Amazon Data Protection Policy

This policy is written to ensure that MOAJ is compliant with the Amazon policies below and governs the collection, processing, storage, usage, and disposal of Amazon data obtained for the use of clients from the Amazon Marketplace Web Service APIs:

• Acceptable Use Policy (effective January 1, 2021)
• Data Protection Policy (effective January 1, 2021)
• General security requirements

General Security Requirements

Consistent with industry-leading security standards and other requirements specified by Amazon based on the classification and sensitivity of Amazon Information, MOAJ maintains physical, administrative, and technical safeguards, and other security measures:

• To maintain the security and confidentiality of Amazon Information accessed, collected, used, stored, or transmitted by MOAJ.
• To protect that information from known or reasonably anticipated threats or hazards to its security and integrity, accidental loss, alteration, disclosure, and all other unlawful forms of processing.

Network Protection

All MOAJ servers implement network protection controls including network firewalls. Public access is restricted to authorized users.

Access Management

Access to Amazon information is strictly limited to users who require access to perform specific required tasks. Access is limited to only required data where possible.

• All users are unique with no shared logins, and 2-Factor Authentication is in operation.
• Access is logged and monitored.
• Employees must request access and provide a reason when accessing Amazon data.
• Access permissions are revoked immediately upon leaving the company.
• No Amazon data is allowed to be stored on removable devices, except anonymized data such as overall sales figures.

Encryption in Transit

All data in transit is encrypted using HTTPS on MOAJ systems as data traverses the network.

Incident Response Plan

MOAJ has an incident response plan to deal with interruptions or degradation of services. In the case of a data breach involving Amazon data, the Chief Technical Officer and Chief Executive Officer will be notified, and the incident response team will address the issue according to established protocols.

Request for Deletion or Return

Within 72 hours of Amazon's request, MOAJ will permanently and securely delete or return Amazon Information in accordance with Amazon's notice.

Additional Security Requirements for PII

Data Retention and Recovery

Amazon PII is stored for managing client orders and is removed no more than 30 days after the fulfillment of an order.

Data Governance

MOAJ has an asset management policy defining how assets are maintained and reviewed every six months.

Encryption and Storage

All PII is encrypted at rest using AES-256 encryption. Cryptographic materials are only accessible to MOAJ system processes and services.

Least Privilege Principle

Access is provided to developers and employees on a need-to-know basis using fine-grained access controls.