Security & governance

Data Policy

The following controls outline how IYLIN manages partner data, protects access, and responds to operational risk.

SP-API Use Case for Amazon Selling Partners

  • We access Amazon Selling Partner data solely to provide authorized services: order management, inventory sync, listing automation, and financial reconciliation.
  • Data is processed only as necessary to fulfill the contracted service scope.
  • We do not share Amazon Selling Partner data with unauthorized third parties.
  • We do not use Amazon data to build competing products or services.
  • We do not use Amazon data for competitor analysis, resale, or secondary purposes beyond authorized service delivery.

Scope & Purpose Limitation

  • Data collected is limited to what is necessary for service delivery.
  • Processing purposes are defined in the service agreement and not exceeded.
  • Data is not repurposed without explicit consent or legal basis.

Access Management

  • Access to Selling Partner data is restricted to authorized personnel only.
  • Role-based access controls (RBAC) are enforced across all systems.
  • Access logs are maintained and reviewed regularly.
  • Multi-factor authentication (MFA) is required for all privileged access.

Credential & Key Management

  • API credentials and keys are stored in encrypted vaults (e.g., AWS Secrets Manager).
  • Credentials are rotated on a defined schedule and immediately upon suspected compromise.
  • No credentials are stored in source code, logs, or unencrypted configuration files.

Encryption & Transport

  • All data in transit is encrypted using TLS 1.2 or higher.
  • Data at rest is encrypted using AES-256 or equivalent standards.
  • Encryption keys are managed separately from encrypted data.

Logging & Monitoring

  • All access to Selling Partner data is logged with timestamps, user IDs, and actions.
  • Logs are retained for a minimum of 90 days and protected from tampering.
  • Automated alerts are configured for anomalous access patterns.

Vulnerability Management

  • Regular vulnerability scans and penetration tests are conducted.
  • Critical vulnerabilities are patched within 30 days of discovery.
  • Dependencies are monitored for known CVEs using automated tooling.

Retention & Deletion

  • Selling Partner data is retained only for the duration required to deliver the service.
  • Upon contract termination, data is securely deleted within 30 days.
  • Deletion procedures are documented and verifiable upon request.

Incident Response

  • Designated Incident Management Point of Contact (IMPOC).
  • Defined escalation and containment procedures.
  • Post-incident review and corrective actions.
  • If the incident involves Amazon Information, we will notify Amazon without undue delay via security@amazon.com.

Third Parties & Backups

  • Third-party service providers are vetted for security compliance before data sharing.
  • Data processing agreements (DPAs) are in place with all sub-processors.
  • Backups are encrypted and stored in geographically separate locations.
  • Backup restoration is tested quarterly.

Data Loss Prevention

  • DLP policies are enforced to prevent unauthorized data exfiltration.
  • Endpoint controls restrict copying of sensitive data to unauthorized devices.
  • Network egress monitoring detects and blocks suspicious data transfers.

Transparency & Rights

  • Selling Partners may request a summary of data held about them at any time.
  • Data correction and deletion requests are processed within 30 days.
  • This policy is reviewed and updated at least annually.