This document requests information about the developer's data security and privacy practices. It asks about policies, procedures, tools and documentation related to access management, encryption, incident response, data deletion, governance, storage, monitoring and more. The developer provides links to their privacy policy and several internal documentation drafts and procedures related to data security and retention. They also describe some security tools used and state that merchant IDs and previous assessment reports are not available.

1. Version 1
1 Acceptable Use
1.1 Do you use Personally Identifiable Information (PII) for any purpose other than Shipping
labels and/or tax purposes? If so, please list additional use cases and explain them (e.g.
customer profiles, marketing, buyer communication).
1.2 Please list any subsidiaries or additional beneficiaries (e.g. additional business units,
customers, vendors, other third-party solutions) that obtain access to Amazon MWS data due to
your use as a Developer (other than application users).
1.3 Do you retrieve Amazon.com data from non-Amazon MWS sources? If yes, please specify
the type of data and its source.
2 Network Protections
2.1 How is your infrastructure hosted (e.g. on-premise, AWS, non-Amazon cloud solution)?
2.2 How do you restrict network-level access to your infrastructure (web servers, database
servers, endpoints, etc)?
2.3 Do you restrict public access to your database/file servers and desktop/developer endpoints?
If so, how?
3 Access Management
3.1 Please describe your access management practices.
3.2 Have you assigned a unique ID (for logging and accountability) to each employee who has
access to Amazon Information?
3.3 How often do you review (and baseline) access to Amazon Information?

2. 3.4 Do you have a lockout mechanism in place when a malicious activity or log-in attempt is
detected?
3.5 Do you keep an inventory of asset hardware and software that stores Amazon information?
3.6 Do you allow employees to store Amazon data on personal devices?
3.7 Do your access controls divide data access between PII and non-PII access?
4 Encryption in Transit
4.1 Are you encrypting all data-in-transit for all internal and external endpoints? Please specify
any data transfers, internal or external, which are not encrypted.
5 Incident Response Plan
5.1 "How does your incident response plan address:
1. What to do in case your servers/databases are hacked?
2. What to do in case an unauthorized access to customer data is detected?
3. Who to contact in case of an incident and what steps to follow?
4. What to do in case your servers leaked Amazon Information?
5. How to reach out to Amazon to inform them of the incident?"
6 Request for Deletion or Return
6.1 In case of Amazon's request for data deletion or return, do you have a mechanism in place
to destroy Amazon-provided data?
6.2 In case of request, how soon will you be able to destroy Amazon-provided data?
7 Data Governance

3. 7.1 Do you have an external Privacy policy? If "Yes," please provide the URL to your external
Privacy policy.
8 Encryption and Storage
8.1 Are you encrypting all data-at-rest, including data backups?
8.2 What protocol are you using to encrypt data-at-rest?
9 Least Privilege Principle
9.1 How does your organization follow the principle of least privilege to ensure that access to
PII is granted on a "need-to-know" basis?
10 Logging and Monitoring
10.1 How are you generating logs?
10.2 Are you logging security-related events (like access and authorization events, intrusion
attempts, configuration changes, etc.)?
10.3 Are you storing PII in logs?
10.4 Do you have mechanisms in place to monitor the logs and trigger alarms in case of
malicious activity?

4. Version 2
Cyber
General
1. Do you have a defined Organization Chart
2. Do you have a defined Data/ Business Process Flow Diagram
3. Please provide your Merchant ID Log
4. Please share (if available) any previous Assessment Reports (SOC 1/2 Type 2 / other
Certification Reports such as SOC, HIPAA, PCI-DSS etc.)
Cyber - Data Security
C5. Do you have a defined Data/ Business Process Flow Diagram
C55. Please share (if available) any previous Assessment Reports (SOC 1/2 Type 2 /
other Certification Reports such as SOC, HIPAA, PCI-DSS etc.)
Cyber - Information security policies
C9. Do you have an Access Control Policy or Standard
C11. Do you have an Audit & Event Logging Policies or Standards
Data breach is in breach policy below
https://docs.google.com/document/d/1EgO-GijbuSwp-j_r0yEi3TNK-Y-60MqwYHv
hM2OCOmk/edit?usp=sharing - data breach log - here is how we keep breaches.
C13. Do you have an Asset Lifecycle Management Policy
C15. Do you have a Data Encryption Policy or Standard
C17. Do you have a Data Protection and Privacy policy
- https://sellbery.com/legal-docs/privacy-policy - privacy policy;
- https://docs.google.com/document/d/1X6MEUm3Uz5fiNo72V-_h_Zz-yO-u5HZ-al
51r4LhnIk/edit?usp=sharing
C19. Do you have a Data Classification Policy
https://sellbery.com/legal-docs/privacy-policy - Personal data in our privacy policy
Confidential - in information security policy
C21. IDo you have an Information Security Policy and/or Standard
- https://docs.google.com/document/d/1X6MEUm3Uz5fiNo72V-_h_Zz-yO-u5HZ-al
51r4LhnIk/edit?usp=sharing
C23. Do you have a Password Management Policy

5. C25. Do you have a Anti-Malware Policy or procedures
C27. Do you have a Cloud Security Policy and Associated Standards
C29. Do you have a Configuration Management Policy
C31. Do you have a Data Destruction and Retention Policy
- https://docs.google.com/document/d/1Kdb3pJ1n0fX2d_wimd-G-S6QkSXXT1Ueg
E5hzoic4Uc/edit?usp=sharing - Data retention policy draft
- https://docs.google.com/spreadsheets/d/1_ImqwEfLB2dkzC7TYSGBUZ1KNYNI
MmNiTkuKNp0OrS8/edit#gid=86919022 - data retention matrix draft
C33. Do you have a Security Training and Awareness Policy and Content Information
C35. Do you have a Risk Management Policy and procedure
C37. Do you have a Software Development Policy or Standard
C39. Do you have a Network Security Policy
C41. Do you have a Third Party Risk Management Policy
C43. Do you have a Vulnerability Management Policy
C45. Do you have a Data Backup and Restoration Policy
C47. Do you have a Incident Management Policy
https://docs.google.com/document/d/1EgO-GijbuSwp-j_r0yEi3TNK-Y-60MqwYHv
hM2OCOmk/edit?usp=sharing - data breach policy - how we act
https://docs.google.com/document/d/1EgO-GijbuSwp-j_r0yEi3TNK-Y-60MqwYHv
hM2OCOmk/edit?usp=sharing - data breach log - here is how we keep breaches.
C49. Do you have a Mobile computing and mobile devices including BYOD (Bring Your
Own Device) Policy
C51. Do you have a Remote Access Policy
Cyber - Data Security
C53. Do you have a Data Handling Procedures for Amazon Data
C57. Please provide a description of any security tools utilized (Anti-virus, IDS, Logging
tools etc.)
C59. Do you have a Network Architecture Diagrams
C61. Please describe your IT Change Management Plans or Procedures
C63. Do you have a Baseline Configuration documentation or checklist
C65. Please provide your Data Disposal Procedures and Logs
C67. Do you have a Information Classification Scheme and Information Asset
Classification Procedure
C69. Do you have a Patch Management Procedures
C71. Do you have a Removable Media Handling Procedure
C73. Please provide a list of any additional open source library dependencies or 3rd
party tools