eBooth Software, LLC

Data Security & Controls

eBooth Software, LLC is committed to protecting the confidentiality, integrity, and availability of Amazon seller data accessed through our application. This page describes the security controls and data protection measures we implement to safeguard your information.

1. Encryption and Data Protection

1.1 Encryption in Transit:

  • All data transmitted between our application and Amazon's SP-API is encrypted using TLS 1.2 or higher
  • HTTPS is enforced for all web traffic to our systems
  • No unencrypted transmission of sensitive data is permitted

1.2 Encryption at Rest:

  • All stored seller data is encrypted using industry-standard encryption algorithms (AES-256)
  • Database encryption is enabled for all production data stores
  • Encryption keys are managed using secure key management systems and rotated regularly

2. Access Control and Authentication

2.1 Least Privilege Principle:

  • Access to seller data is restricted to authorized personnel only
  • Users are granted the minimum level of access necessary to perform their job functions
  • Access permissions are reviewed regularly and revoked when no longer needed

2.2 Role-Based Access Control (RBAC):

  • Access to systems and data is controlled through role-based permissions
  • Administrative access is limited to designated personnel
  • Separation of duties is enforced for critical operations

2.3 Multi-Factor Authentication (MFA):

  • MFA is required for all administrative and privileged accounts
  • Strong password policies are enforced for all user accounts

3. Credential and Secrets Management

3.1 Secure Storage:

  • API credentials, access tokens, and secrets are never stored in plain text
  • All credentials are stored in secure secrets management systems (e.g., AWS Secrets Manager, Azure Key Vault)
  • Credentials are encrypted both in transit and at rest

3.2 Credential Rotation:

  • API credentials and access tokens are rotated regularly
  • Expired or compromised credentials are immediately revoked

3.3 No Hardcoding:

  • Credentials are never hardcoded in source code or configuration files
  • Environment variables and secrets management systems are used for credential injection

4. Audit Logging and Monitoring

4.1 Comprehensive Logging:

  • All access to seller data is logged, including user identity, timestamp, and action performed
  • API calls to Amazon SP-API are logged for audit and troubleshooting purposes
  • Authentication attempts (successful and failed) are logged
  • System and application logs are retained for a minimum of 90 days

4.2 Security Monitoring:

  • Automated monitoring systems detect and alert on suspicious activities
  • Logs are regularly reviewed for security incidents and anomalies
  • Intrusion detection and prevention systems are deployed

5. Data Minimization and Privacy

5.1 Minimal Data Access:

  • We access only the data categories explicitly authorized by the selling partner
  • We request only the minimum permissions necessary to provide the Services
  • Data is not accessed or processed for purposes beyond those described in our Privacy Policy

5.2 Personally Identifiable Information (PII):

  • Access to PII (e.g., buyer names, shipping addresses) is restricted to authorized personnel on a need-to-know basis
  • PII is accessed only when necessary for order fulfillment or customer support
  • PII is not used for marketing, profiling, or any purpose other than providing the authorized Services
  • PII is deleted or anonymized in accordance with our data retention policies

6. Infrastructure Security

6.1 Secure Hosting:

  • Our application is hosted on secure, reputable cloud infrastructure providers
  • Infrastructure is configured following security best practices and hardening guidelines
  • Network segmentation and firewalls isolate production systems from unauthorized access

6.2 Patch Management:

  • Operating systems, applications, and dependencies are regularly updated with security patches
  • Critical security vulnerabilities are addressed promptly

6.3 Vulnerability Management:

  • Regular security assessments and vulnerability scans are conducted
  • Identified vulnerabilities are prioritized and remediated based on risk

7. Backup and Disaster Recovery

7.1 Data Backups:

  • Regular automated backups of critical data are performed
  • Backups are encrypted and stored securely in geographically separate locations
  • Backup integrity is tested regularly

7.2 Disaster Recovery:

  • A disaster recovery plan is maintained and tested periodically
  • Recovery time objectives (RTO) and recovery point objectives (RPO) are defined for critical systems

8. Incident Response

8.1 Incident Response Plan:

  • A documented incident response plan is maintained and regularly updated
  • Designated personnel are trained to respond to security incidents
  • Incident response procedures include detection, containment, eradication, recovery, and post-incident analysis

8.2 Breach Notification:

  • In the event of a data breach affecting seller data, we will notify affected parties promptly as required by applicable law
  • We will cooperate with law enforcement and regulatory authorities as necessary

8.3 Incident Contact:

9. Secure Development Practices

9.1 Secure Coding:

  • Developers follow secure coding guidelines and best practices
  • Code reviews are conducted to identify security vulnerabilities
  • Static and dynamic application security testing (SAST/DAST) tools are used

9.2 Dependency Management:

  • Third-party libraries and dependencies are regularly reviewed for known vulnerabilities
  • Vulnerable dependencies are updated or replaced promptly

10. Employee Training and Awareness

10.1 Security Training:

  • All employees with access to seller data receive security awareness training
  • Training covers data protection, privacy, secure handling of credentials, and incident reporting

10.2 Confidentiality Obligations:

  • Employees are bound by confidentiality agreements and are required to protect seller data
  • Access to seller data is granted only to employees who require it for their job functions

11. Compliance and Certifications

11.1 Amazon SP-API Compliance:

  • Our application is designed to comply with Amazon's SP-API policies and data protection requirements
  • We adhere to Amazon's guidelines for secure handling of seller data

11.2 Legal and Regulatory Compliance:

  • We comply with applicable data protection laws and regulations
  • Our practices are aligned with industry standards for data security and privacy

12. Third-Party Service Providers

12.1 Vendor Security:

  • Third-party service providers with access to seller data are carefully vetted
  • Vendors are contractually required to maintain appropriate security controls and confidentiality
  • Vendor security practices are reviewed periodically

13. Data Retention and Deletion

13.1 Retention Policies:

  • Seller data is retained only as long as necessary to provide the Services and comply with legal obligations
  • Data retention periods are defined in our Privacy Policy

13.2 Secure Deletion:

  • When data is deleted, it is securely erased using industry-standard methods
  • Deleted data is not recoverable

14. Continuous Improvement

We are committed to continuously improving our security posture. Our security controls are regularly reviewed and updated to address emerging threats and evolving best practices.

15. Contact Information

For questions or concerns regarding our security practices, or to report a security incident, please contact us:

eBooth Software, LLC
1502 N Clover Rd
Kennewick, WA 99338

Email: support@eboothsoftware.com
Privacy: privacy@eboothsoftware.com