Data Protection Policy
Optimiseres E Consultancy Pvt. Ltd. — Data Protection Policy for Seller Insights App (SP-API). Effective date: YYYY-MM-DD
1. Purpose & scope
This policy describes how Optimiseres protects seller data accessed via Amazon SP-API, our security controls, encryption practices, access management, monitoring, and incident response. It applies to all personnel, contractors, and subprocessors who handle seller data.
2. Data classification
We classify data into:
- Seller-identifying data: Seller ID, store name, marketplace identifiers.
- Operational data: Reports (orders, inventory, fees), listings, ad reports.
- Secrets & credentials: Refresh tokens, client secrets, API keys.
Each class is handled with controls appropriate to its sensitivity; secrets receive the highest protection.
3. Encryption & key management
- All sensitive secrets (refresh tokens, client secrets) are encrypted at rest using strong AES-based encryption with keys managed by AWS KMS or an equivalent key management system.
- Encryption keys are rotated periodically and access to keys is strictly limited to authorized infrastructure roles.
- Data in transit is protected using TLS (HTTPS) for all endpoints and internal service-to-service communication.
4. Access control & authentication
- Role-based access control (RBAC) enforces least privilege for platform users and internal staff.
- Administrative access to production systems requires MFA and is logged for audit.
- Service-to-service credentials are rotated regularly and stored in a secrets manager (e.g., AWS Secrets Manager).
5. Data storage & retention
- Processed reports and exports are stored in Amazon S3 with bucket policies restricting public access.
- Database backups are encrypted and retained according to our retention schedule; default seller data retention after deactivation is 30 days unless otherwise requested.
- We implement procedures for timely deletion or anonymization of data upon verified customer requests.
6. Logging, monitoring & alerting
We collect and retain audit logs for authorization events, token exchanges, and report downloads. Logs are stored in a secure logging system (CloudWatch / ELK) with retention and access controls. Automated alerts notify ops teams of suspicious activity, high error rates, or token failures.
7. Network & infrastructure security
- Production services run in isolated VPCs with network ACLs and security groups to minimize exposure.
- Public endpoints are protected by HTTPS and rate-limiting; internal services use private subnets.
- Periodic vulnerability scanning and patching are performed on servers and container images.
8. Subprocessors & third parties
We use third-party infrastructure providers (AWS) and may engage subprocessors for hosting, analytics, or support. All subprocessors are contractually bound to process data only as directed, maintain confidentiality, and meet equivalent security standards.
9. Incident response & breach notification
- We maintain an incident response plan to contain, investigate, and remediate security incidents.
- In case of a breach affecting seller data, we will notify affected customers and Amazon per applicable legal timelines and provide details of remediation steps.
- Post-incident reviews are conducted to implement corrective actions and prevent recurrence.
10. Data subject rights & requests
Sellers can request access, correction, deletion, or portability of their data. Requests should be sent to contact_us@optimiseres.com. We verify the requestor's identity before fulfilling requests and respond within a reasonable timeframe consistent with applicable law.
11. Business continuity & backups
- Critical data is backed up regularly; backups are encrypted and stored in a separate AWS region where feasible.
- We maintain recovery procedures and periodically test backups and failover processes.
12. Audits, compliance & testing
We perform periodic security assessments, internal audits, and vulnerability testing. Where required, we engage third-party auditors to validate controls. Findings are tracked and remediated according to a risk-based plan.
13. Developer & operational responsibilities
- Developers follow secure coding practices and perform code reviews for security-sensitive changes.
- Operational runbooks exist for token rotation, emergency revocation, and routine maintenance.
- Production deployments follow CI/CD pipelines with approval gates and rollbacks.
Contact & governance
Optimiseres E Consultancy Pvt. Ltd.
1157, Sector-10, Panchkula, Haryana, 134109, India
Email: contact_us@optimiseres.com
Security & Compliance: support@optimiseres.com
For urgent security issues, include "SECURITY" in the subject line. Requests for data deletion or audits should include the Seller ID and primary contact email.
14. Policy review
This policy is reviewed annually or after any significant change in our systems or applicable law. The effective date at the top reflects the current version.