Amazon Data Protection Policy
This Data Protection Policy governs the treatment (receipt, storage, usage, transfer, and disposition) of all data vended and retrieved through Amazon Marketplace APIs.
Definitions
"Application" means the Duo Wen Inc software application as it interfaces with the Amazon Marketplace APIs or the API Materials.
"Amazon Information" means any information that is exposed by Amazon through the Marketplace APIs, Seller Central, or Amazon's public-facing websites. This data includes public, non-public, and Personally Identifiable Information about Amazon customers.
"Customer" means any person or entity who has purchased items or services from Amazon's public-facing websites.
"Personally Identifiable Information" ("PII") means information that can be used on its own or with other information to identify, contact, identify in context, or locate a Customer. This includes, but is not limited to, a Customer's name, address, e-mail address, phone number, gift message content, survey responses, payment details, purchases, cookies, digital fingerprint (e.g., browser, user device), IP Address, geo-location, nine-digit postal code, or Internet-connected device product identifier.
"Security Incident" means any actual or suspected unauthorized access, collection, acquisition, use, transmission, disclosure, corruption, or loss of Amazon Information, or breach of any environment containing Amazon Information.
General Security Requirements
Consistent with industry-leading security standards and other requirements specified by Amazon based on the classification and sensitivity of Amazon Information, Duo Wen Inc maintains physical, administrative, and technical safeguards, and other security measures (i) to maintain the security and confidentiality of Amazon Information accessed, collected, used, stored, or transmitted by Duo Wen Inc, and (ii) to protect that information from known or reasonably anticipated threats or hazards to its security and integrity, accidental loss, alteration, disclosure, and all other unlawful forms of processing. Without limitation, Duo Wen Inc will comply with the following requirements:
Network Protection
Duo Wen Inc servers and systems employ Google VPC and network firewall controls for the purpose of denying access to unauthorized IP addresses. Public access is restricted to approved users only. Duo Wen Inc implements anti-virus and anti-malware software on end-user devices.
Access Management
Duo Wen Inc uses a unique ID assigned to each individual with computer access to Amazon Information. Under no circumstances do we create or use generic, shared, or default login credentials or user accounts. Baselining mechanisms are implemented to ensure that at all times only the required user accounts have access to Amazon Information. Access can be revoked at any time if required, and access is reviewed regularly (every 90 days). When an individual leaves the company, their access and user permissions are revoked within 24 hours.
No Amazon data is allowed to be stored on removable or personal devices. Systems maintain and enforce "account lockout" by detecting suspicious activity such as multiple failed logins or a large number of requests, and disable accounts with access to Amazon Information as needed.
Encryption in Transit
All data in transit is encrypted using HTTP over TLS (HTTPS) on Duo Wen Inc systems. All endpoints accept only HTTPS connections; there are no instances of data in transit that is not encrypted.
Incident Response Plan
Duo Wen Inc maintains an incident response plan to deal with security incidents and with interruption to or degradation of services or systems. The impact and urgency of incidents are assessed according to set criteria, and appropriate staff are informed. Roles and responsibilities will be defined within the incident response team according to the exact requirements of the nature of the incident. Duo Wen Inc maintains the chain of custody for all evidence or records collected, and such documentation will be made available to Amazon upon request (if applicable).
Duo Wen Inc will notify Amazon (via email to 3p-security@amazon.com) within 24 hours of detecting a Security Incident or suspecting that a Security Incident has occurred. Duo Wen Inc will investigate each Security Incident and document the incident description, remediation actions, and associated corrective process/system controls implemented to prevent future recurrence. If a Security Incident occurred, Duo Wen Inc cannot represent or speak on behalf of Amazon to any regulatory authority or customers unless Amazon specifically requests in writing that it do so.
Request for Deletion or Return
Within 72 hours of Amazon's request, Duo Wen Inc will permanently and securely delete (in accordance with NIST 800-88 industry-standard sanitization processes) or return Amazon Information in accordance with Amazon's notice requiring deletion and/or return. Duo Wen Inc will also permanently and securely delete all live (online or network accessible) instances of Amazon Information within 90 days after Amazon's notice. If requested by Amazon, we will certify in writing that all Amazon Information has been securely destroyed.
Additional Security Requirements Specific to Personally Identifiable Information
The following additional Security Requirements will be met for Personally Identifiable Information ("PII"). PII is granted to Duo Wen Inc for select tax and merchant fulfilled shipping purposes, on a will-have basis. If an Amazon Services API contains PII, or PII is combined with non-PII, then the entire data store will comply with the following requirements:
Data Retention and Recovery
Duo Wen Inc will retain PII for no longer than 30 days after order delivery and only for the purpose of, and as long as is necessary to (i) fulfill orders, (ii) calculate and remit taxes, (iii) produce tax invoices, or (iv) meet legal requirements, including tax or regulatory requirements.
Data Governance
Duo Wen Inc keeps an inventory of all software and physical assets with access to PII. A record of data processing activities for all PII, such as the specific data fields and how they are collected, processed, stored, used, shared, and disposed of, is maintained to establish accountability and compliance with regulations. Duo Wen Inc also has a publicly available privacy policy stating our compliance with all applicable data privacy regulations.
Encryption and Storage
All PII is encrypted at rest using the 256-bit Advanced Encryption Standard (AES-256), or better, with symmetric keys: that is, the same key is used to encrypt the data when it is stored, and to decrypt it when it is used. These data keys are themselves encrypted using a key stored in a secure keystore, and changed regularly.
No PII is allowed to be stored on external media or in unsecured cloud applications. Any printed documents containing PII should be securely disposed of.
Least Privilege Principle
Access is provided to developers and employees on a need-to-know basis, using fine-grained access controls to assign specific roles that minimise access based on the need to perform duties.
Logging and Monitoring
Duo Wen Inc systems logging includes access logs, authorisation attempts, and configuration changes. All logs have access controls to prevent unauthorised access and tampering. No PII is stored in any logs. Changes to source code are logged and attributed to specific individual developers. Unauthorised access or unexpected request rates are flagged, and suspicious activity is monitored and investigated as required.
Audit
Duo Wen Inc maintains all appropriate books and records reasonably required to verify compliance with Amazon's Acceptable Use Policy, Data Protection Policy, and Amazon Services API Developer Agreement during the period of this agreement and for 12 months thereafter. Upon Amazon's written request, Duo Wen Inc will certify in writing to Amazon that we are in compliance with these policies.