Amazon Data Handling & Data Protection Policy (Selling Partner API)

Publisher: Octuno
Last updated: 2026-01-14
Applies to: All Octuno systems and workflows that retrieve, store, process, transmit, or dispose of data accessed through Amazon Selling Partner API (SP-API) and related Amazon Services APIs.

This page describes how we collect, process, store, use, share, and dispose of Amazon Information (including any Personally Identifiable Information – PII) in alignment with Amazon requirements (Data Protection Policy, Acceptable Use Policy, and Solution Provider Portal Agreement).

1) Definitions used on this page

  • Amazon Information: Any information exposed through Amazon Services APIs (including SP-API), Amazon portals, or Amazon public-facing websites, whether public or non-public, including PII.
  • PII: Information that can identify or contact an Amazon Customer or Authorized User (e.g., name, address, email, phone, IP address, device identifiers, etc.).
  • Authorized User: An Amazon seller/vendor authorized to use Amazon systems/services who has authorized our application via Amazon's prescribed third-party authorization.
  • Security Incident: Any actual or suspected unauthorized access, collection, acquisition, use, transmission, disclosure, corruption, or loss of Amazon Information, or breach of any environment containing it.
  • Live copies: Online or network-accessible instances of Amazon Information (e.g., production databases, caches, search indexes).

2) Purpose and permitted use

We access and process Amazon Information only to support an Authorized User's business operations within permitted use of Amazon APIs.

We do not access, use, share, or disclose Amazon Information for any purpose other than delivering or operating the Authorized User's enabled Octuno features, except where required by applicable law.

3) What we collect (data minimization)

We request and retrieve only the minimum Amazon Information required to provide enabled functionality, such as:

  • Orders and order status (including FBM/MFN where shipping workflows apply)
  • Shipment-related data needed to create labels / confirm shipments
  • Inventory and stock data (including FBA inventory context)
  • FBA inbound shipment planning/management data (where enabled)
  • Listing/product content fields (where enabled)
  • Operational identifiers needed to link records to the correct seller account and marketplace

We do not request access to Amazon Information that is not necessary for the requested features.

4) Why we collect and how we use it (feature purposes)

Octuno provides ERP functionality focused on Amazon and other marketplaces. For Amazon-connected accounts, we may use Amazon Information for:

  • Order synchronization and statistical order tracking used for forecasting/analysis
  • Inventory management and restock forecasting (including FBA limits where applicable)
  • FBM/MFN shipping operations (label creation, tracking, shipment confirmation)
  • FBA inbound shipment planning and management through API integration
  • Profitability and operational calculations tied to catalog/order/shipment workflows
  • Product texts management, including optional AI-assisted generation for listing content

5) Authorization and credential rules (strict)

5.1 Access method

We access Amazon Information only through Amazon-prescribed third-party authorization.

5.2 No collection of Portal credentials or access keys

We never request, accept, or store:

  • Seller Central or Vendor Central usernames/passwords
  • Any Authorized User's access keys
  • Any other Solution Provider's access keys

Where portal access is needed for a legitimate workflow, we rely on Amazon-supported access methods (e.g., secondary user permissions) rather than credential sharing.

5.3 Key usage discipline

We apply for and maintain only the access keys necessary for the enabled functionality and operate in a way consistent with Amazon's key baselining expectations (including maintaining ongoing successful API activity where required).

6) PII rules (strict limitation + documentation)

6.1 Permitted PII purposes

We process Amazon Customer PII only when strictly required for:

  • Merchant-fulfilled shipping (MFN/FBM) workflows (e.g., label generation and shipment confirmation), and/or
  • Legal / tax / regulatory requirements, where applicable

6.2 Prohibited PII purposes

We do not use Amazon Customer PII for:

  • Marketing targeting
  • Review fabrication, review manipulation, or similar prohibited activity
  • Any purpose outside permitted shipping/legal requirements

Where PII processing is required for a feature, we document the need for that processing within our product/service context for Authorized Users.

7) Data retention and deletion

7.1 PII retention (hard limit)

We retain Amazon Customer PII for no longer than 30 days after order delivery and only as long as necessary for permitted purposes (merchant-fulfilled shipping and/or legal requirements). Where operationally feasible, PII is deleted earlier (e.g., within 30 days after shipment confirmation). If retention beyond 30 days is required by law, we retain only what is required and only for that legal purpose.

7.2 Deletion upon Amazon request and required timelines

Upon Amazon notice requiring deletion, we permanently and securely delete Amazon Information within Amazon's required timelines, including:

  • Secure deletion within 30 days of Amazon's request (unless legally required to retain)
  • Permanent deletion of all live (online or network-accessible) copies of Amazon Information within 90 days of Amazon's notice, where applicable under Amazon requirements

7.3 Non-PII retention

We do not retain non-PII Amazon Information beyond the period required for operational needs and Amazon requirements (including deletion within 18 months unless a longer period is required by law).

7.4 Secure deletion standard

Secure deletion follows industry-standard sanitization processes such as NIST 800-88.

8) Data attribution and separation

We store Amazon Information in a separate datastore or apply tagging/attribution mechanisms so the origin of Amazon Information is identifiable within any datastore. This supports traceability, access control, deletion obligations, and auditability.

9) Security controls

9.1 Network protection

We restrict public access to databases, file servers, and desktop/developer endpoints with:

  • Network firewalls and network access control lists (ACLs) to deny unauthorized IP addresses
  • Network segmentation
  • IDS/IPS defense-in-depth mechanisms to detect/prevent malicious behavior
  • Anti-virus and anti-malware controls on endpoints, updated at least monthly
  • Controls preventing users from disabling endpoint protection

Access to systems handling Amazon Information is restricted to approved internal users with coding/development responsibilities who complete data protection and IT security awareness training at least annually.

9.2 Access management and least privilege

We enforce:

  • A formal user access registration process and a unique ID per person
  • No generic/shared/default accounts and no account sharing
  • Least-privilege / need-to-know access controls
  • Baselining mechanisms to keep access limited to required accounts
  • Account lockout after 10 or fewer unsuccessful login attempts
  • Access reviews at least quarterly
  • Access removal within 24 hours for terminated employees

9.3 Credential and password management

For systems handling Amazon Information:

  • Password length: minimum 12 characters
  • Must not include any part of the user's name
  • Must include upper-case, lower-case, numbers, and special characters
  • Minimum password age: 1 day
  • Maximum password expiration: 365 days
  • Password history prevents reuse of the last 10 passwords
  • MFA is required for all user accounts
  • Amazon API keys are encrypted, access-limited to required personnel, and rotated at least once every 12 months

9.4 Encryption in transit

We encrypt Amazon Information in transit using secure protocols such as TLS 1.2+, SFTP, and SSH-2.

We disable non-encrypted channels even if unused; where TLS terminates on untrusted multi-tenant infrastructure, we apply message-level encryption.

9.5 Encryption at rest + key management

We encrypt PII (and any datastore containing PII) at rest using at least AES-128 or RSA-2048 (or stronger).

We implement a key management approach covering key lifecycle controls including generation, secure storage, rotation, and revocation. Cryptographic materials are accessible only to our services/processes that require them.

10) Personal devices, removable media, and DLP

We prohibit storing Amazon Information on personal devices or removable media (USB flash drives, external drives, phones). We also prohibit storing Amazon Information in unsecured public cloud sharing contexts (e.g., publicly accessible links).

We implement:

  • Technical restrictions to prevent unauthorized storage or transfer
  • Data Loss Prevention (DLP) controls to monitor and detect unauthorized movement of data
  • Automated alerting on suspicious access or extraction attempts

11) Logging, monitoring, and investigations

We gather logs for security-relevant events across all channels that access Amazon Information (service APIs, storage-layer APIs, and administrative dashboards), including:

  • Success/failure events
  • Date/time
  • Access attempts
  • Data changes
  • System errors

Controls include:

  • We log privileged/admin actions and configuration changes on production systems handling Amazon Information.
  • Access controls and tamper resistance throughout the log lifecycle.
  • Logs do not contain PII unless legally required.
  • We do not enable debug-level logging on production systems that handle Amazon customer data or traffic.
  • Log review in real-time (where applicable) or at least bi-weekly.
  • Retention for at least 12 months unless a longer period is required by law.
  • Monitoring alarms for suspicious activities (e.g., unexpected request rate, unusual data retrieval volume, multiple unauthorized calls, canary record access where used).

Investigations are documented within our incident response runbook.

12) Incident response and Amazon notification

We maintain a runbook to detect and handle Security Incidents, including:

  • Defined roles/responsibilities
  • Incident types affecting Amazon Information
  • Containment, eradication, recovery procedures
  • Documentation of incident description, remediation actions, and corrective controls to prevent recurrence
  • Evidence handling and chain-of-custody documentation (made available to Amazon upon request where applicable)

Amazon notification: We notify Amazon at security@amazon.com within 24 hours of detecting a Security Incident involving Amazon Information.

13) Backups, geo-separation, restore procedures (RTO/RPO)

We store encrypted backups/archives of Amazon Information in a geographically separated backup location. Backups are stored in an offline or non-interactive form (not intended for immediate/interactive use).

We maintain documented restore procedures including defined RTO/RPO targets and documented testing of restore processes.

14) Vulnerability management

We maintain a vulnerability management runbook and procedures, including:

  • Vulnerability scanning at least every 30 days
  • Penetration testing at least every 365 days
  • Code vulnerability scanning prior to each release

Remediation timelines:

  • Critical vulnerabilities remediated within 7 days
  • High-risk vulnerabilities remediated within 30 days of discovery

We track findings and remediation progress with documented evidence.

15) Secure coding and SDLC controls

We maintain secure coding practices, including:

  • No hardcoding of sensitive credentials (encryption keys, secret access keys, passwords)
  • No exposure of secrets in public code repositories
  • Separate test and production environments
  • Code review before deployment
  • Remediation of runtime issues through fixes and redeployment with documented corrective actions

16) Subcontractors / vendors / carriers (as applicable)

We share Amazon Information only as necessary to perform merchant-fulfilled shipping. Specifically, recipient shipping details are transmitted to shipping carriers (e.g., DHL) via API using the merchant's carrier account to generate labels and complete shipment confirmation. Only the minimum required fields are shared for this purpose.

If any infrastructure provider is involved, it acts only as a data processor under confidentiality and data protection obligations and cannot use Amazon Information for its own purposes.

If any subcontractor/vendor requires access to Amazon Information, we conduct third-party risk assessments at least annually before granting access and ensure written terms impose obligations at least as strict as ours.

17) Acceptable use commitments (AUP alignment)

We do not:

  • Circumvent throttling quotas or usage limits (including by creating multiple Solution Provider accounts within the same region)
  • Aggregate data across Authorized Users to sell/share with any parties
  • Provide or promote external data services that vend Amazon-derived data
  • Publish or share insights about Amazon's business for our own business purposes
  • Use Amazon Customer PII for marketing targeting or prohibited outreach

We design our application to respect per-Authorized User throttling quotas and monitor request rates and client-side errors.

If we suspect an Authorized User is using our service to violate their agreement with Amazon, we notify Amazon at spapi-abuse@amazon.com and block that user's access.

For SP-API support and organizational changes affecting our need for or use of Amazon Information, we contact Amazon via: https://developer.amazonservices.com/support

18) AI feature transparency

Where AI is used (e.g., AI text generation for product listing content):

  • We disclose AI use to Authorized Users
  • We apply integrity/validation checks to reduce risk of material impact from incorrect outputs, consistent with our quality obligations

We do not use Amazon Information or Amazon Materials to develop or improve machine learning models or large language models.

19) Data subject rights (DSAR) support

Where applicable under data privacy regulations, Octuno supports Authorized Users in responding to data subject requests (access, rectification, erasure, restriction/stop processing). Requests are handled through our support process. We verify the requester through the Authorized User context, locate relevant Amazon-origin data via source tagging or data attribution, execute the required action (e.g., export or deletion where permitted), and log completion. DSAR actions follow the same security controls and retention/deletion rules described in this policy.

20) Records of processing and Amazon data inventory

We maintain an internal record of processing activities for Amazon data processed by Octuno. This inventory documents the Amazon API operations used, the data fields collected (including PII classification), the purpose for processing, storage location, encryption controls, retention/deletion rules, and any approved sharing mechanisms where applicable. The inventory is updated when features or roles change.

21) Privileged access and remote access controls

Administrative and privileged access is granted on least privilege, requires MFA, and is logged. Privileged actions affecting systems handling Amazon Information are audit logged. Remote administrative access is restricted to approved accounts and controlled access paths. Direct access to environments containing Amazon Information from unmanaged personal devices is prohibited.

22) Customer support process and access model

Support requests are handled through a ticketing/CRM process. Support users are granted least-privilege access. Any access to Amazon Information for troubleshooting is controlled, logged, and reviewed, and is time-bound where feasible. Support never requests Seller Central/Vendor Central credentials or access keys.

23) Portal user permissions and employee/contractor disclosure

If our employees, agents, or contractors can process or access Amazon Information:

  • We clearly disclose this in our solution description and in this privacy/data-handling policy
  • Such personnel are managed via Portal user permissions where applicable and complete required verification
  • Access remains least-privilege and is reviewed at least quarterly

24) Asset destruction and secure disposal

Devices and media that may contain Amazon Information (or had access to PII) are disposed of using secure sanitization consistent with NIST 800-88, including secure wipe or physical destruction where appropriate. Disposal actions are recorded. Printed documents containing PII are securely destroyed.

25) Detection beyond protected boundaries (Dark Web Review)

We maintain monitoring and alerting to detect indications that Amazon Information may have been exposed beyond its protected boundaries (including signals consistent with dark web exposure). Alerts trigger investigation under our incident response runbook. If a Security Incident is confirmed, Amazon is notified within 24 hours as described above.

26) Contact

Support: support@octuno.io
Security / Incident contact (IMPOC): Arsen Ishakov, security@octuno.io