Data Protection & Policy

This reference standard defines how data is accessed, protected, retained, and deleted within SIMCHEAP.

Least-privilege access · 90-day key rotation · Tamper-protected security · Auditable control baseline

SP-API use case for Amazon Selling Partners

  • Order & fulfillment: process order status, shipment events, and recipient contact details (PII when required) for delivery, exception handling, and after-sales support.
  • Listing & inventory: process SKU attributes, listing status, and inventory levels (primarily non-PII) for listing synchronization and replenishment planning.
  • Finance & reconciliation: process settlement, fee, refund, and transaction records for account reconciliation, financial reporting, and audit support.
  • PII is used only when necessary for fulfillment, compliance obligations, customer support, and dispute resolution.
  • We do not use Amazon data for competitor analysis, resale, or secondary purposes beyond authorized service delivery.

Scope & purpose limitation

  • Access data only with explicit authorization and documented purpose.
  • Use data solely to deliver requested services.
  • Apply data minimization and confidentiality principles.
  • No unauthorized sharing, resale, or secondary use.

Access management

  • MFA required for all user accounts.
  • Password minimum length 12; upper/lower/number/special required.
  • Password minimum age 1 day; maximum age 90 days.
  • Account lockout after 5 failed login attempts.
  • Password history retained permanently; password reuse is prohibited.
  • Monthly access reviews; no shared or generic accounts.
  • Access is revoked within 4 hours after role change or offboarding.

Credential & key management

  • API keys stored encrypted and access-limited.
  • API keys rotated at least every 90 days and immediately after suspected exposure.
  • Encryption keys rotated every 90 days.
  • All credentials are stored in a managed secrets vault; plaintext storage is prohibited.

Encryption & transport

  • TLS 1.2+ for data in transit.
  • PII encrypted at rest with AES-128+ or RSA-2048+.
  • Key management system (KMS) for cryptographic material.

Logging & monitoring

  • Security logs retained for a minimum of 12 months.
  • Logs reviewed continuously or at least bi-weekly.
  • Logs include access attempts, data changes, and system errors.
  • Logs protected from tampering; no PII unless legally required.

Vulnerability management

  • Critical vulnerabilities resolved within 7 days.
  • High-risk vulnerabilities resolved within 30 days.
  • Regular scanning and penetration testing.
  • Anti-virus and anti-malware controls use tamper protection; disabling is blocked and alerted.

Retention & deletion

  • PII retained no longer than 30 days after delivery unless required by law.
  • Non-PII retained no longer than 18 months unless legally required.
  • Documented deletion workflows with auditability.

Incident response

  • Designated Incident Management Point of Contact (IMPOC).
  • Defined escalation and containment procedures.
  • Post-incident review and corrective actions.
  • If the incident involves Amazon Information, we will notify Amazon without undue delay via security@amazon.com.

Third parties & backups

  • Third-party risk assessments before onboarding.
  • Contractual security obligations for subprocessors.
  • Geographically dispersed backups.
  • Subprocessor categories include cloud infrastructure, logistics, and customer support tooling.
  • Shared fields may include recipient name, delivery address, phone number, and parcel tracking details when required.
  • Sharing purpose is strictly limited to fulfillment, returns handling, customs clearance, and related support.
  • Data is transferred through APIs or encrypted channels with access controls and audit logs.
  • No competitor analysis data is shared, and no secondary use or resale is permitted.

Data loss prevention

  • DLP controls to detect unauthorized data movement.
  • No PII stored on removable media or unsecured public links.
  • Printed PII is disposed of securely when applicable.

Transparency & rights

  • Clear data use disclosures to customers.
  • Support for access and deletion requests.
  • Compliance with applicable privacy regulations.

Endpoint & device controls

  • Production data must not be stored on personal devices.
  • Managed devices require full-disk encryption and screen lock.
  • Only approved and monitored devices may access production environments.

Session & re-authentication

  • Admin sessions time out automatically after 30 minutes of inactivity.
  • Sensitive operations require step-up verification.
  • Concurrent sessions are monitored and can be force-terminated by policy.

Backup & recovery targets

  • Recovery Point Objective (RPO): less than or equal to 24 hours.
  • Recovery Time Objective (RTO): less than or equal to 4 hours.
  • Disaster recovery drills are executed at least quarterly.

Change & release security

  • Code changes require peer review before deployment.
  • Critical configuration changes must be auditable and approval-gated.
  • Emergency changes require post-change review and corrective actions.