Shopperllo developers encrypt all PII at rest, including, but not limited to, when the data is persisted, using industry best practice standards (AES-256). All cryptographic materials, including, but not limited to, encryption/decryption keys and cryptographic capabilities, daemons implementing virtual Trusted Platform Modules and providing encryption/decryption APIs used for encryption of PII at rest, are only accessible to the Shopperllo developer's processes and services. Shopperllo developers do not store PII in removable media, including, but not limited to, USB, unsecured public cloud applications and/or public links made available through Google Drive. Shopperllo developers securely dispose of any printed documents containing PII.

Least Privilege Principle:
Shopperllo developers implement fine-grained access control mechanisms that allow rights to be granted to any party using the Application, including, but not limited to, access to a specific set of data in its custody, and to the Application's operators, with access to specific configuration and maintenance APIs such as kill switches, following the principle of least privilege. Application sections or features that vend PII are protected under a unique access role, and access is only granted on a "need-to-know" basis.

Logging and Monitoring:
Shopperllo developers gather logs to detect security-related events, including, but not limited to, access and authorization, intrusion attempts or configuration changes to their Applications and systems. Shopperllo developers have this logging mechanism in force on all channels, including, but not limited to, service APIs, storage-layer APIs or administrative dashboards providing access to Amazon Information. All logs have access controls in force to prevent any unauthorized access and tampering throughout their lifecycle. Logs themselves do not contain PII and are retained for at least 90 days for reference in the event of a Security Incident. Shopperllo developers have mechanisms in force to monitor the logs and all system activities to trigger investigative alarms on suspicious actions, including, but not limited to, multiple unauthorized calls, unexpected request rate and data retrieval volume, or access to canary data records. Shopperllo developers perform an investigation when monitoring alarms are triggered. This event is documented in the Developer's Incident Response Plan.

Audit
Shopperllo developers maintain all appropriate books and records reasonably required to verify compliance with the Acceptable Use Policy, Data Protection Policy, and Amazon Marketplace Developer Agreement during the period of agreement and for 12 months thereafter. Upon Amazon's written request, Shopperllo developers will certify in writing to Amazon that they are in compliance with these policies. Shopperllo developers will cooperate with Amazon or Amazon's auditor in connection with the audit, which may occur at the Shopperllo developer's facilities and/or subcontractor facilities. If the audit reveals deficiencies, breaches, and/or failures to comply with Amazon or Amazon’s auditor’s terms, conditions, or policies, Shopperllo will, at its sole cost and expense, take all actions necessary to remediate those deficiencies within an agreed-upon timeframe.