Channel Spyder Data Protection Policy with Personally Identifiable Information (PII)
This Data Protection Policy governs the treatment (receipt, storage, usage, transfer, and
disposition) of all data vended and retrieved through Amazon Marketplace APIs
(including the Marketplace Web Service APIs).
"Application" refers to the Channel Spyder software
application as it interfaces with the Amazon Marketplace APIs.
"Amazon Information" means any information that is exposed by Amazon through the Marketplace APIs,
Seller Central, or Amazon's public-facing websites. This data includes public and
non-public data as well as Personally Identifiable Information about Amazon customers.
"Customer" means any person or entity who has
purchased items or services from Amazon's public-facing websites.
"Personally Identifiable Information" (PII) means information that can be used on its own
or with other information to identify, contact, or locate an individual, or to
identify an individual in context. This includes, but is not limited to, a
Customer's or Seller's name, address, e-mail address, phone number, gift message
content, survey responses, payment details, purchases, cookies, digital
fingerprint (browser, user device, etc.), IP address, geo-location, or
Internet-connected device product identifier.
"Security Incident" means any actual or suspected unauthorized access, collection, acquisition,
use, transmission, disclosure, corruption, or loss of Amazon Information, or
breach of any environment (i) containing Amazon Information, or (ii) managed by
Channel Spyder with controls substantially similar to those protecting Amazon Information.
In accordance with industry-leading security standards and other requirements specified by Amazon
based on the classification and sensitivity of Amazon Information, Channel
Spyder maintains physical, administrative, and technical safeguards, and other
security measures (i) to maintain the security and confidentiality of Amazon
Information accessed, collected, used, stored, or transmitted by Channel Spyder,
and (ii) to protect that information from known or reasonably anticipated
threats or hazards to its security and integrity, accidental loss, alteration,
disclosure, and all other unlawful forms of processing. Without limitation, Channel
Spyder complies with the following policies:
All Channel Spyder Application servers and systems employ AWS VPC
subnets and Security Groups, as well as network firewall protection
controls, for the purpose of denying access from unauthorized IP addresses. Public
access is restricted to approved users only.
The Channel Spyder Application uses a unique ID assigned to each
individual with computer access to Amazon Information. Under no
circumstances do we create or use generic, shared, or default login
credentials or user accounts. We have implemented baselining mechanisms to
ensure that at all times only the required user accounts have access to
Amazon Information. We review the list of people and services with access
to Amazon Information on a monthly basis and remove accounts that no
longer require access. We restrict employees from accessing or storing
Amazon data on personal devices. We maintain and enforce "account
lockout" by detecting anomalous usage patterns and log-in attempts
and disabling accounts with access to Amazon Information as needed.
The Channel Spyder Application encrypts all Amazon Information in transit,
when the data traverses a network, or is otherwise sent between hosts
using HTTP over TLS (HTTPS). We enforce this security control on all
applicable external endpoints used by customers as well as internal
communication channels and during operational tooling. We do not keep communication
channels that lack encryption in transit, even ones that are unused. In
addition, the Channel Spyder Application uses message-level encryption
where channel encryption terminates in untrusted multi-tenant hardware.
As part of Channel Spyder's Incident
Response Plan, our runbook includes
response roles and responsibilities, as well as steps to detect and handle
various Security Incident types that may impact Amazon Data. In this plan
we define incident response procedures for specific incident types, and we
define an escalation path and procedures to escalate Security Incidents to
Amazon. Our Incident Response Plan is reviewed every six (6) months as well as after
any major infrastructure or system change. We investigate each Security
Incident, and document the incident description, remediation actions, and
associated corrective process/system controls implemented to prevent
future recurrence (if applicable). Additionally, we maintain the chain of
custody for all records collected, and such documentation (if applicable) is
made available to Amazon upon request.
As part of our Incident Response Plan, and
per Amazon's written Data Protection Policy requirements, Channel Spyder will inform
Amazon (via email to firstname.lastname@example.org) within 24 hours of detecting any
Security Incidents. We will not notify any regulatory authority, nor any
customer, on behalf of Amazon unless Amazon specifically requests in writing
that we do so. Amazon has the right to review and approve the form and content
of any notification before it is provided to any party, unless such
notification is required by law, in which case Amazon has the right to review
the form and content of any notification before it is provided to any party. We
will inform Amazon within 24 hours when their data is being sought in response
to legal process or by applicable law.
- Request for Deletion or Return.
Within 72 hours of Amazon's request, Channel Spyder will permanently and
securely delete (in accordance with NIST 800-88 industry-standard
sanitization processes) or return Amazon Information in accordance with
Amazon's notice requiring deletion and/or return. Channel Spyder will also
permanently and securely delete all live (online or network accessible)
instances of Amazon Information within 90 days after Amazon's notice. If
requested by Amazon, we will certify in writing that all Amazon
Information has been securely destroyed.
Security Policies Specific to Personally Identifiable Information
The following additional Security Policies apply to all Personally Identifiable Information
(PII). The Channel Spyder Application, as it pertains to the Amazon Marketplace
API, contains both PII and non-PII; therefore the entire Amazon data store complies
with the following policies:
Retention and Recovery. We retain PII only for the purpose of
fulfilling orders. This retention period is for no more than 30 days
("Hold Period") from shipment and online confirmation of delivery to
customer. Channel Spyder is not required by law to retain archival copies
of PII, therefore beyond the 30-day Hold Period, we do not maintain backup
media of any kind for PII. To recover PII that is lost, erased, or
unavailable for processing due to a system crash or ransomware during the 30-day
Hold Period, Channel Spyder maintains a backup copy of all PII. This copy
is encrypted and meets all security requirements noted in this policy. All
security backups are purged with the original at the end of the 30-day Hold Period.
As part of the Channel Spyder Application privacy and Data Handling Policy, we keep an inventory of all software and
physical assets with access to PII. This inventory is updated every 30
days. We keep records of all data processing activities, including but not
limited to, specific data fields as well as how they are collected,
processed, stored, used, shared, and disposed of as they apply to PII.
This record is maintained for the purpose of establishing accountability
as it applies to customer consent and data rights per all
applicable data privacy regulations.
All PII is encrypted at rest using AES-256, in line with industry standards. All cryptographic
materials (encryption/decryption keys) and cryptographic capabilities used
for encryption of PII at rest are only accessible to the Channel Spyder system
processes and services. We do not store PII on removable media (USB sticks, flash
drives, etc.) or in unsecured public cloud applications (Google Drive,
Dropbox, etc.). No documents containing PII are ever printed on paper.
Channel Spyder employs fine-grained access control mechanisms when
granting rights to any party using the Application, as well as the Application's
operators, following the principle of least privilege. Application
sections or features that vend PII are protected under a unique access
role, and access is only granted on a "need-to-know" basis.
- Logging and Monitoring.
Channel Spyder gathers logs to detect security-related events (access and
authorization, intrusion attempts, etc.) to our Applications and systems. This
logging mechanism is implemented on all channels providing access to
Amazon Information. Logs are only accessible by authorized personnel. The
logs themselves do not contain PII and are retained for 90 days as
reference in the case of a Security Incident. Channel Spyder's runbook
includes mechanisms for regular monitoring of the logs and all system
activities. In addition to regular review, Channel Spyder's monitoring
includes real-time notifications via email, phone call, and SMS in the
event a suspicious action (multiple unauthorized calls, unexpected request
rate, etc.) triggers an alert. In the event of an alert, we follow the procedures
in Channel Spyder's Incident Response Plan.
Channel Spyder maintains
all appropriate books and records reasonably required to verify compliance with
Amazon's Acceptable Use Policy, Data Protection Policy, and the Amazon
Marketplace Developer Agreement during the period of this agreement and for 12
months thereafter. Upon Amazon's written request, Channel Spyder will certify
in writing to Amazon that we are in compliance with these policies.
PO Box 2166
Yorba Linda, CA 92885