Data Protection Policy
This Data Protection Policy ("DPP") governs the treatment (e.g., receipt, storage, usage, transfer, and disposition) of the data collected and retrieved by https://OozeLife.com (Ooze Life).
Definitions
"Amazon Services API" means any application programming interface (API) offered by Amazon for the purpose of helping Amazon Authorized Users to programmatically exchange data.
"API Materials" means Materials we make available in connection with the Amazon Services API, including APIs, documentation, specifications, software libraries, software development kits, and other supporting materials, regardless of format.
"Application" means a software application or website that interfaces with the Amazon Services API or the API Materials.
"Authorized User" means a user of Amazon’s systems or services who has been specifically authorized by Amazon to use the applicable systems or services.
"Customer" means any person or entity who has purchased items or services from Amazon's public-facing websites.
"Developer" means any person or entity (including you, if applicable) that uses the Amazon Services API or the API Materials for a Permitted Use on behalf of an Authorized User.
"Information" means any information that is exposed through the Amazon Services API, Amazon Portals, or Amazon's public-facing websites. This data can be public or non-public, including Personally Identifiable Information about Amazon Customers.
"Personally Identifiable Information" ("PII") means information that can be used on its own or with other information to identify, contact, identify in context, or locate an Amazon Customer or Authorized User. This includes, but is not limited to, a Customer or Authorized User's name, address, e-mail address, phone number, gift message content, survey responses, payment details, purchases, cookies, digital fingerprint (e.g., browser, user device), IP Address, geo-location, nine-digit postal code, or Internet-connected device product identifier.
"Security Incident" means any actual or suspected unauthorized access, collection, acquisition, use, transmission, disclosure, corruption, or loss of Information, or breach of any environment containing Information.
Ooze Life complies with the following requirements.
AUP - Acceptable Use Policy
- Data Sharing 4.6
Question - List all outside parties with whom your organization shares Amazon Information and describe how your organization shares this information.
- Riverguide by 24G – Ooze shares information via the Third-party developer/apps page within Seller Central through their app with Amazon. The application name is Riverguide by 24G.
- Avalara – Ooze shares information via the Third-party developer/apps page within Seller Central through their app with Amazon. We share this information via an MWS Authorization Token.
- Buy With Prime - Ooze shares information via the Third-party developer/apps page within Seller Central through their app with Amazon. The application name is Buy with Prime Activation, and information is shared through Full MWS Access via an MWS Authorization Token.
- Dassity - Ooze shares information via the Third-party developer/apps page within Seller Central through their app with Amazon. We share this information via an MWS Authorization Token, and Dassity has full MWS Access.
- Helium 10 - Ooze shares information via the Third-party developer/apps page within Seller Central through their app with Amazon. We share this information via an MWS Authorization Token; their app name is Helium 10.
- Informed.co - Ooze shares information via the Third-party developer/apps page within Seller Central through their app with Amazon. We share this information via an MWS Authorization Token; their app name is Informed.co.
- Kevin Nolan (Suite Engine and Microsoft Business Central) - Ooze shares information via the Third-party developer/apps page within Seller Central through their app with Amazon. The information is shared through the MWS Authorization Token. The information flows via API calls from Suite Engine into Microsoft Business Central, which is our ERP/order management system.
- Pacvue Corporation - Ooze shares information via the Third-party developer/apps page within Seller Central through their app with Amazon. Their app names are Pacvue-eCommerce and Pacvue - Product Center.
- Windsor.ai - Ooze shares information via the Third-party developer/apps page within Seller Central through their app with Amazon. Their app name is Windsor.ai.
- Data usage 4.1.
Question - Describe why you require Personally Identifiable Information to build your application or feature.
Ooze requires PII to ship FBM orders. To ship our FBM orders, we need PII to port over to our ERP system (Microsoft Business Central) so that orders can be shipped from our warehouse. Without PII, Ooze wouldn’t know customers’ shipping information and couldn’t utilize the FBM order feature for selling on Amazon.
- Data Retention 2.1
Question - How long do you retain Personally Identifiable Information data?
Ooze retains PII for 7 years per federal guidelines regarding the Period of Limitations that apply to income tax returns.
- Network Protection 1.1
Question - Describe the network protection controls used by your organization to restrict public access to databases, file servers, and desktop/developer endpoints.
Microsoft Business Central is cloud hosted by Microsoft; therefore, all network infrastructure (routers and switches) is governed and/or regulated by Microsoft. Ooze does not store a local copy of the database. Access to the data is restricted using least privilege access and is monitored and controlled by Ooze IT security management and the Ecommerce Manager. Ooze has implemented network protection controls to deny access to unauthorized IP addresses, and public access is restricted to approved users only. IT security training is conducted monthly; all users working within Microsoft Business Central are required to take this training. Ooze uses Sophos as its cyber security protection software, which is installed on every end-user device.
- Access Management 1.2 and Least Privilege Principle 1.3.
Question - Describe how your organization individually identifies employees who have access to Amazon information, and restricts employee access to Amazon information on a need-to-know basis.
Ooze assigns a unique ID to each person with computer access to Amazon Information. Persons with access to data don’t create or use generic, shared, or default login credentials or user accounts. Ooze reviews the list of people and services with access to Amazon Information on a regular basis (at least quarterly) and removes accounts that no longer require access. Ooze restricts employees from storing Amazon data on personal devices. Ooze will maintain and enforce "account lockout" by detecting anomalous usage patterns and log-in attempts and disabling accounts with access to Amazon Information as needed.
Ooze has implemented fine-grained access control mechanisms to allow granting rights to any party using the Application (e.g., access to a specific set of data at its custody) and the Application's operators (e.g., access to specific configuration and maintenance APIs such as kill switches) following the principle of least privilege. Application sections or features that vend PII must be protected under a unique access role, and access should be granted on a "need-to-know" basis.
- Asset Management 2.3.
Question - Describe the mechanism your organization has in place to monitor and prevent Amazon Information from being accessed from employee personal devices (such as USB flash drives, cellphones) and how are you alerted in the event such incidents occur.
Ooze employee personal devices are not permitted to access the Microsoft Business Central (MS BC) cloud environment per Ooze company policy. Administrator access is governed by two-step factor authentication. That access must be approved by IT Security and the Ecommerce Manager. We are alerted via failed login attempt messages sent by Microsoft to IT security. Persons with access to MS BC cannot use generic, shared, or default login credentials. Ooze reviews the list of users and service providers with access to PII on a quarterly basis and removes accounts that no longer require access. Ooze does not permit employees to store Amazon data on personal devices and does not allow PII on removable media or unsecured public clouds. Ooze maintains and enforces "account lockout" by detecting anomalous access patterns and log-in attempts and disables accounts as needed. Ooze has data loss prevention controls in place to monitor and detect unauthorized movement of data.
- Data Governance 2.2
Question - Provide your organization's privacy and data handling policies to describe how Amazon data is collected, processed, stored, used, shared, and disposed. You may provide this in the form of a public website URL.
To Do: Get all of this info approved by David and get it on Cannatron and Ooze Life in a hidden location that can only be accessed via an unknown link.
- Encryption at Rest 2.4
Question - Describe where your organization stores Amazon Information at rest and provide details on any encryption algorithm used.
All PII data within Microsoft Business Central is stored in a Microsoft SaaS offering hosted on Azure. Microsoft Business Central uses a single encryption key per server instance. Encryption and decryption are performed by an RSA algorithm as provided by the cryptographic service provider (see RSACryptoServiceProvider(Int32)). The generated encryption key size is 2048 bits. The cryptographic materials (e.g., encryption/decryption keys) and cryptographic capabilities used for encryption of PII at rest are only accessible to the processes and services. PII is not stored in removable media (e.g., USB) or unsecured public cloud applications (e.g., public links made available through Google Drive). Any printed documents containing PII should be securely disposed of.
- Data Retention 2.1
Question - Describe how your organization backs up or archives Amazon Information and provide details on any encryption algorithm used.
Data backups and archives are controlled by Microsoft. Business Central is controlled by Azure SQL Database, which uses SQL Server engine technology to back up and restore data. By default, Microsoft creates:
- Full backups every week.
- Differential backups every 12 or 24 hours.
- Transaction log backups approximately every 10 minutes.
The exact frequency of transaction log backups is based on the compute size and the amount of database activity. Microsoft stores backups in geo-redundant storage blobs that are replicated to a paired region.
Reference: Automatic, geo-redundant backups - Azure SQL Database | Microsoft Learn
- Logging and Monitoring 2.6
Question - Describe how your organization monitors, detects, and logs malicious activity in your application(s).
Microsoft provides a number of information security measures by default which help mitigate security issues at platform layers outside of Ooze’s control. These include both physical and logical security controls, as well as automated security processes, comprehensive information security and privacy policies, and Microsoft Services administrators’ security and privacy training.
Reference: MicrosoftAzureDataProtection_Aug2014.pdf, section 3.3
- Risk Management and Incident Response Plan 1.6
Question - Summarize the steps taken within your organization's incident response plan to handle database hacks, unauthorized access, and data leaks.
Ooze maintains a plan to detect and handle Security Incidents. The plan identifies the incident response roles and responsibilities, defines incident types, defines incident response procedures for defined incident types, and defines an escalation path and procedures to escalate Security Incidents. Ooze investigates each Security Incident and documents the incident description, remediation actions, and associated corrective process/system controls implemented to prevent future recurrence.
- Credential Management 1.4
Question - How do you enforce password management practices throughout the organization as it relates to required length, complexity (upper/lower case, numbers, special character) and expiration period?
All software utilized by Ooze is programmed to automatically make users change their password every 42 days and enforces password complexity by requiring that passwords:
- Not contain the user's account name or parts of the user's full name that exceed two consecutive characters.
- Be at least eight characters in length.
- Contain characters from three of the following four categories:
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - Base 10 digits (0 through 9)
  - Non-alphabetic characters (for example, !, $, #, %)
Complexity requirements are enforced when passwords are changed or created. All staff receive monthly IT security training related to password protection, phishing, and hacking.
- Vulnerability Management 2.7
Question - How do you track remediation progress of findings identified from vulnerability scans and penetration tests?
Ooze maintains a runbook to detect and remediate vulnerabilities. Ooze protects physical hardware containing PII from technical vulnerabilities by performing vulnerability scans and remediating appropriately. Ooze conducts vulnerability scans at least every 180 days. Ooze controls changes to the storage hardware by testing, verifying changes, approving changes, and restricting access to who may perform those actions.
- Vulnerability Management 2.7
Question - Who is responsible for change management and how is their access granted? Please specify job title.
Ooze’s IT Manager is responsible for change management. The IT Manager’s access to change management is governed by the general manager. All changes are logged.