Amazon Data Protection Policy

This policy outlines how Dean Morris Cards Limited are compliant with Amazon policies that govern the collection, processing, storage, usage and disposal of Amazon data obtained from Amazon Marketplace Web Service APIs and platform.

This Data Protection Policy governs the treatment (receipt, storage, usage, transfer, and disposition) of all data vended and retrieved through Amazon Marketplace APIs (including the Marketplace Web Service APIs).

Definitions

"Application" refers to the Dean Morris Cards Limited software application as it interfaces with the Amazon Marketplace APIs.

"Amazon Information" means any information that is exposed by Amazon through the Marketplace APIs, Seller Central, or Amazon's public-facing websites. This data includes public, non-public, and Personally Identifiable Information about Amazon customers.

"Customer" means any person or entity who has purchased items or services from Amazon's public-facing websites.

"Personally Identifiable Information" (PII) means information that can be used on its own or with other information to identify, contact, or locate an individual or to identify an individual in context. This includes, but is not limited to, a Customer or Seller's name, address, e-mail address, phone number, gift message content, survey responses, payment details, purchases, cookies, digital fingerprint (browser, user device, etc.), IP address, geo-location, or Internet-connected device product identifier.

"Security Incident" means any actual or suspected unauthorised access, collection, acquisition, use, transmission, disclosure, corruption, or loss of Amazon Information, or breach of any environment (i) containing Amazon Information, or (ii) managed by Dean Morris Cards Limited with controls substantially similar to those protecting Amazon Information.

General Security Requirements

Consistent with industry-leading security standards and other requirements specified by Amazon based on the classification and sensitivity of Amazon Information, Dean Morris Cards maintain physical, administrative, and technical safeguards, and other security measures (i) to maintain the security and confidentiality of Amazon Information accessed, collected, used, stored, or transmitted by Dean Morris Cards, and (ii) to protect that information from known or reasonably anticipated threats or hazards to its security and integrity, accidental loss, alteration, disclosure, and all other unlawful forms of processing. Without limitation, Dean Morris Cards Limited will comply with the following requirements:

Network Protection

Dean Morris Cards servers and systems implement network protection controls, including network firewalls, to deny access to unauthorised IP addresses. Public access is restricted to approved users only.

Access Management

Access to Amazon Information is strictly limited to users who require it in order to perform specific required tasks, and is limited to only the required data. All users are assigned unique logins, with no shared logins. Access to Amazon Information is logged and monitored.

Access can be revoked at any time if required, and access is reviewed regularly (monthly). When a user leaves the company, their access and user permissions are immediately revoked.

No Amazon data is allowed to be stored on removable or personal devices. No PII is ever downloaded to devices.

Systems maintain and enforce "account lockout" by detecting suspicious activity such as multiple failed logins or a large number of requests. Account permissions are revoked immediately and the activity is investigated by IT and System Administrators.

Encryption in Transit

All data in transit is encrypted using HTTP over TLS (HTTPS) on Dean Morris Cards Limited systems, and endpoints only accept HTTPS connections. There are no instances of data in transit not being encrypted, even unused.

Incident Response Plan

Dean Morris Cards Limited maintains an incident response plan to deal with security incidents and with interruption to or degradation of services or systems.

The impact and urgency of incidents are assessed according to set criteria and appropriate staff are informed. The incident could be a support ticket that is resolved or escalated to the Information Systems Manager. If the incident is deemed to be High Priority or Importance, a Company Director is informed and an incident response team is formed.

Roles and responsibilities will be defined within the incident response team according to the exact requirements of the nature of the incident. All documentation relating to the incident is stored in the form of support logs and meeting minutes, to be made available later if requested by Amazon.

In the case of a breach of sensitive data or PII, including Amazon data, company Directors will be notified and the incident response team will be convened to triage, identify mitigations and remediation, and develop a communication plan to notify stakeholders. In the case of any Amazon data breach this includes emailing [email protected] within 24 hours of discovery. No regulatory authority, nor any customers, will be notified on behalf of Amazon unless Amazon specifically requests in writing that Dean Morris Cards Limited do so. These incident response plans are reviewed every 4 months, or sooner in the case of major platform changes.

Request for Deletion or Return

Within 72 hours of Amazon's request, Dean Morris Cards Limited will permanently and securely delete (in accordance with NIST 800-88 industry-standard sanitization processes) or return Amazon Information in accordance with Amazon's notice requiring deletion and/or return. Dean Morris Cards Limited will also permanently and securely delete all live (online or network accessible) instances of Amazon Information within 90 days after Amazon's notice. If requested by Amazon, Dean Morris Cards Limited will certify in writing that all Amazon Information has been securely destroyed.

Additional Security Requirements Specific to Personally Identifiable Information

The following additional Security Requirements are met for all Personally Identifiable Information ("PII"), including instances where PII is combined with non-PII:

Data Retention and Recovery

Amazon PII is stored by Dean Morris Cards Limited on privately hosted servers for the sole purpose of facilitating the management of client orders. Amazon PII is removed from Dean Morris Cards Limited's servers no more than 30 days after the fulfilment of an order. Cancelled orders may have PII removed earlier.

No Amazon PII data is stored in logs or other files.

Data Governance

Dean Morris Cards Limited has an asset management policy defining how software and physical assets are kept in an inventory and how this is updated as assets are reassigned or added. It also specifies procedures for data cleansing as assets are reassigned or removed from the inventory. This is reviewed every 6 months and a full asset inventory is performed. Dean Morris Cards Limited also has a publicly available privacy policy stating our compliance with all applicable data privacy regulations.

Encryption and Storage

All PII is encrypted at rest using industry-standard AES-256 encryption. No PII is allowed to be stored on external media or in unsecured cloud applications.

The cryptographic materials (e.g., encryption/decryption keys) and cryptographic capabilities used for encryption of PII at rest are only accessible to Dean Morris Cards Limited processes and services on our privately hosted server. It is prohibited to store PII on removable media (e.g., USB) or in unsecured public cloud applications. Dean Morris Cards Limited securely dispose of all printed materials through the 3rd party Simple Shredding service (certificates of shredding are available for review by Amazon if requested). Dean Morris Cards Limited policies strictly prohibit the printing of PII not required for order fulfilment (despatch labels).

Least Privilege Principle

Access is provided to developers and employees on a need-to-know basis, using fine-grained access controls to assign specific roles that minimise access based on the need to perform duties.

Logging and Monitoring

Dean Morris Cards systems logging includes access logs, authorisation attempts, and configuration changes. All logs have access controls to prevent unauthorised access and tampering. No PII is stored in any logs. Logs are retained for 6 months for reference in the case of a Security Incident.

Changes to source code are logged and recorded against specific individual developers.

API logs are stored in databases on our privately hosted dedicated server; no PII data is stored in these logs.

Unauthorised access or unexpected request rates are flagged, and suspicious activity is monitored by System Administrators, who will investigate as detailed in the Dean Morris Cards Incident Response Plan.

Audit

Dean Morris Cards Limited will, if requested, provide Amazon with all records that demonstrate compliance with the Acceptable Use Policy, Data Protection Policy, and Amazon Marketplace Developer Agreement during the period of our agreement with Amazon and for 12 months thereafter. Dean Morris Cards Limited will also co-operate fully with any auditor assigned by Amazon and allow them to inspect the books, records, facilities, operations, and security of all systems that are involved with Dean Morris Cards Limited's application in the retrieval, storage, or processing of Amazon Information. If the audit reveals deficiencies, breaches, and/or failures to comply with Amazon terms, conditions, or policies, Dean Morris Cards Limited will, at its sole cost and expense, take all actions necessary to remediate those deficiencies within an agreed-upon timeframe.