1 Acceptable Use
1.1 Do you use Personally Identifiable Information (PII) for any purpose other than shipping
labels and/or tax purposes? If so, please list the additional use cases and explain them (e.g.
customer profiles, marketing, buyer communication).
1.2 Please list any subsidiaries or additional beneficiaries (e.g. additional business units,
customers, vendors, other third-party solutions) that obtain access to Amazon MWS data due to
your use as a Developer (other than application users).
1.3 Do you retrieve Amazon.com data from non-Amazon MWS sources? If yes, please specify
the type of data and its source.
2 Network Protections
2.1 How is your infrastructure hosted (e.g. on-premise, AWS, non-Amazon cloud solution)?
2.2 How do you restrict network-level access to your infrastructure (web servers, database
servers, endpoints, etc.)?
2.3 Do you restrict public access to your database/file servers and desktop/developer endpoints?
If so, how?
3 Access Management
3.1 Please describe your access management practices.
3.2 Have you assigned a unique ID (for logging and accountability) to each employee who has
access to Amazon Information?
3.3 How often do you review (and baseline) access to Amazon Information?
3.4 Do you have a lockout mechanism in place when a malicious activity or log-in attempt is
detected?
3.5 Do you keep an inventory of the hardware and software assets that store Amazon Information?
3.6 Do you allow employees to store Amazon data on personal devices?
3.7 Do your access controls divide data access between PII and non-PII access?
4 Encryption in Transit
4.1 Are you encrypting all data-in-transit for all internal and external endpoints? Please specify
any data transfers, internal or external, which are not encrypted.
5 Incident Response Plan
5.1 How does your incident response plan address:
1. What to do in case your servers/databases are hacked?
2. What to do in case unauthorized access to customer data is detected?
3. Who to contact in case of an incident and what steps to follow?
4. What to do in case your servers leaked Amazon Information?
5. How to reach out to Amazon to inform them of the incident?
6 Request for Deletion or Return
6.1 In case of Amazon's request for data deletion or return, do you have a mechanism in place
to destroy Amazon-provided data?
6.2 In case of request, how soon will you be able to destroy Amazon-provided data?
7 Data Governance
7.1 Do you have an external Privacy policy? If "Yes," please provide the URL to your external
Privacy policy.
8 Encryption and Storage
8.1 Are you encrypting all data-at-rest, including data backups?
8.2 What protocol are you using to encrypt data-at-rest?
9 Least Privilege Principle
9.1 How does your organization follow the principle of least privilege to ensure that access to
PII is granted on a "need-to-know" basis?
10 Logging and Monitoring
10.1 How are you generating logs?
10.2 Are you logging security-related events (like access and authorization events, intrusion
attempts, configuration changes, etc.)?
10.3 Are you storing PII in logs?
10.4 Do you have mechanisms in place to monitor the logs and trigger alarms in case of
malicious activity?