Amazon Data Protection Policy

Data Protection Policy

This policy is written to ensure that Reference Point Computers Ltd is compliant with the Amazon policies below. It governs the collection, processing, storage, usage and disposal of Amazon data obtained for the use of clients from the Amazon Marketplace Web Service APIs:

Acceptable Use Policy (effective January 1, 2021)

Data Protection Policy (effective January 1, 2021)

General Security Requirements

Consistent with industry-leading security standards and other requirements specified by Amazon based on the classification and sensitivity of Amazon Information, Reference Point Computers Ltd maintains physical, administrative, and technical safeguards, and other security measures to maintain the security and confidentiality of Amazon Information accessed, collected, used, stored, or transmitted by Reference Point Computers Ltd, and to protect that information from known or reasonably anticipated threats or hazards to its security and integrity, accidental loss, alteration, disclosure, and all other unlawful forms of processing. Without limitation, Reference Point Computers Ltd complies with the following requirements:

Network Protection

All Reference Point Computers Ltd servers implement network protection controls including network firewalls. Public access is not available and access is only allowed to specific systems based on IP address.

Access Management

Access to Amazon information is strictly limited to users who require access in order to perform specific required tasks, and access is limited where possible to only required data. All users are unique with no shared logins. Access is logged and monitored.

Access can be revoked at any time if required and access is reviewed regularly (monthly). When a user leaves the company, their access and user permissions are immediately revoked.

No Amazon data is allowed to be stored on removable or personal devices. No PII is ever downloaded to devices.

Systems maintain and enforce "account lockout" by detecting suspicious activity such as multiple failed logins or a large number of requests. Account permissions are revoked immediately and the activity is investigated by IT and System Administrators.

Encryption in Transit

All data in transit is encrypted using HTTPS on Reference Point Computers Ltd systems. There are no instances of data in transit not being encrypted, even unused.

Incident Response Plan

Reference Point Computers Ltd maintains an incident response plan to deal with security incidents, interruption to or degradation of services or systems.

Impact and urgency of incidents are assessed according to set criteria and appropriate staff are informed. The incident could be a support ticket that is resolved or escalated to the Technical Director. If the incident is deemed to be High Priority or Importance the Managing Director is informed and an incident response team is formed.

Roles and responsibilities will be defined within the incident response team according to the exact requirements of the nature of the incident. All documentation relating to the incident is stored in the form of support logs and meeting minutes to be made available later if requested by Amazon.

In the case of a breach of sensitive data or PII, including Amazon data, company Directors will be notified and the incident response team will be convened to triage, identify mitigations and remediation, and develop a communication plan to notify stakeholders. In the case of any Amazon data breach this includes emailing 3p-security@amazon.com within 24 hours of discovery. No regulatory authority or customer will be notified on behalf of Amazon unless Amazon specifically requests in writing that Reference Point Computers do so. These incident response plans are reviewed every 4 months, or sooner in the case of major platform changes.

Request for Deletion or Return

Within 24 hours of Amazon's request, Reference Point Computers Ltd will permanently and securely delete (in accordance with NIST 800-88 industry-standard sanitization processes) or return Amazon Information in accordance with Amazon's notice requiring deletion and/or return. Reference Point Computers Ltd will also permanently and securely delete all live (online or network accessible) instances of Amazon Information within 30 days after Amazon's notice. If requested by Amazon, Reference Point Computers Ltd will certify in writing that all Amazon Information has been securely destroyed.

Additional Security Requirements Specific to Personally Identifiable Information

The following additional Security Requirements are met for all Personally Identifiable Information ("PII"), including instances where PII is combined with non-PII:

Data Retention and Recovery

Amazon PII is stored by Reference Point Computers Ltd on privately hosted servers for the sole purpose of facilitating the management of client orders. Amazon PII is removed from Reference Point Computers Ltd's databases no more than 30 days after the fulfillment of an order. Cancelled orders may have PII removed earlier. There is no Amazon PII stored in logs or other files.

Data Governance

Reference Point Computers Ltd has an asset management policy defining how software and physical assets are kept in an inventory and how this is updated as assets are reassigned or added. It also specifies procedures for data cleansing as assets are reassigned or removed from the inventory. This is reviewed every 6 months and a full asset inventory is performed. Reference Point Computers Ltd also has a publicly available privacy policy stating our compliance with all applicable data privacy regulations.

Encryption and Storage

All PII is encrypted at rest using industry standard AES-256 encryption. No PII is allowed to be stored in external media or unsecured Cloud applications. All cryptographic materials (encryption/decryption keys) and cryptographic capabilities used for encryption of PII at rest are only accessible to the Reference Point Computers Ltd system processes and services on our privately hosted cloud servers. Reference Point Computers Ltd have a procedure for securely disposing of printed documents with the 3rd party “Shred-it”, though this is explicitly prohibited by Reference Point Computers Ltd policy.

Least Privilege Principle

Access is provided to developers and other employees on a need-to-know basis using access controls to assign specific roles to minimise access based on the need to perform duties.

Logging and Monitoring

Admin panel activity, including access logs and authorization attempts, is logged and stored for 12 months. No PII is ever logged anywhere on Reference Point Computers Ltd systems. Code changes are logged to specific users. API logs are stored in databases on our privately hosted cloud servers, again not containing PII. Unauthorized access or unexpected request rates are flagged and suspicious activity is monitored by system administrators, who will instigate an investigation as detailed in the Reference Point Computers Ltd Incident Response Plan.

Audit

Reference Point Computers Ltd will, if requested, provide Amazon with all records that demonstrate compliance with the Acceptable Use Policy, Data Protection Policy, and Amazon Marketplace Developer Agreement during the period of our agreement with Amazon and for 12 months thereafter. Reference Point Computers Ltd will also cooperate fully with any auditor assigned by Amazon and allow them to inspect the books, records, facilities, operations, and security of all systems that are involved with Reference Point Computers Ltd's application in the retrieval, storage, or processing of Amazon Information. Any breaches, failures or deficiencies flagged as part of any audit will be rectified by Reference Point Computers Ltd at our expense within the agreed timeframe.