Data Protection Policy
Last updated: June 2024
1. Overview
Nanjing Shunheng Information Technology Co., Ltd. ("Shunheng ERP") is committed to protecting the confidentiality, integrity, and availability of all data processed through our platform. This Data Protection Policy (DPP) outlines the technical and organizational measures we implement to safeguard data, in compliance with applicable laws and Amazon's Acceptable Use Policy Section 4.5.
2. Scope
This policy applies to all data processed by Shunheng ERP, including:
- Amazon SP-API data (Brand Analytics reports, inventory, orders, advertising data)
- User account information
- System logs and audit trails
- Any other data stored or transmitted through our infrastructure
3. Data Encryption
3.1 Encryption in Transit
All data transmitted over networks is protected with TLS 1.2 or higher; older protocol versions (SSLv3, TLS 1.0, TLS 1.1) are not accepted. This includes:
- All communications between Shunheng ERP and Amazon SP-API endpoints
- All user interactions with our web application (HTTPS)
- All internal service-to-service communications within our infrastructure
- API calls between our platform and third-party integrations
3.2 Encryption at Rest
All data stored in our systems is encrypted at rest with AES-256. This includes:
- Database records (user data, Amazon SP-API data, configuration data)
- Backup files and snapshots
- Cache and temporary storage
- Log files containing sensitive information
4. Access Control
4.1 Role-Based Access Control (RBAC)
We implement strict role-based access control with the principle of least privilege:
- Each user is assigned a role with minimum necessary permissions
- Access to Amazon SP-API data is scoped per organization and per role
- Administrative access requires separate elevated credentials
- Access reviews are conducted quarterly
4.2 Authentication
- Multi-factor authentication (MFA) is required for all administrative accounts
- Password policies enforce complexity, minimum length (12+ characters), and rotation
- Sessions time out automatically after 30 minutes of inactivity
- OAuth 2.0 for Amazon SP-API authorization
5. Data Retention and Deletion
5.1 Retention Schedule
- Active account data: retained for the duration of the service agreement
- Amazon SP-API data: retained in accordance with Amazon's applicable policies
- Backup data: retained for 30 days
- Audit logs: retained for a minimum of 365 days
5.2 Data Deletion
Upon termination of service or upon user request:
- Data is securely deleted within 90 days
- Deletion follows NIST SP 800-88 guidelines for media sanitization
- Confirmation of deletion is provided to the customer
- Backup copies containing the deleted data expire under the 30-day backup retention period in Section 5.1 and are not restored afterwards
6. Incident Response
6.1 Incident Detection and Reporting
- 24/7 automated monitoring and alerting for security events
- Security incidents are triaged within 1 hour of detection
- Critical incidents involving Amazon seller data are reported to Amazon (3p-security@amazon.com) within 24 hours
- Affected customers are notified within 48 hours
6.2 Incident Response Plan
- Detection & Assessment — Identify and classify the incident
- Containment — Isolate affected systems to prevent spread
- Eradication — Remove the root cause
- Recovery — Restore systems from verified clean backups
- Post-Mortem — Root cause analysis and preventive measures
7. Subprocessor and Third-Party Vendors
We engage trusted third-party service providers for infrastructure and operations:
- Cloud Infrastructure: Alibaba Cloud / AWS (data centers in China and/or regions selected by customer)
- Database Services: Managed database services with encryption at rest enabled
- Monitoring & Logging: Services that meet our security and compliance requirements
All subprocessors are subject to contractual data protection obligations and are regularly audited.
8. Compliance
We comply with applicable data protection regulations including:
- Personal Information Protection Law (PIPL) of the People's Republic of China
- Amazon Acceptable Use Policy (AUP) Sections 4.4 and 4.5
- Amazon Data Protection Policy requirements for SP-API developers
- GDPR principles for European users (where applicable)
9. Contact
For questions or concerns regarding data protection, please contact our security team:
Email: support@shunhengerp.com
Nanjing Shunheng Information Technology Co., Ltd.
3A048 Yindu Jinchuang Plaza, No.2 Shuiximen Street, Qinhuai District, Nanjing, China