Amazon Data Protection Policy

Last Updated: 08/05/2024

1. Introduction

One Connection Limited is dedicated to ensuring compliance with Amazon’s policies which governing the receipt, storage, usage, transfer, and disposal of Information, including the data vended and retrieved through the Amazon Services APIs (including the Marketplace Web Service API and Selling Partner API). This Data Protection Policy outlines our commitment to safeguarding Amazon data and our adherence to Amazon’s guidelines.

This policy is applicable to all systems that store, process, or otherwise handle data vended and retrieved from the Amazon Services API, and ensures that One Connection Limited is compliant with Amazon Policies.

2. General Security Requirements

One Connection Limited maintains physical, administrative, and technical safeguards, and other security measures (i) to maintain the security and confidentiality of Information accessed, collected, used, stored, or transmitted with in company, and (ii) to protect that Information from known or reasonably anticipated threats or hazards to its security and integrity, accidental loss, alteration, disclosure, and all other unlawful forms of processing.

2.1 NETWORK PROTECTION

All One Connection Limited’s servers and systems implement network protection controls including network firewalls and network access control lists to deny access to unauthorized IP addresses.
Public access to systems is limited to authorized and approved users, and carry out data protection and IT security training for everyone with system access.

2.2 Access Management

Access to Amazon information is strictly limited to users who require access in order to perform specific required tasks, and access is limited where possible to only required data.

All users are unique with no shared logins, and access is logged and monitored.

Access permissions are reviewed regularly (every 90 days), and access is disabled and/or removed within 24 hours for terminated employees.

No Amazon data is allowed to be stored on removable devices and personal devices, and no Personally Identifiable Information (PII) is downloaded onto devices.

2.3 Least Privilege Principle

Access is provided to developers and other employees on a need-to-know basis using fine-grained access controls mechanisms to assign specific roles to minimize access based on the need to perform duties.

2.4 Passwords and Credentials Management

One Connection Limited sets minimum requirements on passwords and credentials for access to systems. These requirements are:

• 12 or more characters of password length.
• 90 days of password expiry time.
• 3 failed attempts allowed with an invalid password before a temporary lock-out.
• Passwords must include, at least: one uppercase, one lowercase, one number and one special character.

2.5 Encryption in Transit

All data in transit is encrypted using HTTP over TLS (HTTPS) on One Connection Limited, and end points only accepted HTTPS connections. There are no instances of data in transit not being encrypted,

2.6 Risk Management and Incident Response Plan

One Connection Limited maintains an incident response plan to address unauthorized access, database hacking, or data leakage incidents.

• In the event of unauthorized access, data breaches, or other security incidents, Amazon is notified within 24 hours via email to designated security contacts.
• Legal department and non-security teams collaborate to address incidents, following established industry-standard guidelines such as NIST SP 800-61 and NIST SP 800-88.
• Regulatory authorities and affected individuals are notified as required by law.
• Documentation related to incidents is made available to Amazon upon request.
• Incident response plans are reviewed every 90 days, or in the case of major platform changes, sooner.

2.7 Request for Deletion or Return

One Connection Limited will comply with Amazon’s request for the deletion or return of Amazon Information within 72 hours, securely deleting or returning the information in accordance with industry-standard sanitization processes.

All live instances of Amazon Information will be permanently and securely deleted within 90 days of the request.

3. Additional Security Requirements Specific to Personally Identifiable Information (PII)

3.1 Data Retention

PII obtained through Amazon is stored on privately hosted servers for order management purposes and is removed within 30 days after order fulfilment, with exceptions made for legal requirements.

3.2 Data Governance

One Connection Limited retain PII only for the purpose of fulfilling orders. This retention period is for no more than 30 days (“Hold Period”) from shipment and online confirmation of delivery to customer.

One Connection Limited is not required by law to retain archival copies of PII, therefore beyond the 30-day Hold Period, One Connection Limited do not maintain backup media of any kind for PII.

In the event that PII is lost, erased or unavailable for processing due to system crash or ransomware during the 30-day Hold Period, One Connection Limited maintains a backup copy of all PII. This copy is encrypted and meets all security requirements noted in this policy. All security backups are purged with the original at the end of the 30-day Hold Period.

3.3 Asset Management

Inventory of software and physical assets with access to PII is updated quarterly, and physical assets are secured to prevent unauthorized access.

PII is not stored in removable media, personal devices, or unsecured public cloud applications, and printed documents containing PII are securely disposed.

3.4 Encryption at Rest

All PII is encrypted at rest using industry standard AES-256 encryption. No PII is allowed to be stored in external media or unsecured Cloud applications. All cryptographic materials are accessible only to authorized processes and services on privately hosted cloud servers. It is prohibited to store PII in removable media or unsecured public cloud applications. One Connection Limited strictly prohibit the printing PII not required for order fulfilment (despatch labels).

3.5 Secure Coding Practices

One Connection Limited adhere to secure coding practices, ensuring that keys, credentials, and passwords are not saved in application code or public repositories, and maintaining separation between development and production environments.

3.6 Logging and Monitoring

An internal process log file is generated each day, and is manually cleared by the administrator user when the anomaly has been resolved, not earlier than 90 days after the log is recorded, in order to have a reference for a security incident.

Logs containing PII are not stored on One Connection Limited systems, and code changes are logged to specific users.

Unauthorized access or suspicious activity is flagged and monitored, with investigations conducted as per the Incident Response Plan.

3.7 Vulnerability Management

One Connection Limited has established processes for detecting, remediating, and correcting vulnerabilities in the system, with vulnerabilities classified by severity and prioritized for immediate action.

One Connection Limited create and maintain a plan to detect and remediate vulnerabilities. Physical hardware containing PII must be protected from technical vulnerabilities by performing vulnerability scans and remediating appropriately. Vulnerability scanning or penetration tests are conducted at least every 180 days and scan code for vulnerabilities prior to each release. Furthermore, One Connection Limited must control changes to the storage hardware by testing, verifying changes, approving changes, and restricting access to who may perform those actions.

4. Audit and Assessment

One Connection Limited will provide Amazon with records demonstrating compliance with the Acceptable Use Policy, Data Protection Policy, and Amazon Services API Developer Agreement during the agreement period and for 12 months thereafter.

One Connection Limited will cooperate fully with any audit conducted by Amazon and allow inspection of systems involved in the retrieval, storage, or processing of Amazon Information.

Any breaches, failures, or deficiencies identified in audits will be rectified by One Connection Limited at its expense within the agreed timeframe.

5. Definitions

“Amazon Services API” means any application programming interface (API) offered by Amazon for the purpose of helping Amazon Authorized Users to programmatically exchange data.

“Application” means a software application or website that interfaces with the Amazon Services API or the API Materials.

“Authorized User” means a user of Amazon’s systems or services who has been specifically authorized by Amazon to use the applicable systems or services.

“Customer” means any person or entity who has purchased items or services from Amazon’s public-facing websites.

“Information” means any information that is exposed through the Amazon Services API, Amazon Portals, or Amazon’s public-facing websites. This data can be public or non-public, including Personally Identifiable Information about Amazon Customers.

“Personally Identifiable Information” (“PII”) means information that can be used on its own or with other information to identify, contact, identify in context, or locate an Amazon Customer or Authorized User. This includes, but is not limited to, a Customer or Authorized User’s name, address, e-mail address, phone number, gift message content, survey responses, payment details, purchases, cookies, digital fingerprint (e.g., browser, user device), IP Address, geo-location, nine-digit postal code, or Internet-connected device product identifier.

“Security Incident” means any actual or suspected unauthorized access, collection, acquisition, use, transmission, disclosure, corruption, or loss of Information, or breach of any environment containing Information.