This Data Protection Policy ("ADPP") governs the management of data accessed via the Amazon Services API (including the Marketplace Web Service API) at VCM Performance Pty Ltd ("The Company"). This policy applies to all systems that store, handle, or process data obtained from the Amazon Services API.
1. General Security Requirements
VCM Performance commits to maintaining robust physical, administrative, and technical safeguards to:
- Ensure the security and confidentiality of Amazon Information.
- Protect against anticipated threats, accidental loss, alteration, unauthorised disclosure, or any unlawful processing.
1.1 Network Protection
- Implementation of network firewalls and access control lists to block unauthorised IP addresses.
- Anti-virus and anti-malware defences on all endpoints.
- Public-facing access is restricted to approved users only.
1.2 Access Management
- Unique ID assignments for each user with data access.
- Prohibition of generic, shared, or default credentials.
- Regular reviews and necessary deactivation of outdated user access.
- Enforcement of device policies to prevent storage of data on personal devices.
1.3 Least Privilege Principle
- Access rights are granted based on the principle of least privilege, necessary for the specific roles of application users and operators.
1.4 Password Management
- Strong password policies requiring a mix of characters, regular updates, and secure storage practices.
1.5 Encryption in Transit
- Mandatory encryption of data in transit using TLS 1.2 or higher, SFTP, or SSH-2, with endpoints secured accordingly.
1.6 Incident Response Plan
- A structured incident response plan covering detection, handling, and notification of Amazon within 24 hours of becoming aware of an incident.
1.7 Request for Deletion or Return
- Compliance with Amazon's directives to securely delete or return data within 72 hours of request, adhering to NIST 800-88 guidelines for data sanitisation.
2. Additional Security Requirements for Personally Identifiable Information (PII)
2.1 Data Retention
- PII is retained only as long as necessary for order fulfilment, tax calculations, or legal obligations, and for no more than 30 days after delivery.
2.2 Data Governance
- Strict data handling and privacy policies govern the protection and use of PII, ensuring compliance with applicable privacy laws.
2.3 Asset Management
- Detailed asset management of devices and systems handling PII, with regular updates and secure disposal practices.
2.4 Encryption at Rest
- PII encrypted at rest using AES-128 or RSA-2048, with strict access controls.
2.5 Secure Coding Practices
- Adherence to secure coding standards, avoiding hardcoding of sensitive data, and separation of development and production environments.
2.6 Logging and Monitoring
- Comprehensive logging of security-relevant data, with stringent access control and regular monitoring to identify and react to security incidents.
2.7 Vulnerability Management
- Regular vulnerability assessments and remediation practices to protect data and infrastructure integrity.
3. Audit and Assessment
- Maintenance of records and cooperation with Amazon or designated auditors to verify compliance with this ADPP and the Developer Agreement.
4. Definitions
- Definitions clarify terms such as "Amazon Services API", "PII", and "Security Incident" to ensure a clear understanding of the policy scope.