Amazon Data Protection and Handling Policy
Multiskills LLC, doing business as OneDayBundle (“OneDayBundle”, “we”, “us”, “our”).
Network Protection
- OneDayBundle personnel maintain, in force, AES-256 encryption and a network firewall that denies access from unauthorized IP addresses. All unauthorized public access is denied.
- OneDayBundle personnel are assigned unique IDs, keys, and authentication credentials to control and monitor computer access to Amazon Information; personnel cannot create or use generic, shared, or default login credentials or user accounts. All access and authorization is controlled by the OneDayBundle CEO.
- OneDayBundle personnel maintain, in force, baseline mechanisms to ensure that at all times only the required user accounts can access Amazon Information.
- The OneDayBundle CEO alone reviews the authorized list of people and services with access to Amazon Information on a monthly basis and removes accounts that no longer require access.
- OneDayBundle developer employees are restricted from storing Amazon data on personal devices.
- OneDayBundle personnel maintain and enforce “account lockout” by detecting anomalous usage patterns and log-in attempts and disabling accounts with access to Amazon Information as needed. Accounts are locked after ten (10) consecutive failed login attempts and require an administrative unlock or a timed lockout in accordance with security policy. Password history is enforced to prevent reuse of the previous ten (10) passwords.
- OneDayBundle personnel have, in force, HTTPS encryption for all Amazon Information in transit, including, but not limited to, within our network and between hosts. All data in transit is protected using TLS 1.2 or higher.
- OneDayBundle personnel enforce this security control on all applicable external endpoints used in internal communication channels, including, but not limited to, data propagation channels among storage-layer nodes, connections to external dependencies, and operational tooling.
- OneDayBundle personnel provide encryption in transit even for channels that are unused, including, but not limited to, removing the related dead code, configuring dependencies only with encrypted channels, and restricting access credentials to the use of encrypted channels.
- OneDayBundle personnel use the AWS Encryption SDK where channel encryption (such as TLS) terminates in untrusted multi-tenant hardware (such as untrusted proxies).
- Anti-malware/EDR protection is deployed on applicable endpoints and servers and cannot be disabled by end users; tamper protection is enabled.
Data Retention and Recovery:
- OneDayBundle retains Amazon customer personal data (PII) only for the purpose of, and as long as is necessary to, fulfill orders, but no longer than 30 days after order delivery, except where a longer retention period is required by law (e.g., tax or regulatory requirements). Any legally required archival copies are stored as "cold" or offline encrypted archives and are not available for immediate or interactive use. Non-PII Amazon Information is retained no longer than 18 months. Upon Amazon’s request or upon termination of access, OneDayBundle will delete Amazon Information from active systems as soon as practicable and no later than 30 days, and will ensure deletion from all live instances within 90 days after receiving written notice from Amazon. Secure deletion and media sanitization are performed using industry-standard methods (e.g., NIST SP 800-88 or equivalent). Backups are stored in physically secure facilities and are encrypted. OneDayBundle maintains recovery procedures to restore data in case of loss while respecting the retention limits above.
Data Governance:
- OneDayBundle personnel create, document, and abide by the OneDayBundle privacy and data handling policy for their Applications or services, which governs the appropriate conduct and technical controls to be applied in managing and protecting information assets.
- OneDayBundle personnel keep an inventory of software and physical assets, such as, but not limited to, computers and mobile devices with access to PII, and update it regularly. A record of data processing activities for all PII, such as the specific data fields and how they are collected, processed, stored, used, shared, and disposed of, is maintained to establish accountability and compliance with regulations.
- OneDayBundle personnel have established and abide by the OneDayBundle privacy policy for customer consent and data rights to access, rectify, erase, or stop sharing/processing their information where applicable or required by data privacy regulation.
- API credentials (including SP-API keys/tokens where applicable) are rotated on a defined schedule and upon suspected compromise; access is revoked promptly when no longer required.
Encryption and Storage:
- OneDayBundle personnel encrypt all PII at rest, including, but not limited to, when the data is persisted, using the industry best-practice standard AES-256. All cryptographic materials, including, but not limited to, encryption/decryption keys, cryptographic capabilities, daemons implementing virtual Trusted Platform Modules, and encryption/decryption APIs used for encryption of PII at rest, are accessible only to the OneDayBundle developer's processes and services. Encryption keys are managed and protected using a dedicated key management system (e.g., AWS KMS or equivalent), with least-privilege access and audit logging for key usage.
- OneDayBundle personnel do not store PII on removable media, including, but not limited to, USB devices, unsecured public cloud applications, and/or public links made available through Google Drive.
- OneDayBundle personnel securely dispose of any printed documents containing PII.
Least Privilege Principle:
- OneDayBundle personnel implement fine-grained access control mechanisms that grant rights to any party using the Application, including, but not limited to, access to a specific set of data in its custody and the Application's operators' access to specific configuration and maintenance APIs (such as kill switches), following the principle of least privilege. Application sections or features that vend PII are protected under a unique access role, and access is granted only on a "need-to-know" basis.
Logging and Monitoring:
- OneDayBundle personnel gather logs to detect security-related events, including, but not limited to, access and authorization events, intrusion attempts, and configuration changes to their Applications and systems.
- OneDayBundle maintains logging on all channels providing access to Amazon Information, including service APIs, storage-layer APIs, and administrative dashboards. Logs record key security-relevant events (e.g., authentication events, authorization changes, access attempts, privilege changes, and data access patterns). Logs themselves do not contain PII. Logs are retained for at least 12 months and are protected from tampering. Logs and alerts are reviewed continuously (real-time where feasible) and at least on a bi-weekly basis by authorized personnel.
- OneDayBundle personnel have, in force, mechanisms to monitor the logs and all system activities and to trigger investigative alarms on suspicious actions, including, but not limited to, multiple unauthorized calls, unexpected request rates and data retrieval volumes, or access to canary data records.
- OneDayBundle personnel perform an investigation when monitoring alarms are triggered. This event is documented in the Developer's Incident Response Plan.
Audit
- OneDayBundle personnel maintain all appropriate books and records reasonably required to verify compliance with the Acceptable Use Policy, Data Protection Policy, and Amazon Marketplace Developer Agreement during the period of the agreement and for 12 months thereafter.
- Upon Amazon's written request, OneDayBundle personnel will certify in writing to Amazon that they are in compliance with these policies.
- OneDayBundle personnel will cooperate with Amazon or Amazon's auditor in connection with the audit, which may occur at the OneDayBundle developer's facilities and/or subcontractor facilities. If the audit reveals deficiencies, breaches, and/or failures to comply with Amazon's or Amazon’s auditor’s terms, conditions, or policies, OneDayBundle will, at its sole cost and expense, take all actions necessary to remediate those deficiencies within an agreed-upon timeframe.
Security Monitoring and Incident Response
- Multiskills LLC maintains a proactive security monitoring and incident response framework to detect, investigate, and mitigate potential security threats.
- Security audits and penetration testing are conducted annually to assess network security, cloud infrastructure, application security and API security risks.
- We maintain an Incident Management Point of Contact (IMPOC) responsible for coordinating incident response and communications with Amazon. The IMPOC is available 24/7 for security incident escalation.
Vulnerability Management:
- OneDayBundle performs vulnerability scanning of externally facing systems and internal components at least every 30 days, and after material changes. Critical vulnerabilities are remediated within 7 days and high-severity vulnerabilities within 30 days. Static/dynamic application security testing is incorporated into the development and release process. Security audits and penetration tests are conducted at least annually, and findings are tracked to remediation.
- All security incidents must be reported immediately and escalated to the Security Operations Team (SecOps) for containment and remediation.
Amazon Notification:
- In the event of any actual or suspected security incident, breach, or unauthorized access involving Amazon Information, OneDayBundle will notify Amazon within 24 hours by emailing [email protected] (or the address specified by Amazon from time to time). Notifications will include known details at the time, actions taken for containment, and ongoing remediation status, and OneDayBundle will cooperate with Amazon’s investigation and audit requests.
Changes Handling:
- OneDayBundle will inform Amazon SP-API Solution Provider Support (via https://developer.amazonservices.com/support) within 30 days of any organizational changes or events that change OneDayBundle’s need for or use of Amazon Information (e.g., merger, acquisition, transfer of ownership, or material change in product/service offerings), and will maintain a written policy to this effect. OneDayBundle will disclose to Amazon any affiliated entities involved in its application or service when requesting additional roles.
Change Management
- Multiskills LLC is obliged to inform Amazon ([email protected]) within 30 days of any organizational changes or events that change OneDayBundle's need for or use of Amazon Information.