Parceltube's Data Protection Policy demonstrates our unwavering commitment to handle data with the utmost care and confidentiality. This policy outlines our approach to collecting, processing, storing, using, sharing, and disposing of data in a manner that upholds fairness, transparency, and respect for individual rights.
This policy is applicable to all parties, including but not limited to employees, job candidates, customers, suppliers, and any other entities providing information. All employees of our company and its subsidiaries, as well as external entities such as contractors, consultants, and partners, must adhere to this policy. It encompasses anyone collaborating with or acting on behalf of our company who may require occasional access to data.
As part of our operations, we engage in the collection and processing of data. This includes offline or online information that makes an individual identifiable, such as names, addresses, usernames, passwords, digital footprints, photographs, social security numbers, financial data, etc. The following principles guide our approach to handling data.
Our data will:
Be accurate and kept up-to-date
Be collected fairly and for lawful purposes only
Be processed within legal and moral boundaries
Be protected against any unauthorized or illegal access by internal or external parties
Our data will not:
Be communicated informally
Be stored for more than a specified amount of time
Be transferred to organizations, states, or countries lacking adequate data protection policies
Be distributed to any party other than those agreed upon by the data's owner (excluding legitimate requests from law enforcement authorities)
In addition to our responsibilities in handling data, we have direct obligations to individuals. Specifically, we must:
Let individuals know which of their data is collected
Inform individuals about how we'll process their data
Inform individuals about who has access to their information
Establish provisions for lost, corrupted, or compromised data
Allow individuals to request modifications, erasure, reduction, or correction of data contained in our databases
To uphold data protection, we are committed to:
Restricting and monitoring access to sensitive data
Developing transparent data collection procedures
Training employees in online privacy and security measures
Building secure networks to protect online data from cyberattacks
Establishing clear procedures for reporting privacy breaches or data misuse
Including contract clauses or communicating statements on how data is handled
Establishing data protection practices such as document shredding, secure locks, data encryption, frequent backups, and access authorization
Our data protection provisions will be made accessible on our website.
All principles described in this policy must be strictly followed. A breach of data protection guidelines will invoke disciplinary and possibly legal action.
The Data Protection Policy ("DPP") oversees the handling of Information, encompassing the receipt, storage, usage, transfer, and disposal of data obtained and supplied through the Amazon Services API through our service, including the Seller Partner API. It applies to all systems involved in storing, processing, or managing data derived from the Amazon Services API. This Policy complements the Amazon Services API Developer Agreement and the Acceptable Use Policy.
General Security Requirements
Aligned with top-tier industry security practices, Parceltube will uphold physical, administrative, and technical safeguards, along with additional security measures. These measures aim to (i) uphold the security and confidentiality of accessed, collected, used, stored, or transmitted Information by a Developer and (ii) shield this Information from known or reasonably anticipated threats, accidental loss, alteration, disclosure, and all other unlawful forms of processing. The Developer commits to complying with the following requirements, among others:
Parceltube incorporates network protection controls, such as network firewalls and access control lists, to prevent unauthorized access from specific IP addresses. Parceltube also introduces network segmentation and installs anti-virus and anti-malware software on end-user devices. Additionally, public access will be restricted to approved users, and comprehensive data protection and IT security training must be provided to all individuals with system access.
Parceltube must establish a formal user access registration process for assigning access rights across all user types and services. This involves assigning a unique ID to each individual with computer access to Information. Avoid the creation or use of generic, shared, or default login credentials, and prevent the sharing of user accounts. Implement baselining mechanisms to ensure that only necessary user accounts access Information at all times.
Furthermore, Parceltube will restrict employees and contractors from storing Information on personal devices. Maintain and enforce "account lockout" protocols by identifying anomalous usage patterns and log-in attempts, disabling accounts with access to Information. Regularly review the list of individuals and services with access to Information at least quarterly.
In cases of employee termination, Parceltube will ensure that access is disabled or removed within 24 hours. This meticulous approach to user access management is crucial for maintaining the security and integrity of the Information.
As part of our company policy, we require the implementation of fine-grained access control mechanisms. This ensures the granting of rights to any party utilizing the Application and the authorized operators of the Application, all in accordance with the principle of least privilege. Access to Information will only be granted on a "need-to-know" basis.
As part of our company policy, we are mandated to set minimum password requirements for personnel and systems accessing Information. Passwords must consist of a minimum of twelve (12) characters, excluding any part of the user's name, and must encompass a mix of upper-case letters, lower-case letters, numbers, and special characters, with specific minimum requirements for each category. Additionally, we establish a minimum password age of 3 months expiry for all users. Multi-Factor Authentication (MFA) is obligatory for all user accounts, and we ensure the encryption of API keys provided by Amazon, with access limited to essential employees only.
As a company policy, we require the encryption of all Information in transit using secure protocols such as TLS 1.2+, SFTP, and SSH-2. This security control must be enforced on both internal and external endpoints. Additionally, when channel encryption terminates in untrusted multi-tenant hardware (e.g., untrusted proxies), developers must implement data message-level encryption.
As company policy, we maintain a comprehensive risk assessment and management process, subject to annual review by our senior management. This involves evaluating potential threats, vulnerabilities, and assessing the likelihood and impact of identified risks. We create and uphold a plan and/or runbook to detect and manage Security Incidents, outlining incident response roles, incident types affecting Amazon, response procedures, escalation paths, and procedures for reporting incidents to Amazon.
Additionally, we review and verify this plan every six (6) months and after any significant infrastructure or system changes. We promptly notify Amazon (via email to 3p-security@amazon.com) within 24 hours of detecting a Security Incident. We bear the sole responsibility to inform relevant government or regulatory agencies as mandated by applicable local laws.
In the event of a Security Incident, we are obligated to investigate thoroughly, document incident details, outline remediation actions, and implement corrective process/system controls to prevent recurrence. We maintain the chain of custody for all evidence or records collected, providing such documentation to Amazon upon request, if applicable. We cannot represent or speak on behalf of Amazon to any regulatory authority or customers unless explicitly requested in writing by Amazon.
As a company policy, we are obligated to permanently and securely delete Information within 30 days of receiving Amazon's notice for deletion, unless the data is essential for meeting legal obligations, including tax or regulatory requirements. The secure deletion process must align with industry-standard sanitization procedures, such as NIST 800-88. Additionally, all live instances of Information, whether online or network accessible, must be permanently and securely deleted 90 days after receiving notice from Amazon. In case of Amazon's request, we commit to providing a written certification affirming the secure destruction of all Information.
We will either store Information in a dedicated database or, if we cannot do so, establish a mechanism to tag and identify the origin of all data within any database containing Information.
In line with our policy, we ensure compliance with the following additional Security Requirements for Personally Identifiable Information ("PII"). PII is accessed by Developers solely for specific tax and merchant fulfilled shipping purposes, recognized as essential. When an Amazon Services API includes PII or combines PII with non-PII, the entire data store adheres to the following requirements:
In accordance with our company policy, the retention of Personally Identifiable Information (PII) after order delivery will not extend beyond 30 days. This retention is exclusively for the purposes of (i) fulfilling orders, (ii) calculating and remitting taxes, (iii) generating tax invoices and other legally required documents, and (iv) meeting legal requirements, including tax or regulatory obligations. In instances where data retention beyond 30 days is required by law, our company is authorized to do so, solely for the purpose of complying with the specific legal requirement. As outlined in sections 1.5 ("Encryption in Transit") and 2.4 ("Encryption at Rest"), it is imperative that PII is neither transmitted nor stored without adequate protection at any given point.
We are committed to creating, documenting, and adhering to a privacy and data handling and classification policy for our Applications or services. This policy document dictates the appropriate conduct and technical controls necessary to manage and safeguard our information assets. To ensure accountability and compliance with regulations, we maintain a record of data processing activities, outlining how specific data fields are collected, processed, stored, used, shared, and disposed of, especially concerning Personally Identifiable Information (PII).
Our company has established a process to identify and comply with privacy and security laws and regulatory requirements relevant to our business. We retain documented evidence to demonstrate our compliance. Additionally, we have implemented and adhere to a privacy policy governing customer consent and data rights, allowing them access, rectification, erasure, or the cessation of sharing/processing of their information as applicable or required by data privacy regulations.
To assist Authorized Users with data subject access requests, our company has implemented both technical and organizational processes and systems. Furthermore, we incorporate contractual provisions in employment contracts with employees who handle PII, ensuring the confidentiality of such information.
In line with our company practices, we uphold a baseline standard configuration for our information system. We maintain an inventory of software and physical assets, such as computers and mobile devices, that have access to Personally Identifiable Information (PII), and this inventory is updated on a quarterly basis. All physical assets handling PII must comply with the requirements outlined in this policy.
As part of our company's approach, we refrain from storing PII in removable media, personal devices, or unsecured public cloud applications (e.g., public links via Google Drive) unless encryption is applied, using at least AES-128 or RSA with 2048-bit keys or higher. Disposal of any printed documents containing PII is conducted securely.
Furthermore, our company has implemented data loss prevention (DLP) controls to monitor and detect any unauthorized movement of data, ensuring the protection and security of sensitive information.
We ensure that all Personally Identifiable Information (PII) is encrypted at rest, employing a minimum of AES-128 or RSA with a 2048-bit key size or higher. The cryptographic materials, including encryption/decryption keys, and cryptographic capabilities, such as daemons implementing virtual Trusted Platform Modules and providing encryption/decryption APIs, used for encrypting PII at rest are strictly accessible only to our company's processes and services.
It is strictly prohibited to hardcode sensitive credentials, such as encryption keys, secret access keys, or passwords, within code. Additionally, these sensitive credentials must not be exposed in public code repositories. Our developers adhere to the practice of maintaining distinct test and production environments for enhanced security and proper management of sensitive information.
In our company, developers establish a robust logging system to detect security-related events across Applications and systems. This includes tracking the success or failure of events, date and time, access attempts, data changes, and system errors. The logging mechanism is implemented across all channels providing access to Information, such as service APIs, storage-layer APIs, and administrative dashboards.
Logs are regularly reviewed. Access controls are enforced to prevent unauthorized access and tampering throughout the entire lifecycle of the logs. PII is not included in logs unless necessary to meet legal requirements.
Logs are retained for a minimum of 90 days, unless specified otherwise by applicable law, for reference in case of a Security Incident. Developers implement mechanisms to monitor logs and system activities, triggering investigative alarms for suspicious actions, such as multiple unauthorized calls, unexpected request rates, data retrieval volume, and access to canary data records.
Monitoring alarms and processes are in place to detect any extraction or presence of Information beyond its protected boundaries. In the event of triggered monitoring alarms, developers conduct investigations, with documented procedures outlined in the Developer's Incident Response Plan.
In our company, it is our policy for developers to establish and uphold a plan and/or runbook for the detection and remediation of vulnerabilities. Physical hardware housing Personally Identifiable Information (PII) must be shielded from technical vulnerabilities through regular vulnerability scans and appropriate remediation. Vulnerability scanning is conducted at least every 180 days, penetration testing occurs at least every 365 days, and code is scanned for vulnerabilities before each release.
Additionally, developers exercise control over changes to storage hardware by implementing testing, verification, approval processes, and restricting access to authorized personnel. Adequate procedures and plans are in place to promptly restore availability and access to PII in the event of a physical or technical incident.
As a company, we must maintain all necessary books and records for validating adherence to the Acceptable Use Policy, Data Protection Policy, and Amazon Services API Developer Agreement throughout the agreement period and for 12 months thereafter. Upon a written request from Amazon, our company must provide written certification of compliance with these policies.
Amazon, or an independent certified public accounting firm chosen by Amazon, may conduct audits, assessments, and inspections of books, records, facilities, operations, and system security related to our company's Application in Information retrieval, storage, or processing upon request. Any non-public information disclosed during this process is treated confidentially by Amazon. Our company is expected to cooperate during these audits or assessments, which may occur at our or subcontractor facilities. In case of identified deficiencies or breaches, our company must take necessary actions at our own expense to rectify them within an agreed-upon timeframe. Remediation evidence must be provided upon request, and approval from Amazon is required before closing the audit.