you provide on our website https://homefashion.com.au ("Site").
We collect personal information when you interact with our websites, such as making a purchase, contacting customer service, or signing up for newsletters. This information may include your name, email address, phone number, and shipping address.
Your information allows us to provide you with a personalized shopping experience, process transactions efficiently, respond to your requests, and communicate with you about our products, services, and promotional offers.
When you make a purchase or leave a review on our website, you have the option to store your name, address, phone number, and other pertinent details in cookies for your convenience. This ensures that you won’t need to re-enter your information each time you place an order. These cookies are designed to last for one year, simplifying your shopping experience.
Upon visiting our login page, a temporary cookie is deployed to verify if your browser is set to accept cookies. This cookie, which holds no personal data, is automatically removed once you close your browser.
Moreover, upon logging in, we establish several cookies to retain your login credentials and preferences for screen display. The login cookie remains active for two days, whereas the cookie for screen options extends for a year. Choosing the “Remember Me” option allows your login details to be preserved for a fortnight. Conversely, logging out of your account will result in the deletion of the login cookie, ensuring your privacy and security.
We do not sell, rent, or share your personal information with third parties for their marketing purposes without your explicit consent. We may share information with service providers who assist in our business operations, such as shipping and payment processing, under strict confidentiality agreements.
We implement a variety of security measures to maintain the safety of your personal information. Our websites use secure sockets layer (SSL) technology to encrypt all personal information before it is transmitted to us.
This policy is applicable to all parties, including but not limited to employees, job candidates, customers, suppliers, and any other entities providing information. All employees of our company and its subsidiaries, as well as external entities such as contractors, consultants, and partners, must adhere to this policy. It encompasses anyone collaborating with or acting on behalf of our company who may require occasional access to data.
As part of our operations, we collect and process data. This includes any offline or online information that makes an individual identifiable, such as names, addresses, usernames, passwords, digital footprints, photographs, social security numbers, and financial data. The following principles guide our handling of data. Our data will:
Be accurate and kept up-to-date
Be collected fairly and for lawful purposes only
Be processed within legal and moral boundaries
Be protected against any unauthorized or illegal access by internal or external parties
Our data will not:
Be communicated informally
Be stored for more than a specified amount of time
Be transferred to organizations, states, or countries lacking adequate data protection policies
Be distributed to any party other than those agreed upon by the data’s owner (excluding legitimate requests from law enforcement authorities)
In addition to our responsibilities in handling data, we have direct obligations to individuals. Specifically, we must:
Let individuals know which of their data is collected
Inform individuals about how we’ll process their data
Inform individuals about who has access to their information
Establish provisions for lost, corrupted, or compromised data
Allow individuals to request modifications, erasure, reduction, or correction of data contained in our databases
To uphold data protection, we are committed to:
Restricting and monitoring access to sensitive data
Developing transparent data collection procedures
Training employees in online privacy and security measures
Building secure networks to protect online data from cyberattacks
Establishing clear procedures for reporting privacy breaches or data misuse
Including contract clauses or communicating statements on how data is handled
Establishing data protection practices such as document shredding, secure locks, data encryption, frequent backups, and access authorization
Our data protection provisions will be made accessible on our website.
All principles described in this policy must be strictly followed. A breach of data protection guidelines will invoke disciplinary and possibly legal action.
Unless otherwise provided in this policy, we will not sell, lease, or otherwise share your personal information. We may share your information with third-party service providers who help us operate our Site and deliver our services.
We may update our Privacy Policy from time to time. We will post the new Privacy Policy on our Site and update the "Last Updated" date. Please review this Privacy Policy regularly to understand how we protect your information.
We reserve the right to modify this Privacy Policy at any time. Any changes will be reflected on this page with an updated revision date.
Email: service@homefashion.com.au
The Data Protection Policy (“DPP”) governs the handling of Information, covering the receipt, storage, use, transfer, and disposal of data obtained and supplied through the Amazon Services API, including the Seller Partner API, via our service. It applies to all systems involved in storing, processing, or managing data derived from the Amazon Services API. This Policy complements the Amazon Services API Developer Agreement and the Acceptable Use Policy.
General Security Requirements
Aligned with top-tier industry security practices, Opal E Commerce Australia Pty Ltd will uphold physical, administrative, and technical safeguards, along with additional security measures. These measures aim to (i) uphold the security and confidentiality of accessed, collected, used, stored, or transmitted Information by a Developer and (ii) shield this Information from known or reasonably anticipated threats, accidental loss, alteration, disclosure, and all other unlawful forms of processing. The Developer commits to complying with the following requirements, among others:
Opal E Commerce Australia Pty Ltd incorporates network protection controls, such as network firewalls and access control lists, to block unauthorized access from specific IP addresses. Opal E Commerce Australia Pty Ltd also applies network segmentation and installs anti-virus and anti-malware software on end-user devices. Additionally, public access is restricted to approved users, and comprehensive data protection and IT security training is provided to all individuals with system access.
Opal E Commerce Australia Pty Ltd maintains a formal user access registration process for assigning access rights across all user types and services. Each individual with computer access to Information is assigned a unique ID. Generic, shared, or default login credentials are neither created nor used, and user accounts are not shared. Baselining mechanisms ensure that only necessary user accounts have access to Information at all times.
Furthermore, Opal E Commerce Australia Pty Ltd restricts employees and contractors from storing Information on personal devices. It maintains and enforces “account lockout” protocols by identifying anomalous usage patterns and log-in attempts and disabling accounts with access to Information as needed. The list of individuals and services with access to Information is reviewed at least quarterly.
In cases of employee termination, Opal E Commerce Australia Pty Ltd will ensure that access is disabled or removed within 24 hours. This meticulous approach to user access management is crucial for maintaining the security and integrity of the Information.
As part of our company policy, we require the implementation of fine-grained access control mechanisms. This ensures the granting of rights to any party utilizing the Application and the authorized operators of the Application, all in accordance with the principle of least privilege. Access to Information will only be granted on a “need-to-know” basis.
As part of our company policy, we are mandated to set minimum password requirements for personnel and systems accessing Information. Passwords must consist of a minimum of twelve (12) characters, must not contain any part of the user’s name, and must include a mix of upper-case letters, lower-case letters, numbers, and special characters, with specific minimum requirements for each category. Additionally, passwords expire after 3 months for all users. Multi-Factor Authentication (MFA) is obligatory for all user accounts, and the API keys provided by Amazon are encrypted, with access limited to essential employees only.
As a company policy, we require the encryption of all Information in transit using secure protocols such as TLS 1.2+, SFTP, and SSH-2. This security control must be enforced on both internal and external endpoints. Additionally, when channel encryption terminates in untrusted multi-tenant hardware (e.g., untrusted proxies), developers must implement data message-level encryption.
As company policy, we maintain a comprehensive risk assessment and management process, subject to annual review by our senior management. This involves evaluating potential threats, vulnerabilities, and assessing the likelihood and impact of identified risks. We create and uphold a plan and/or runbook to detect and manage Security Incidents, outlining incident response roles, incident types affecting Amazon, response procedures, escalation paths, and procedures for reporting incidents to Amazon.
Additionally, we review and verify this plan every six (6) months and after any significant infrastructure or system changes. We promptly notify Amazon (via email to 3p-security@amazon.com) within 24 hours of detecting a Security Incident. We bear the sole responsibility to inform relevant government or regulatory agencies as mandated by applicable local laws.
In the event of a Security Incident, we are obligated to investigate thoroughly, document incident details, outline remediation actions, and implement corrective process/system controls to prevent recurrence. We maintain the chain of custody for all evidence or records collected, providing such documentation to Amazon upon request, if applicable. We cannot represent or speak on behalf of Amazon to any regulatory authority or customers unless explicitly requested in writing by Amazon.
As a company policy, we are obligated to permanently and securely delete Information within 30 days of receiving Amazon’s notice for deletion, unless the data is essential for meeting legal obligations, including tax or regulatory requirements. The secure deletion process must align with industry-standard sanitization procedures, such as NIST 800-88. Additionally, all live instances of Information, whether online or network accessible, must be permanently and securely deleted 90 days after receiving notice from Amazon. On Amazon’s request, we commit to providing a written certification affirming the secure destruction of all Information.
We will store Information in a dedicated database. Where a dedicated database is not possible, we will establish a mechanism to tag and identify the origin of all data within any database containing Information.
In line with our policy, we ensure compliance with the following additional Security Requirements for Personally Identifiable Information (“PII”). PII is accessed by Developers solely for specific tax and merchant fulfilled shipping purposes, recognized as essential. When an Amazon Services API includes PII or combines PII with non-PII, the entire data store adheres to the following requirements:
In accordance with our company policy, the retention of Personally Identifiable Information (PII) after order delivery will not extend beyond 30 days. This retention is exclusively for the purposes of (i) fulfilling orders, (ii) calculating and remitting taxes, (iii) generating tax invoices and other legally required documents, and (iv) meeting legal requirements, including tax or regulatory obligations. In instances where data retention beyond 30 days is required by law, our company is authorized to do so, solely for the purpose of complying with the specific legal requirement. As outlined in sections 1.5 (“Encryption in Transit”) and 2.4 (“Encryption at Rest”), it is imperative that PII is neither transmitted nor stored without adequate protection at any given point.
We are committed to creating, documenting, and adhering to a privacy, data handling, and classification policy for our Applications and services. This policy document dictates the appropriate conduct and technical controls necessary to manage and safeguard our information assets. To ensure accountability and compliance with regulations, we maintain a record of data processing activities, outlining how specific data fields are collected, processed, stored, used, shared, and disposed of, especially concerning Personally Identifiable Information (PII).
Our company has established a process to identify and comply with privacy and security laws and regulatory requirements relevant to our business. We retain documented evidence to demonstrate our compliance. Additionally, we have implemented and adhere to a privacy policy governing customer consent and data rights, allowing them access, rectification, erasure, or the cessation of sharing/processing of their information as applicable or required by data privacy regulations.
To assist Authorized Users with data subject access requests, our company has implemented both technical and organizational processes and systems. Furthermore, we incorporate contractual provisions in employment contracts with employees who handle PII, ensuring the confidentiality of such information.
In line with our company practices, we uphold a baseline standard configuration for our information system. We maintain an inventory of software and physical assets, such as computers and mobile devices, that have access to Personally Identifiable Information (PII), and this inventory is updated on a quarterly basis. All physical assets handling PII must comply with the requirements outlined in this policy.
As part of our company’s approach, we refrain from storing PII in removable media, personal devices, or unsecured public cloud applications (e.g., public links via Google Drive) unless encryption is applied, using at least AES-128 or RSA-2048 bit keys or higher. Disposal of any printed documents containing PII is conducted securely.
Furthermore, our company has implemented data loss prevention (DLP) controls to monitor and detect any unauthorized movement of data, ensuring the protection and security of sensitive information.
We ensure that all Personally Identifiable Information (PII) is encrypted at rest, employing a minimum of AES-128 or RSA with a 2048-bit key size or higher. The cryptographic materials, including encryption/decryption keys, and cryptographic capabilities, such as daemons implementing virtual Trusted Platform Modules and providing encryption/decryption APIs, used for encrypting PII at rest are accessible only to our company’s processes and services.
It is strictly prohibited to hardcode sensitive credentials, such as encryption keys, secret access keys, or passwords, within code. Additionally, these sensitive credentials must not be exposed in public code repositories. Our developers adhere to the practice of maintaining distinct test and production environments for enhanced security and proper management of sensitive information.
In our company, developers establish a robust logging system to detect security-related events across Applications and systems. This includes tracking the success or failure of events, date and time, access attempts, data changes, and system errors. The logging mechanism is implemented across all channels providing access to Information, such as service APIs, storage-layer APIs, and administrative dashboards.
Logs are regularly reviewed. Access controls are enforced to prevent unauthorized access and tampering throughout the entire lifecycle of the logs. PII is not included in logs unless necessary to meet legal requirements.
Logs are retained for a minimum of 90 days, unless specified otherwise by applicable law, for reference in case of a Security Incident. Developers implement mechanisms to monitor logs and system activities, triggering investigative alarms for suspicious actions, such as multiple unauthorized calls, unexpected request rates, data retrieval volume, and access to canary data records.
Monitoring alarms and processes are in place to detect any extraction or presence of Information beyond its protected boundaries. In the event of triggered monitoring alarms, developers conduct investigations, with documented procedures outlined in the Developer’s Incident Response Plan.
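The alarm conditions listed above (repeated unauthorized calls, unexpected request rates, retrieval volume, and canary-record access) can be checked directly against access logs. The following is an added example, not part of the policy or of any company system; the log line format, the thresholds, and the canary record ids are assumptions, and the log lines are constructed.

```python
"""Added example: detection rules for the monitoring alarms the policy
describes, run over constructed access-log lines.  Format, thresholds
and canary ids are assumptions, not the company's actual values."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
UNAUTH_LIMIT = 3        # 401/403 responses per client within WINDOW
RATE_LIMIT = 5          # requests per client within WINDOW
VOLUME_LIMIT = 1000     # records returned by a single request
CANARY_IDS = {"canary-7a", "canary-9c"}  # assumed decoy record ids

# Constructed lines: "<ISO time> <client> <endpoint> <status> records=<n> ids=<a,b>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 app-1 /orders 200 records=20 ids=o1,o2
2024-05-01T10:00:05 app-1 /orders 403 records=0 ids=
2024-05-01T10:00:06 app-1 /orders 403 records=0 ids=
2024-05-01T10:00:07 app-1 /orders 403 records=0 ids=
2024-05-01T10:00:08 app-2 /addresses 200 records=5000 ids=
2024-05-01T10:00:09 app-3 /orders 200 records=1 ids=canary-7a
2024-05-01T10:00:10 app-4 /orders 200 records=1 ids=
2024-05-01T10:00:11 app-4 /orders 200 records=1 ids=
2024-05-01T10:00:12 app-4 /orders 200 records=1 ids=
2024-05-01T10:00:13 app-4 /orders 200 records=1 ids=
2024-05-01T10:00:14 app-4 /orders 200 records=1 ids=
2024-05-01T10:00:15 app-4 /orders 200 records=1 ids=
2024-05-01T10:02:00 app-1 /orders 403 records=0 ids=
"""

def parse_line(line):
    """Split one log line into typed fields; 'ids=' may be empty."""
    ts, client, endpoint, status, records, ids = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "endpoint": endpoint,
        "status": int(status),
        "records": int(records.split("=", 1)[1]),
        "ids": set(filter(None, ids.split("=", 1)[1].split(","))),
    }

def detect(log_text):
    """Return (rule, client, detail) alerts; each rule fires once per crossing."""
    alerts = []
    unauth = defaultdict(deque)   # timestamps of 401/403 per client
    calls = defaultdict(deque)    # timestamps of all calls per client
    for raw in log_text.strip().splitlines():
        e = parse_line(raw)
        c = e["client"]
        for q in (unauth[c], calls[c]):   # drop entries older than WINDOW
            while q and e["ts"] - q[0] > WINDOW:
                q.popleft()
        calls[c].append(e["ts"])
        if e["status"] in (401, 403):
            unauth[c].append(e["ts"])
        if len(unauth[c]) == UNAUTH_LIMIT:
            alerts.append(("repeated_unauthorized", c, e["endpoint"]))
        if len(calls[c]) == RATE_LIMIT + 1:
            alerts.append(("request_rate", c, e["endpoint"]))
        if e["records"] > VOLUME_LIMIT:
            alerts.append(("retrieval_volume", c, e["records"]))
        if e["ids"] & CANARY_IDS:
            alerts.append(("canary_access", c, sorted(e["ids"] & CANARY_IDS)))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The last constructed line falls outside the 60-second window, so the earlier 403s for app-1 have expired and it raises no alert; in practice the resulting alerts would feed the investigation steps in the Incident Response Plan.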
In our company, it is our policy for developers to establish and uphold a plan and/or runbook for the detection and remediation of vulnerabilities. Physical hardware housing Personally Identifiable Information (PII) must be shielded from technical vulnerabilities through regular vulnerability scans and appropriate remediation. Vulnerability scanning is conducted at least every 180 days, penetration testing occurs at least every 365 days, and code is scanned for vulnerabilities before each release.
Additionally, developers exercise control over changes to storage hardware by implementing testing, verification, approval processes, and restricting access to authorized personnel. Adequate procedures and plans are in place to promptly restore availability and access to PII in the event of a physical or technical incident.
As a company, we must maintain all necessary books and records for validating adherence to the Acceptable Use Policy, Data Protection Policy, and Amazon Services API Developer Agreement throughout the agreement period and for 12 months thereafter. Upon a written request from Amazon, our company must provide written certification of compliance with these policies.
Amazon, or an independent certified public accounting firm chosen by Amazon, may upon request conduct audits, assessments, and inspections of books, records, facilities, operations, and system security related to our company’s Application and its retrieval, storage, or processing of Information. Any non-public information disclosed during this process is treated confidentially by Amazon. Our company is expected to cooperate during these audits or assessments, which may occur at our facilities or those of our subcontractors. In case of identified deficiencies or breaches, our company must take the necessary actions at our own expense to rectify them within an agreed-upon timeframe. Remediation evidence must be provided upon request, and approval from Amazon is required before the audit is closed.