Amazon SP-API Role Access Data Management and Privacy Policy

Last updated: May 2025

1. Application Description

Our application was created with the aim of simplifying and automating the daily management of sales on Amazon. By integrating business systems with SP-API APIs, it allows you to keep offers updated, monitor orders received in real time, automatically generate shipping labels, process tax documents and analyze performance through official reports. This flow allows not only operational savings, but above all greater precision in order fulfillment and accounting management.

2. Processing of Personally Identifiable Information (PII)

Within our system, personal data such as name, surname, address, postal code, city and telephone number are processed exclusively for operational purposes. In particular, this information is used to generate the labels necessary for direct shipping of products to customers (FBM mode) and to prepare tax documentation. The issuing of invoices for end customers, especially those in the EU, is necessary for the correct application of VAT regulations and takes place in full compliance with the provisions of the Revenue Agency (response no. 802/2021). Under no circumstances will the data be used for purposes other than those indicated.

3. Sharing with third parties

Our organization shares personal information exclusively with third parties that are essential to the execution of services, such as couriers in charge of deliveries and tax intermediaries authorized to manage invoices. All sharing occurs via secure connections, and data is encrypted using the 128-bit AES algorithm during transfer. Access is permitted only to systems and operators that have an actual operational need for it.

4. Network Protection

The entire infrastructure is protected by next-generation firewalls, and access to resources is via VPN with restrictions on authorized IPs. Systems are monitored by intrusion detection and prevention systems (IDS/IPS) and are updated regularly. Corporate endpoints are subject to restrictive policies that prevent any accidental access to or exposure of sensitive data.

5. Access Management

Each employee authorized to access Amazon data has a unique personal identifier, and shared accounts are never used. Access to data is limited exclusively to people who, for work reasons, need to process Amazon information. Access is monitored, logged, and deactivated within 24 hours in the event of an employee leaving the organization. Quarterly reviews are also performed to verify active access.

6. Personal Devices and Data Security

The use of personal devices to access or store Amazon data is expressly prohibited. Authorized devices are registered, encrypted, and subject to DLP (Data Loss Prevention) controls. An up-to-date inventory of the assets involved is maintained and, where temporary paper records are required, they are destroyed using secure methods.

7. Data retention, backup and deletion

Amazon information is stored on Amazon RDS, with AES-128 encryption both in transit and at rest. Personally identifiable data is retained only for as long as is strictly necessary to complete operational and tax activities. In particular, order data is retained for a maximum of 30 days from the date of delivery confirmation to the customer, after which it is automatically deleted from our systems through automated secure deletion procedures, which include overwriting and permanently removing data from backups. Backup copies are subject to consistent expiration rules, which require them to be deleted within 90 days of creation.

8. Security Monitoring

We monitor applications in real time through SIEM systems and constantly analyze logs, which do not include PII data, to detect suspicious activity. In case of anomalies, responsible personnel are alerted to immediately activate the required procedures.

9. Incident Management

We have implemented an incident response plan, updated annually, that includes specific guidelines for security breaches, unauthorized access, and data loss. An operational runbook supports the team in structured emergency management. Amazon is notified within 24 hours of any relevant event, in accordance with their policies.

10. Credential Security

All corporate credentials meet high standards: minimum length of 12 characters, mandatory use of alphanumeric characters and symbols, periodic rotation, and mandatory MFA. API keys are managed through AWS Secrets Manager or other secure management systems.

11. Security in test environments

No real data is ever used in testing contexts. We use pseudonymization and anonymization techniques to avoid any accidental exposure. Furthermore, test and production environments are completely separated and credentials are never written directly into the source code.

12. Vulnerability Management

Our process involves identifying and remediating vulnerabilities within 24 hours of discovery. We conduct regular reviews every 180 days and a penetration test annually. Structural changes follow a full cycle of review, approval, and testing.

13. Change Management

Responsibility for changes falls on an experienced, certified and trained IT team. Changes are made only by authorized personnel and go through a structured process of technical validation and approval.