Amazon Data Protection Policy

 

Last revision of the document: 1st January, 2023

This Data Protection Policy («DPP») ensures that the organization Ramper Developments and Trading SL (Oceges) governs the receipt, storage, usage, transfer, and disposal of Information, including the data vended and retrieved through the Amazon Services API (including the Marketplace Web Service API and Selling Partner API). This policy is applicable to all systems that store, process, or otherwise handle data vended and retrieved from the Amazon Services API, and ensures that Ramper Developments and Trading SL is compliant with the following Amazon policies:

1. General Security Requirements

 

Consistent with industry-leading security, Ramper Developments and Trading SL will maintain physical, administrative, and technical safeguards, and other security measures (i) to maintain the security and confidentiality of Information accessed, collected, used, stored, or transmitted by Ramper Developments and Trading SL, and (ii) to protect that Information from known or reasonably anticipated threats or hazards to its security and integrity, accidental loss, alteration, disclosure, and all other unlawful forms of processing. Without limitation, Ramper Developments and Trading SL will comply with the following requirements:

1.1 Network Protection

All Ramper Developments and Trading SL servers implement network protection controls including network firewalls and network access control lists to deny access to unauthorized IP addresses. Public access is restricted to authorized and approved users.

 

1.2 Access Management

Access to Amazon information is strictly limited to users who require access in order to perform specific required tasks, and access is limited where possible to only required data.

All users are unique with no shared logins. Access is logged and monitored.

Employees must request access and provide a reason when accessing Amazon data. Access can be revoked at any time if required and is reviewed regularly. Upon leaving the company, Access Permissions are revoked immediately.

No Amazon data is allowed to be stored on removable devices, other than anonymised data such as overall sales figures. No PII is ever downloaded onto devices.

The Company will maintain and enforce account lockout by detecting anomalous usage patterns and log-in attempts, and disabling accounts with access to Information as needed.

 

1.3 Least Privilege Principle

Access is provided to developers and other employees on a need-to-know basis, using fine-grained access controls to assign specific roles that minimize access based on the need to perform duties.

 

1.4 Passwords and credentials management

The company sets minimum requirements on passwords and credentials for access to systems. These requirements are:

  • 12 or more characters of password length
  • 1 day of minimum password age
  • 180 days of password expiry time
  • 3 failed attempts allowed with an invalid password before a temporary lock-out
  • Passwords must include at least one uppercase letter, one lowercase letter, one number and one special character

 

1.5 Encryption in transit

All data in transit is encrypted using HTTPS and SSH on Ramper Developments and Trading SL systems as data traverses the network. There are no instances of data in transit not being encrypted, even unused.

 

1.6 Risk Management and Incident Response Plan

In case of unauthorised access to servers, database hacking or data leakage, Amazon would first be notified of the problem within 24 hours of the incident, via email to 3p-security@amazon.com and security@amazon.com.

We would then follow the runbook developed and create a response mechanism to follow, which would include both non-security teams and the legal department. We would also use guides such as the recommended «NIST SP 800-61: Computer Security Incident Handling Guide» or «NIST SP 800-88: Guidelines for Media Sanitization» for the main steps to follow.

If required by local law, we would also proceed to notify the relevant supervisory authority of the incident within 72 hours of detection, as well as any persons directly affected.

In order to prevent the incident from recurring in the future, the description of the incident, the process followed to correct the incident, the controls implemented in the system, and the new processes implemented to resolve the problem would be documented.

Should Amazon request access to the documentation of the collected logs, it will be made available immediately.

Under no circumstances will developers speak on behalf of Amazon to any authority or customer unless specifically requested in writing by Amazon.

 

1.7 Request for Deletion or Return

Within a period of 72 hours from Amazon’s request, Ramper Developments and Trading SL will permanently and securely delete (in accordance with «NIST SP 800-88: Guidelines for Media Sanitization») or return Amazon Information in accordance with Amazon’s notice requiring deletion and return.

Ramper Developments and Trading SL will also permanently and securely delete all live instances of Amazon Information within 90 days after Amazon’s notice. If requested by Amazon, Ramper Developments and Trading SL will certify in writing that all Amazon Information has been securely destroyed.

 

 

2. Additional Security Requirements Specific to Personally Identifiable Information

 

2.1 Data Retention

Amazon PII is stored by Ramper Developments and Trading SL on privately hosted Database Servers for the sole purpose of facilitating the management of client orders, shipments and the issuing of tax invoices. Amazon PII is removed from Ramper Developments and Trading SL’s databases no more than 30 days after the fulfillment of an order. There is no Amazon PII stored in logs or other files.

Amazon PII could exceptionally remain for over 30 days only if required by law and only for the purposes of complying with that law.

 

2.2 Data Governance

Ramper Developments and Trading SL has an asset management policy defining how the software and physical assets are kept in an inventory and how this is updated as assets are reassigned, added or returned. It also specifies procedures for data cleansing as assets are re-assigned or removed from the inventory.

This is reviewed every 6 months and a full asset inventory is performed. Ramper Developments and Trading SL also has a publicly available privacy policy stating our compliance with all applicable data privacy regulations.

 

2.3 Asset Management

The Company will keep inventory of software and physical assets with access to PII, and update quarterly (every 3 months). Physical assets that store, process, or otherwise handle PII will abide by all of the requirements set forth in this policy.

The Company will not store PII in removable media, personal devices, or unsecured public cloud applications. The Company will securely dispose of any printed documents containing PII.

 

2.4 Encryption at Rest

All Amazon PII is encrypted at rest using, at a minimum, industry-standard AES-128 encryption. No Amazon PII is allowed to be stored in external media or unsecured Cloud applications.

All cryptographic materials and cryptographic capabilities used for encryption of PII at rest are only accessible to the Ramper Developments and Trading SL system and developers’ processes and services on our privately hosted cloud servers.

 

2.5 Secure Coding Practices

The developers will never save or store keys, credentials or passwords in the application code or in public repositories, and will always keep their development and production environments separated.

 

2.6 Logging and Monitoring

An internal process log file is generated each day, and is manually cleared by the administrator user when any anomaly has been resolved, not earlier than 90 days after the log is recorded, in order to have a reference for a security incident.

No PII is ever logged anywhere on Ramper Developments and Trading SL Systems. Code changes are logged to specific users. API logs are stored in databases on our privately hosted cloud servers.

Unauthorized access or unexpected request rates are flagged and suspicious activity is monitored by system administrators who will instigate an investigation as detailed in the Incident Response Plan.

 

2.7 Vulnerability Management

Our organization has a runbook designed to detect, remediate and correct vulnerabilities in the system.

Through an internal task manager (Monday), developers indicate any vulnerability found in the system and classify them by severity and priority so that members of the development team are aware of them. Depending on the severity of the vulnerability, its correction is prioritized and immediate action is taken in the most critical cases. Each incident notification is identified by the user who reported it, the date and time, as well as other highly relevant parameters.

Any type of software or hardware change is tested, verified and approved by the developers within our team.

Once the finding is corrected, the organization’s developers follow up thoroughly for several weeks to confirm that the problem has been fully fixed.

An exhaustive vulnerability analysis is carried out every 180 days at the most. In addition, several system penetration tests are carried out every 365 days at the most. If incidents are detected, the team works immediately on their correction and solution.

 

3. Audit and Assessment

 

Ramper Developments and Trading SL will provide Amazon with all records if requested to demonstrate compliance with the AUP, DPP and Amazon Marketplace Developer Agreement during the period of our agreement with Amazon and for 12 months thereafter.

Ramper Developments and Trading SL will also cooperate fully with any auditor assigned by Amazon and allow them to inspect the books, records, facilities, operations, and security of all systems that are involved with Ramper Developments and Trading SL’s application in the retrieval, storage, or processing of Amazon Information.

Any breaches, failures or deficiencies flagged as part of any audit will be rectified by Ramper Developments and Trading SL at our expense within the agreed timeframe.