Data Protection Policy
Purpose and Scope
This Data Protection Policy governs the receipt, storage, processing, use, transfer, disclosure, retention, and deletion of Amazon Information and other customer information handled by Tuxtreme and Shanxi KMT Industrial Machinery Co., Ltd.. It applies to employees, contractors, systems, vendors, and applications that access Amazon-related data or the company website.
Definitions
- “Amazon Information” means any information made available by Amazon through Marketplace APIs, Seller Central, reports, public-facing websites, or related Amazon services, including seller data and customer data.
- “PII” means information that identifies, relates to, describes, or can reasonably be linked to an individual, including name, delivery address, email, phone number, order details, and similar personal information.
- “Restricted Data” means PII or other data classified as confidential under Amazon requirements or internal policy.
- “Security Incident” means actual or suspected unauthorized access, acquisition, use, disclosure, loss, corruption, or compromise of Amazon Information or systems that process Amazon Information.
Data Governance
Tuxtreme maintains records of data processing activities, including data categories, processing purpose, source, storage location, access roles, retention period, sharing arrangements, and disposal method. Data may be collected only for legitimate business purposes such as order fulfillment, customer support, warranty service, returns, fraud prevention, legal compliance, and Amazon marketplace operations.
Amazon Information Handling Standards
- Amazon Information must not be used for unrelated marketing, profiling, resale, or unauthorized analytics.
- Amazon Information must not be stored on personal devices, unsecured removable media, public links, shared drives without access control, or unmanaged cloud accounts.
- Customer data must be disclosed only to authorized employees, approved service providers, Amazon, legal authorities when required, or the customer to whom the data relates.
- Printed records containing PII must be minimized and securely destroyed after use.
Encryption and Storage
- PII and Restricted Data stored in databases, backups, exports, or files must be encrypted using AES-256, RSA-2048 or stronger, or an equivalent industry-recognized method.
- Encryption keys and secrets must be stored separately from protected data and accessible only to authorized services and personnel.
- TLS 1.2 or higher must be used for external web endpoints and data transmission wherever technically feasible.
- Unencrypted protocols, unused ports, and obsolete ciphers must be disabled.
Least Privilege and Access Management
- Each user must have a unique account; generic, shared, default, or vendor accounts are prohibited for systems handling Amazon Information.
- Access must be role-based and limited to the minimum data and functions required for the user role.
- MFA is required for administrative access and all accounts with access to Amazon Information where supported.
- Access rights must be reviewed at least quarterly and removed within 24 hours after termination or role change.
- Account lockout and anomaly detection controls must be used where supported.
Logging and Monitoring
- Access, authentication, authorization, administrative activity, configuration change, data export, and security events must be logged.
- Logs must be protected from unauthorized access, deletion, and tampering.
- Logs must not intentionally contain PII. Where unavoidable, log data must be masked, minimized, and access-controlled.
- Security logs must be retained for at least 90 days and reviewed when alerts are triggered.
Network and Endpoint Protection
- Firewalls, secure configuration baselines, endpoint protection, anti-malware, and vulnerability management must be implemented for systems handling Amazon Information.
- Public access to administrative interfaces is prohibited unless protected through approved secure access controls.
- Critical vulnerabilities should be remediated within seven days of discovery and high-risk vulnerabilities within 30 days where commercially reasonable and technically feasible.
Data Retention and Deletion
- Amazon PII must be retained only for the minimum period necessary to fulfill orders, provide customer service, process returns, support warranty claims, meet legal obligations, or resolve disputes.
- Operational target: delete, anonymize, or securely archive Amazon customer PII within 30 days after order delivery unless a documented legal, tax, accounting, fraud prevention, dispute, chargeback, warranty, or return obligation requires longer retention.
- Upon Amazon request, Amazon Information must be securely deleted or returned within the timeframe required by Amazon and documented through deletion evidence.
- Secure deletion should follow NIST SP 800-88 principles where applicable.
Incident Response and Amazon Notification
- Security Incidents must be escalated immediately to Compliance & Security Officer.
- If Amazon Information may be affected, Amazon must be notified within 24 hours of detection or within the timeframe required by the applicable Amazon program.
- Incident records must include timeline, affected systems, data categories, containment actions, corrective actions, root cause, and prevention measures.
Training, Review, and Enforcement
- Personnel with access to Amazon Information must receive security and confidentiality training at onboarding and at least annually.
- This policy must be reviewed at least annually and after major system, vendor, website, or Amazon API changes.
- Violations may result in access removal, disciplinary action, contract termination, or legal action.
Contact Information
Shanxi KMT Industrial Machinery Co., Ltd.
No. 66 Zhaoyu Street
Private Science & Technology Park
Jinzhong Economic and Technological Development Zone
Jinzhong, Shanxi 030600
P.R. China
Website: https://tuxtreme.com
Email: customerservice@tyaje.com