Amazon Data Protection Policy

This policy outlines how Label Directs Limited are compliant with Amazon policies that govern the collection, processing, storage, usage, and disposal of Amazon data obtained from Amazon Selling Partner APIs (including the Marketplace Web Service APIs).

This policy is applicable to all systems that store, process, or otherwise handle data vended and retrieved from the Selling Partner APIs.

1. General Security Requirements

1.1 Network Protection

All Label Directs Limited servers and systems implement network protection controls including network firewalls and network access control lists to deny access to unauthorized IP addresses. Public access is restricted to authorized and approved users.

1.2 Access Management

Access to Amazon information is strictly limited to users who require access to perform specific required tasks and access is limited to only required data. All users are assigned unique logins with no shared logins. Access to Amazon information is logged and monitored.

Access can be revoked at any time if required and access is reviewed regularly (every 90 days). When a user leaves the company, their access and user permissions are revoked within 24 hours of their leaving.

No Amazon data is allowed to be stored on removable or personal devices. No Personally Identifiable Information (PII) is ever downloaded to devices.

Systems maintain and enforce “account lockout” by detecting suspicious activity such as multiple failed logins or a large number of requests. Account permissions are revoked immediately and the activity is investigated by the security team.

1.3 Least Privilege Principle

Fine-grained access control mechanisms are implemented to protect Amazon information:

  • Access rights are carefully controlled, allowing access only to specific data based on the principle of least privilege.
  • Application sections or features that handle PII are protected under unique access roles and accessed on a “need-to-know” basis.

1.4 Passwords and credentials management

Label Directs Limited sets minimum requirements on passwords and credentials for access to systems. These requirements are:

  • 12 or more characters of password length.
  • 90 days of password expiry time.
  • 3 failed attempts allowed with an invalid password before a temporary lock-out.
  • Passwords must include, at least: one uppercase, one lowercase, one number and one special character.

1.5 Encryption in transit

All Amazon information is encrypted in transit using HTTP over TLS (HTTPS) whenever the data traverses a network or is otherwise sent between hosts. There are no instances of data in transit not being encrypted, even unused.

1.6 Risk Management and Incident Response Plan

Label Directs Limited maintains an incident response plan to deal with security incidents, interruption to or degradation of services or systems.

  • In case of unauthorised access to servers, database hacking or data leakage, Amazon will be contacted first, within 24 hours of the incident, to notify them of the problem via email to 3p-security@amazon.com and security@amazon.com.
  • Impact and urgency of incidents are assessed according to set criteria and appropriate staff are informed. The incident could be a support ticket that is resolved or escalated to the Incident Response Management team.
  • Roles and responsibilities will be defined within the incident response team according to the exact requirements of the nature of the incident. All documentation relating to the incident is stored in the form of support logs and meeting minutes to be made available later if requested by Amazon.
  • These incident response plans are reviewed every 90 days, or in the case of major platform changes, sooner.


Label Directs Limited will not notify any regulatory authority, nor any customer, on behalf of Amazon unless specifically requested in writing by Amazon.

1.7 Request for Deletion or Return

Within 72 hours of Amazon’s request, Label Directs Limited will permanently and securely delete (in accordance with NIST 800-88 industry-standard sanitization processes) or return Amazon Information in accordance with Amazon’s notice requiring deletion and/or return. Label Directs Limited will also permanently and securely delete all live (online or network accessible) instances of Amazon Information within 90 days after Amazon’s notice. If requested by Amazon, Label Directs Limited will certify in writing that all Amazon Information has been securely destroyed.

2. Additional Security Requirements Specific to Personally Identifiable Information

2.1 Data Retention and Recovery

Label Directs Limited retain PII only for the purpose of fulfilling orders. This retention period is for no more than 30 days (“Hold Period”) from shipment and online confirmation of delivery to customer.

Label Directs Limited is not required by law to retain archival copies of PII; therefore, beyond the 30-day Hold Period, Label Directs Limited do not maintain backup media of any kind for PII.

In the event that PII is lost, erased or unavailable for processing due to system crash or ransomware during the 30-day Hold Period, Label Directs Limited maintains a backup copy of all PII. This copy is encrypted and meets all security requirements noted in this policy. All security backups are purged with the original at the end of the 30-day Hold Period.

2.2 Data Governance

As part of Application privacy and Data Handling Policy, Label Directs Limited keep an inventory of all software and physical assets with access to PII. This inventory is updated every 30 days. Label Directs Limited keep records of all data processing activities, including but not limited to, specific data fields as well as how they are collected, processed, stored, used, shared, and disposed of as they apply to PII. This record is maintained for the purpose of establishing accountability and compliance with regulations. Label Directs Limited follow the posted Privacy Policy as it applies to customer consent and data rights per all applicable data privacy regulations.

2.3 Encryption and Storage

All PII is encrypted at rest using industry standard AES-256 encryption. No PII is allowed to be stored in external media or unsecured Cloud applications.

The cryptographic materials (e.g., encryption/decryption keys) and cryptographic capabilities used for encryption of PII at rest are only accessible to Label Directs Limited service processes and services on a privately hosted server. It is prohibited to store PII in removable media (e.g., USB) or unsecured public cloud applications. Label Directs Limited securely dispose of all printed materials through the third-party Simple Shredding service (certificates of shredding are available for review by Amazon if requested). Label Directs Limited policies strictly prohibit the printing of PII not required for order fulfilment (despatch labels).

2.4 Logging and Monitoring

Label Directs Limited systems logging includes access logs, authorisation attempts, and configuration changes. This logging mechanism is implemented on all channels providing access to Amazon Information. Logs are only accessible by authorized personnel. The logs themselves do not contain PII and are retained for 90 days as reference in the case of a Security Incident.

Code changes are logged to specific users. API logs are stored in databases on privately hosted cloud servers; no PII data is stored in these logs.

Unauthorized access or unexpected request rates are flagged, and suspicious activity is monitored by system administrators who will instigate an investigation as detailed in the Incident Response Plan.

2.5 Vulnerability Management

Label Directs Limited has a runbook designed to detect, remediate, and correct vulnerabilities in the system.

Through an internal task manager, developers indicate any vulnerability found in the system and classify them by severity and priority so that members of the development team are aware of them. Depending on the severity of the vulnerability, its correction is prioritized, and immediate action is taken in the most critical cases. Each incident notification is identified by the user who reported it, the date and time, as well as other highly relevant parameters.

Any type of software or hardware change is tested, verified, and approved by the developers within the team.

Once the finding is corrected, developers follow up thoroughly for several weeks to confirm that the problem has been fully fixed.

An exhaustive vulnerability analysis is carried out every 90 days at the most. If incidents are detected, the team works immediately on their correction and solution.

3. Audit

Label Directs Limited will, if requested, provide Amazon with all records that demonstrate compliance with the Acceptable Use Policy, Data Protection Policy, and Amazon Marketplace Developer Agreement during the period of Label Directs Limited's agreement with Amazon and for 12 months thereafter.

Label Directs Limited will also co-operate fully with any auditor assigned by Amazon and allow them to inspect the books, records, facilities, operations, and security of all systems that are involved with Label Directs Limited applications in the retrieval, storage, or processing of Amazon Information.

If the audit reveals deficiencies, breaches, and/or failures to comply with Amazon terms, conditions, or policies, Label Directs Limited will, at its sole cost and expense, take all actions necessary to remediate those deficiencies within an agreed-upon timeframe.

This policy was last updated on 11/04/2024