"Amazon Information" means any information that is exposed by Amazon through the Marketplace APIs, Seller Central, or Amazon's public-facing websites. This data can be public or non-public, including Personally Identifiable Information about Amazon customers.
"Customer" means any person or entity who has purchased items or services from Amazon's public-facing websites.
"Seller" means any person or entity selling on Amazon's public-facing websites.
Ecomlink Business Solutions (referred to as “We” throughout this policy) is committed to protecting and respecting seller and customer privacy and keeping personal information secure. This policy applies to our websites, i.e., ecomlink.in, and to our associated websites, i.e., Evidhi.com, including our other sites you visit where this Privacy Policy is linked in the footer. All these websites are referred to as ‘our website’ in this policy.
This policy sets out:
Details of the personal information that we may collect from you/Amazon (on your behalf);
Information about how we process, store, use, share, and dispose of your information (i.e., Data Protection and Privacy).
Please read this policy carefully to understand our views and practices regarding your personal data and how we will treat it.
When we refer in this policy to ‘User’ we are referring to a user of our services through our portal/ website.
We may collect and process the following data about you:
Data Governance: Our privacy and data handling policy governs the appropriate conduct and technical controls that are applied in managing and protecting information assets. We keep an inventory of software and physical assets (e.g., computers, mobile devices) with access to PII, and update it regularly. A record of data processing activities, such as specific data fields and how they are collected, processed, stored, used, shared, and disposed of, should be maintained for all PII to establish accountability and compliance with regulations. In accordance with the privacy policy, we can rectify, erase, or stop sharing/processing the customer's information where applicable.
Encryption and Storage: All PII is encrypted at rest using industry best practice standards (AES-256 encryption algorithm); in particular, this depends on server configuration. The cryptographic materials (e.g., encryption/decryption keys) and cryptographic capabilities used for encryption of PII at rest are only accessible to the processes and services. PII is not stored in removable media (e.g., USB) or unsecured public cloud applications (e.g., public links made available through Google Drive). Any printed documents containing PII should be securely disposed of.
Least Privilege Principle: We have implemented fine-grained access control mechanisms to allow granting rights to any party using the Application (e.g., access to a specific set of data in its custody) and the Application's operators (e.g., access to specific configuration and maintenance APIs such as kill switches) following the principle of least privilege. Application sections or features that vend PII must be protected under a unique access role, and access should be granted on a "need-to-know" basis.
Logging and Monitoring: We gather logs to detect security-related events (e.g., access and authorization, intrusion attempts, configuration changes) to the Application and systems. We implement this logging mechanism on all channels (e.g., service APIs, storage-layer APIs, administrative dashboards) providing access to Amazon Information. All logs must have access controls to prevent any unauthorized access and tampering throughout their lifecycle. Logs themselves should not contain PII and must be retained for at least 90 days for reference in the case of a Security Incident. We have mechanisms to monitor the logs and all system activities to trigger investigative alarms on suspicious actions (e.g., multiple unauthorized calls, unexpected request rate and data retrieval volume, and access to canary data records). We should perform an investigation when monitoring alarms are triggered, and this should be documented in the Incident Response Plan.
Network Protection: We have implemented network protection controls to deny access to unauthorized IP addresses, and public access must be restricted only to approved users.
Access Management: We assign a unique ID to each person with computer access to Amazon Information. Persons with access to data do not create or use generic, shared, or default login credentials or user accounts. We review the list of people and services with access to Amazon Information on a regular basis (at least quarterly), and remove accounts that no longer require access. We restrict employees from storing Amazon data on personal devices. We will maintain and enforce "account lockout" by detecting anomalous usage patterns and log-in attempts, and disabling accounts with access to Amazon Information as needed.
Encryption in Transit: We encrypt all Amazon Information in transit (e.g., when the data traverses a network, or is otherwise sent between hosts). This is accomplished using HTTP over TLS 1.2 (HTTPS). We enforce this security control on all applicable external endpoints used by customers as well as internal communication channels (e.g., data propagation channels among storage layer nodes, connections to external dependencies) and operational tooling. We disable communication channels which do not provide encryption in transit even if unused (e.g., removing the related dead code, configuring dependencies only with encrypted channels, and restricting access credentials to use of encrypted channels). We use data message-level encryption where channel encryption (e.g., using TLS) terminates in untrusted multi-tenant hardware (e.g., untrusted proxies).
Incident Response Plan: We have and maintain a plan to detect and handle Security Incidents. Such plan identifies the incident response roles and responsibilities, defines incident types that may impact Amazon, defines incident response procedures for defined incident types, and defines an escalation path and procedures to escalate Security Incidents to Amazon. We review and verify the plan every six (6) months and after any major infrastructure or system change. We investigate each Security Incident, and document the incident description, remediation actions, and associated corrective process/system controls implemented to prevent future recurrence. We will inform Amazon within 24 hours of detecting any Security Incidents via email to 3p-security@amazon.com.
Request for Deletion or Requests: If a customer (Amazon Seller) contacts us to update, delete, or edit the PII data, we will respond within 24-48 hours and the request will be fulfilled within 2-3 weeks.