Data policy
This Data Protection Policy (“DPP”) governs the treatment (e.g., receipt, storage, usage, transfer, and disposition) of the data collected and retrieved by profitwiser.com (ProfitWiser).
Amazon Brand Analytics Data Protection:
We do not aggregate data about Authorized Users’ or Customers’ business received through the Amazon Services API for distribution or sale to third parties, including competing Authorized Users.
We do not promote, publish, or share insights about Amazon’s business. We do not use insights about Amazon’s business for our own business purposes.
Definitions
“Amazon Information” means any information that is exposed by Amazon through the Marketplace APIs, Seller Central, or Amazon’s public-facing websites. This data can be public or non-public, including Personally Identifiable Information about Amazon customers.
“Customer” means any person or entity who has purchased items or services from Amazon’s public-facing websites.
“Security Incident” means any actual or suspected unauthorized access, collection, acquisition, use, transmission, disclosure, corruption, or loss of Amazon Information, or breach of any environment containing Amazon Information, or managed by ProfitWiser with controls substantially similar to those protecting Amazon Information.
“Seller” means any person or entity selling on Amazon’s public-facing websites.
“ProfitWiser” means the company that owns ProfitWiser.com, or its managers, or the services depending on context.
ProfitWiser complies with the following requirements
- Data Governance. ProfitWiser’s privacy and data handling policy governs the appropriate conduct and technical controls that are applied in managing and protecting information assets.
- Least Privilege Principle. ProfitWiser has implemented fine-grained access control mechanisms to allow granting rights to any party using the Application (e.g., access to a specific set of data in its custody) and to the Application’s operators (e.g., access to specific configuration and maintenance APIs such as kill switches), following the principle of least privilege.
- Logging and Monitoring. ProfitWiser gathers logs to detect security-related events (e.g., access and authorization, intrusion attempts, configuration changes) affecting the Application and its systems. ProfitWiser implements this logging mechanism on all channels (e.g., service APIs, storage-layer APIs, administrative dashboards) that provide access to Amazon Information. All logs must have access controls to prevent unauthorized access and tampering throughout their lifecycle. Logs themselves do not contain PII and must be retained for at least 90 days for reference in the case of a Security Incident. ProfitWiser has mechanisms to monitor the logs and all system activities and to trigger investigative alarms on suspicious actions (e.g., multiple unauthorized calls, unexpected request rate and data retrieval volume, and access to canary data records). ProfitWiser should perform an investigation when monitoring alarms are triggered, and this procedure should be documented in the Incident Response Plan.
- Network Protection. ProfitWiser has implemented network protection controls to deny access from unauthorized IP addresses, and public access is restricted to approved users only.
- Encryption in Transit. ProfitWiser encrypts all Amazon Information in transit (e.g., when the data traverses a network, or is otherwise sent between hosts). This is accomplished using HTTP over TLS (HTTPS). ProfitWiser enforces this security control on all applicable external endpoints used by customers as well as internal communication channels (e.g., data propagation channels among storage layer nodes, connections to external dependencies) and operational tooling. ProfitWiser disables communication channels which do not provide encryption in transit even if unused (e.g., removing the related dead code, configuring dependencies only with encrypted channels, and restricting access credentials to use of encrypted channels). ProfitWiser uses data message-level encryption where channel encryption (e.g., using TLS) terminates in untrusted multi-tenant hardware (e.g., untrusted proxies).
- Incident Response Plan. ProfitWiser has and maintains a plan to detect and handle Security Incidents. The plan identifies the incident response roles and responsibilities, defines incident types that may impact Amazon, defines incident response procedures for the defined incident types, and defines an escalation path and procedures to escalate Security Incidents to Amazon. ProfitWiser reviews and verifies the plan every six (6) months and after any major infrastructure or system change. ProfitWiser investigates each Security Incident and documents the incident description, the remediation actions, and the associated corrective process/system controls implemented to prevent recurrence. ProfitWiser will inform Amazon within 24 hours of detecting any Security Incident.
- Request for Deletion or Return. ProfitWiser will, within no more than 72 hours of Amazon’s request, permanently and securely delete (in accordance with industry-standard sanitization processes, e.g., NIST 800-88) or return Amazon Information, upon and in accordance with Amazon’s notice requiring deletion and/or return. ProfitWiser also permanently and securely deletes all live (online or network accessible) instances of Amazon Information within 90 days after Amazon’s notice.