Amazon Data Handling Policy

Security, Privacy & Compliance Standards

Last Updated: May 20, 2026

Applies to: Amazon Selling Partner API Integration & Fulfillment by Amazon (FBA) Operations

Document Type: Internal Data Protection & Handling Procedures

TABLE OF CONTENTS

  1. Overview & Scope
  2. Data Collection
  3. Data Processing
  4. Data Storage & Encryption
  5. Access Controls & User Management
  6. Data Sharing
  7. Data Retention & Deletion
  8. Security Measures
  9. Incident Response
  10. Compliance & Monitoring

1. OVERVIEW & SCOPE

This Data Handling Policy establishes the security, privacy, and compliance standards for our organization's handling of Amazon Information obtained through the Selling Partner API. This policy applies to all employees, contractors, and systems that access, store, process, or transmit Amazon data.

Policy Objectives:

  • Protect the confidentiality, integrity, and availability of Amazon data
  • Comply with Amazon's Data Protection Policy (DPP) and Acceptable Use Policy (AUP)
  • Ensure compliance with Brazilian tax regulations and ancillary tax obligations (obrigações acessórias)
  • Establish clear roles, responsibilities, and procedures for data handling
  • Provide a framework for secure data collection, storage, processing, and disposal

Applicability:

This policy applies to:

  • All Amazon Selling Partner API data (transaction data, order information)
  • Brazilian Nota Fiscal (invoices) generated by Amazon for FBA operations
  • Personally Identifiable Information (PII) used for tax and invoice purposes
  • All systems, devices, and locations where Amazon data is processed or stored

2. DATA COLLECTION

Collection Methods:

Amazon Information is collected exclusively through authorized channels:

  • Amazon Selling Partner API: Programmatic retrieval of transaction data, order details, and fulfillment information
  • Amazon FBA Portal: Manual retrieval of Nota Fiscal (tax invoices) as required for tax compliance

Authorized Data Types:

Data Type | Purpose | Retention
--- | --- | ---
Order & Transaction Data | FBA operations, invoicing, inventory management | As required by Brazilian tax law; minimum 5 years
Personally Identifiable Information (PII) | Tax compliance, Nota Fiscal generation, shipping | As required by Brazilian tax law; minimum 5 years per tax code
Pricing & Financial Data | Revenue tracking, tax reporting, financial analysis | As required by law

Data Minimization: We collect only data necessary for authorized purposes. Employees are prohibited from accessing or requesting Amazon data beyond their explicit business need.

3. DATA PROCESSING

Amazon Information is processed for the following authorized purposes:

Tax & Invoice Management:

  • Generation of Nota Fiscal (Brazilian tax invoices)
  • Tax calculation and remittance to Brazilian tax authorities
  • Fulfillment of obrigações acessórias (ancillary tax obligations)
  • Compliance with Brazilian fiscal regulations

FBA Operations:

  • Order fulfillment and shipment tracking
  • Inventory management and reconciliation
  • Performance reporting and analytics

Data Governance & Analytics:

  • Internal business reporting (aggregated, non-identifiable data only)
  • Performance metrics and compliance audits

Processing Standards: All processing activities comply with Amazon's DPP and Brazilian data protection requirements. PII is processed only by authorized finance and tax staff on a need-to-know basis.

Testing & Development:

Development and testing environments use anonymized or masked versions of Amazon data. Real PII is never used in test environments. Masked data is generated using industry-standard tools that remove identifiable information (names, addresses, phone numbers) while preserving data structure for testing.

4. DATA STORAGE & ENCRYPTION

Storage Infrastructure:

  • Database: PostgreSQL with AES-128 encryption at the storage level
  • Location: Private VPC (Virtual Private Cloud) with restricted security groups
  • Access: Restricted to authorized application servers and approved IP addresses only

Encryption at Rest:

Data Category | Encryption Method | Key Management
--- | --- | ---
Database (PII & Transactional Data) | AES-128 encryption at storage layer | Key management system with annual rotation
API Keys & Database Credentials | Encrypted vault storage | Rotated annually; access restricted to authorized services only
Backups & Archives | AES-128 encryption (same standard as live data) | Geographically separated storage; keys managed separately

Encryption in Transit:

  • API Communications: All Selling Partner API calls use HTTPS/TLS 1.2+ encryption
  • Internal Data Transfer: Encrypted via TLS 1.2+ for all internal and external endpoints
  • Database Connections: Encrypted channels only; unencrypted connections are blocked

Compliance: Our encryption methods meet or exceed Amazon DPP requirements (minimum AES-128 or RSA-2048 bit keys). Encryption keys are never stored alongside encrypted data.

Key Management System (KMS):

  • Encryption keys are generated, stored, and rotated within a centralized Key Management System
  • Key rotation occurs annually (API keys rotated every 12 months)
  • Only authorized applications and services have access to decryption keys
  • Key revocation procedures are in place for incident response and employee termination

5. ACCESS CONTROLS & USER MANAGEMENT

User Identification & Authentication:

  • All employees are assigned unique user credentials
  • Multi-Factor Authentication (MFA): Required for all users with API or database access
  • User accounts are managed through Active Directory with centralized policy enforcement
  • Accounts are locked after 3 failed login attempts within a 3-minute window

Access Levels & Role-Based Permissions:

Role | Systems Access | Data Access Level
--- | --- | ---
IT Infrastructure (2 staff) | Full API access, database admin, system maintenance | Full access (encryption key management)
Development Team | API development, testing environments | Development/test data only (masked PII)
Finance & Tax Staff | Database access (invoicing & tax reporting) | Read-only access to necessary PII for tax purposes
All Other Employees | None | No direct access

Access Review & Revocation:

  • Access privileges are reviewed quarterly for continued necessity
  • Unused or inactive accounts are identified and removed (no access for 90+ days = automatic deletion)
  • Upon employee termination, access is revoked within 24 hours
  • All access changes are logged and audited

Password Management:

  • Minimum Length: 12 characters
  • Complexity: Mix of uppercase, lowercase, numbers, and special characters
  • Expiration: Maximum 365-day expiration
  • History: Last 10 passwords cannot be reused
  • Storage: Never hardcoded in code or documentation
  • Account Lockout: After 3 failed login attempts

Device Access Controls:

  • Amazon Information is restricted to company-managed devices only
  • Mobile Device Management (MDM) prevents unauthorized file transfers to personal devices
  • USB storage and external media are prohibited on all systems handling internal data, including data obtained via the Amazon API
  • Violation attempts are logged in the endpoint protection platform (Windows Defender logs)
  • Any detected unauthorized transfer attempt triggers an automatic alert to the IT team
  • Remote access requires VPN with certificate-based authentication

6. DATA SHARING

Internal Data Sharing:

Amazon Information may be shared internally only with:

  • Finance Staff: Access to PII for tax reporting and invoice generation (need-to-know basis)
  • IT Staff: Access for system maintenance and security operations
  • Development Team: Access to masked/anonymized data for testing and integration purposes only

External Data Sharing:

Amazon Information is NOT shared with external parties except:

  • Brazilian Tax Authorities: As required by law for tax compliance (Nota Fiscal, obrigações acessórias)
  • Amazon (via authorized processes): Only if required for incident response or audit compliance

Prohibition: Data is never sold, aggregated across customers, or used for marketing or promotional purposes. Amazon data is never used to target Amazon customers for external services.

Third-Party Data Processors:

If any external parties require access to Amazon data (e.g., auditors, consultants):

  • Written agreements must be in place imposing equivalent data protection obligations
  • Access is limited to the minimum necessary for the specific purpose
  • External parties must sign a confidentiality agreement before access is granted
  • All access is logged and audited

7. DATA RETENTION & DELETION

Retention Periods:

Data Type | Retention Period | Legal Basis
--- | --- | ---
Transaction & Order Data (non-PII) | 5+ years (per Brazilian tax code requirements) | Operational necessity; Amazon DPP
Personally Identifiable Information (PII) | 5+ years (per Brazilian tax code requirements) | Brazilian tax law; invoice & fiscal obligation retention
Security Logs & Audit Trails | 12 months minimum | Incident investigation & regulatory compliance
Backup & Archive Data | Aligned with source data retention periods | Disaster recovery & compliance

Data Deletion Procedures:

  • Data deletion is performed within 30 days of Amazon's request (unless legally required for longer retention)
  • Deletion uses industry-standard secure sanitization processes (NIST 800-88 standards)
  • All live/online instances of data are permanently deleted within 90 days of deletion request
  • Offline backups containing deleted data are tracked and destroyed per retention schedule
  • Deletion is documented with certificates of destruction provided upon request

Data Retention for Legal Compliance:

PII may be retained beyond standard retention periods only if required by law. Currently:

  • Brazil: PII is retained for 5+ years to comply with Brazilian tax code requirements for Nota Fiscal generation and tax reporting
  • Documentation of legal retention requirements is maintained and available for audit

8. SECURITY MEASURES

Network Security:

  • Firewall: Hardware firewall with access control lists (ACL) denying unauthorized inbound connections
  • VPC Isolation: Database and file servers in private VPC with restricted security groups
  • Network Segmentation: Restricted to approved internal IPs and application servers
  • Endpoint Protection: Anti-virus and anti-malware tools installed on all systems, scanned at least monthly
  • Public Access: We do not permit direct public access to any systems (databases, servers or endpoints) containing Amazon API data

Secure Coding Practices:

  • API keys and sensitive credentials are never hardcoded in source code
  • Code repositories are scanned for secrets using automated detection tools
  • Development and production environments are strictly segregated
  • Code vulnerability scans (SAST tools) performed before each release

Vulnerability Management:

Assessment Type | Frequency | Remediation Timeline
--- | --- | ---
Vulnerability Scans | Monthly | Critical: 7 days; High: 30 days
Penetration Tests | Annually | Findings tracked per severity
Code Analysis (SAST) | Before each release | Blocking issues: before deploy; Other: tracked

Backup & Disaster Recovery:

  • Frequency: Daily encrypted backups
  • Location: Geographically separated region
  • Encryption: Same AES-128 standard as live data
  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 24 hours
  • Testing: Restore procedures tested quarterly

Security Training & Awareness:

  • All employees with Amazon Information access receive annual data protection and IT security awareness training
  • Training covers: password management, phishing awareness, secure coding, incident reporting
  • Training completion is mandatory and documented

Physical Security:

  • Data is stored in cloud infrastructure with managed physical security
  • Office-based systems are restricted to company facilities with controlled access
  • Printed documents containing PII are securely disposed of (shredded/incinerated)

9. INCIDENT RESPONSE

Incident Definition:

A "Security Incident" includes any actual or suspected:

  • Unauthorized access to systems or data
  • Data breach or loss (accidental or intentional)
  • Compromise of credentials or encryption keys
  • Unauthorized data exfiltration or disclosure
  • Ransomware or malware infection affecting Amazon data

Incident Response Procedures:

  1. Detection & Isolation (Immediate) - Affected systems are isolated from the network immediately
  2. Initial Assessment (0-2 hours) - Incident scope, systems affected, and preliminary impact assessment documented
  3. Amazon Notification (Within 24 hours) - Amazon is notified via security@amazon.com with incident details, scope, and initial findings
  4. Forensic Investigation (Days 1-3) - Detailed investigation to identify root cause, affected data, and timeline
  5. Remediation (Ongoing) - Implement fixes (credential rotation, patching, security updates) and prevent recurrence
  6. Post-Incident Report (Within 7 days) - Comprehensive report with root cause analysis, preventive measures, and lessons learned

Incident Escalation Path:

  • Incident Management Point of Contact (IMPOC): Gabriel Correa de Oliveira
  • Email: dpo@iwannasleep.com
  • Internal Escalation: IT Lead → Company Management → Security Review
  • External Notification: Amazon (security@amazon.com); Brazilian regulators (if legally required)

Communication During Incidents:

  • Only authorized personnel communicate with Amazon or regulatory authorities
  • Internal communications are documented and logged
  • External communications follow Amazon's incident reporting requirements

Documentation: All security incidents are investigated and documented. Evidence is preserved, chain of custody is maintained, and documentation is available for Amazon audit upon request.

10. COMPLIANCE & MONITORING

Security Logging & Monitoring:

  • Database Access Logs: Timestamps, user IDs, query details, and result counts
  • API Call Logs: Request/response metadata, endpoints called, data volume retrieved
  • System Event Logs: Login attempts, file access, configuration changes
  • Log Retention: 12 months minimum; older logs archived per retention schedule

Monitoring & Alerting:

Centralized log aggregation monitors for:

  • Multiple failed login attempts (3 failures within 3 minutes)
  • Unusual query patterns or unexpected data retrieval volumes
  • After-hours or out-of-schedule access attempts
  • API quota limit violations
  • Attempts to extract data beyond authorized boundaries
  • Detection of data on Dark Web or unauthorized external locations

Audit & Assessment:

  • Internal security audits conducted annually
  • Compliance with this policy reviewed quarterly
  • Amazon is granted audit rights per Amazon Solution Provider Agreement
  • Upon Amazon's request, we certify compliance with all policies in writing

Remediation Tracking:

  • Vulnerability and incident findings are logged in a centralized tracking system
  • Each finding includes: severity rating, affected systems, remediation owner, and target completion date
  • Progress is reviewed weekly by IT leadership and reported to management monthly
  • Critical findings must be remediated within 7 days; high-risk within 30 days

Code Vulnerability Remediation:

  • Development code is scanned for vulnerabilities using SAST tools before each release
  • Vulnerabilities identified during development are prioritized and fixed before deployment to production
  • Runtime vulnerabilities detected in production are tracked and remediated according to severity:
    • Critical: within 7 days
    • High: within 30 days
  • Remediation is documented and verified before closure

Policy Review & Updates:

  • This policy is reviewed annually and updated as needed
  • Material changes are communicated to all affected staff
  • Policy effectiveness is assessed during annual security audits

Compliance with Legal Requirements:

  • Brazilian Tax Law: All procedures comply with Brazilian fiscal and tax obligations
  • Amazon DPP & AUP: This policy implements all requirements of Amazon's Data Protection Policy and Acceptable Use Policy
  • Data Protection Regulations: Procedures follow applicable privacy regulations

ACKNOWLEDGMENT

All employees and contractors with access to Amazon Information must acknowledge receipt and understanding of this Data Handling Policy. Violation of this policy may result in disciplinary action, up to and including termination of employment.

For questions or to report violations, contact:

Incident Management Point of Contact (IMPOC)
Gabriel Correa de Oliveira
dpo@iwannasleep.com