This Data Protection Policy ("DPP") governs the treatment (e.g., receipt, storage, usage, transfer, and disposition) of the data collected and retrieved by channelpromanager.com (Channel Pro Manager).
"Amazon Information" means seller-authorized data made available to Channel Pro Manager through the Amazon Selling Partner API in connection with the seller's own Amazon account. This data is used solely to support internal order processing, inventory management, and fulfillment workflows. Channel Pro Manager does not aggregate Amazon data, does not resell Amazon data, and does not access Amazon public-facing websites or scrape Seller Central.
"Customer" means an individual whose information is included in a seller-authorized Amazon order and is accessed solely for the purpose of fulfilling that order.
"Personally Identifiable Information" ("PII") means information that can be used on its own or with other information to identify, contact, or locate an individual or to identify an individual in context. This includes, but is not limited to, a Customer or Seller's name, address, e-mail address, phone number, gift message content, survey responses, payment details, purchases, cookies, digital fingerprint (e.g., browser, user device), IP Address, geo-location, or Internet-connected device product identifier.
"Security Incident" means any actual or suspected unauthorized access, collection, acquisition, use, transmission, disclosure, corruption, or loss of Amazon Information, or breach of any environment containing Amazon Information, or managed by Channel Pro Manager with controls substantially similar to those protecting Amazon Information.
"Seller" means any person or entity selling on Amazon's public-facing websites.
"Channel Pro Manager" means the company that owns channelpromanager.com, or its managers, or the services depending on context.
1. Data Retention and Recovery. Channel Pro Manager retains Customer PII only for as long as necessary to fulfill seller-authorized orders. Customer PII is automatically deleted within 30 days after order shipment or completion. Application logs do not contain PII and are retained separately for security monitoring purposes only.
2. Data Governance. Channel Pro Manager's privacy and data handling policy governs the appropriate conduct and technical controls that are applied in managing and protecting information assets. Channel Pro Manager keeps an inventory of software and physical assets (e.g., computers, mobile devices) with access to PII, and updates it regularly. A record of data processing activities, such as specific data fields and how they are collected, processed, stored, used, shared, and disposed of for all PII, should be maintained to establish accountability and compliance with regulations. In accordance with the privacy policy, Channel Pro Manager can rectify, erase, or stop sharing/processing the customers' information where applicable.
3. Encryption and Storage. All PII is encrypted at rest using industry best practice standards (AES-128, AES-256, or RSA with 2048-bit key size or higher); the standard used depends on the particular server configuration. The cryptographic materials (e.g., encryption/decryption keys) and cryptographic capabilities used for encryption of PII at rest are only accessible to the processes and services. PII is not stored in removable media (e.g., USB) or unsecured public cloud applications (e.g., public links made available through Google Drive). Any printed documents containing PII should be securely disposed of. Channel Pro Manager implements a Key Management System (KMS) covering the complete key lifecycle including key generation, secure storage, key rotation (at least annually), and key revocation.
4. Least Privilege Principle. Channel Pro Manager has implemented fine-grained access control mechanisms to allow granting rights to any party using the Application (e.g., access to a specific set of data at its custody) and the Application's operators (e.g., access to specific configuration and maintenance APIs such as kill switches) following the principle of least privilege. Application sections or features that vend PII must be protected under a unique access role, and access should be granted on a "need-to-know" basis.
5. Logging and Monitoring. Channel Pro Manager gathers logs to detect security-related events (e.g., access and authorization, intrusion attempts, configuration changes) to the Application and systems. Channel Pro Manager implements this logging mechanism on all channels (e.g., service APIs, storage-layer APIs, administrative dashboards) providing access to Amazon Information. All logs must have access controls to prevent any unauthorized access and tampering throughout their lifecycle. Logs track success/failure of events, date and time, access attempts, data changes, and system errors. Logs themselves should not contain PII and must be retained for at least 12 months for reference in the case of a Security Incident. Logs are reviewed in real-time using automated monitoring tools (e.g., SIEM) and bi-weekly manual reviews are conducted. Channel Pro Manager has mechanisms to monitor the logs and all system activities to trigger investigative alarms on suspicious actions (e.g., multiple unauthorized calls, unexpected request rate and data retrieval volume, and access to canary data records). Channel Pro Manager should perform investigation when monitoring alarms are triggered, and this should be documented in the Incident Response Plan. Channel Pro Manager monitors for data exfiltration beyond protected boundaries and monitors the Dark Web for unauthorized exposure of Amazon Information.
6. Network Protection. Channel Pro Manager has implemented network protection controls including network firewalls and access control lists (ACLs) to deny access to unauthorized IP addresses. Network segmentation isolates production, staging, and development environments. Intrusion detection and prevention systems (IDS/IPS) are deployed to identify and block malicious network activity using defense-in-depth methods. Anti-virus and anti-malware tools are deployed on all systems, updated at least monthly, and cannot be disabled by employees. Public access is restricted only to Approved Users who have completed data protection and IT security awareness training on at least an annual basis. Channel Pro Manager maintains secure coding practices across all development activities.
7. Access Management. Channel Pro Manager assigns a unique ID to each person with computer access to Amazon Information. Persons with access to data don't create or use generic, shared, or default login credentials or user accounts. Multi-Factor Authentication (MFA) using TOTP is enforced on all accounts with access to Amazon Information. Channel Pro Manager reviews the list of people and services with access to Amazon Information on a regular basis (at least quarterly), and removes accounts that no longer require access. Access for terminated employees is disabled within 24 hours. Channel Pro Manager restricts employees from storing Amazon data on personal devices. Channel Pro Manager maintains and enforces "account lockout" by detecting anomalous usage patterns and log-in attempts, and disabling accounts after 10 or fewer unsuccessful login attempts.
8. Encryption in Transit. Channel Pro Manager encrypts all Amazon Information in transit (e.g., when the data traverses a network, or is otherwise sent between hosts). This is accomplished using TLS 1.2 or higher (HTTPS), SFTP, and SSH-2. Channel Pro Manager enforces this security control on all applicable external endpoints used by customers as well as internal communication channels (e.g., data propagation channels among storage layer nodes, connections to external dependencies) and operational tooling. Channel Pro Manager disables communication channels which do not provide encryption in transit even if unused (e.g., removing the related dead code, configuring dependencies only with encrypted channels, and restricting access credentials to use of encrypted channels). Channel Pro Manager uses data message-level encryption where channel encryption (e.g., using TLS) terminates in untrusted multi-tenant hardware (e.g., untrusted proxies).
9. Incident Response Plan. Channel Pro Manager has and maintains a plan to detect and handle Security Incidents. Such plan identifies the incident response roles and responsibilities, defines incident types that may impact Amazon, defines incident response procedures for defined incident types, and defines an escalation path and procedures to escalate Security Incidents to Amazon. Channel Pro Manager reviews and verifies the plan every six (6) months and after any major infrastructure or system change. Channel Pro Manager investigates each Security Incident and documents the incident description, remediation actions, and associated corrective process/system controls implemented to prevent future recurrence. Channel Pro Manager will inform Amazon within 24 hours of detecting any Security Incidents. Channel Pro Manager maintains chain of custody for all evidence and records collected during incident investigation. All investigation documentation is made available to Amazon upon request. An Incident Management Point of Contact (IMPOC) is designated to be reached in the event of any security incident.
10. Request for Deletion or Return. Channel Pro Manager, within no more than 30 days after Amazon's request, permanently and securely deletes (in accordance with industry-standard sanitization processes, e.g., NIST 800-88) or returns Amazon Information upon and in accordance with Amazon's notice requiring deletion and/or return. Channel Pro Manager also permanently and securely deletes all live (online or network accessible) instances of Amazon Information within 90 days after Amazon's notice. Non-PII Amazon Information is deleted within 18 months unless longer retention is required by applicable laws. Channel Pro Manager provides written certification of destruction upon Amazon's request.