Data Protection Policy
How we safeguard Amazon Information in compliance with Amazon's Data Protection Policy (DPP)
DPP 1.1 Network Protection
- Firewalls and ACLs: Network firewalls and access control lists are deployed to restrict inbound and outbound traffic to authorized connections only.
- Network segmentation: Production systems are segmented from development and corporate networks. Intrusion detection and prevention systems (IDS/IPS) monitor for threats in real time.
- Anti-malware: Endpoint protection and anti-malware software is deployed on all systems and updated monthly at minimum. Tamper protection controls prevent unauthorized disablement of anti-virus/anti-malware software.
- Access restriction: Access to systems containing Amazon Information is restricted to Approved Users only, enforced through network-level controls.
- Secure coding practices: We follow secure coding standards (OWASP Top 10) and conduct code reviews before deployment. No credentials, API keys, or secrets are hardcoded in source code.
- Annual security training: All personnel with access to Amazon Information complete annual data protection and IT security training covering data handling, incident response, and privacy obligations.
DPP 1.2 Access Management
- Unique user IDs: Every individual with system access is assigned a unique user ID. Generic, shared, or default login credentials are prohibited.
- Formal registration: User access is provisioned through a formal registration and de-registration process with documented approval.
- Account lockout: Accounts are locked after 10 unsuccessful login attempts.
- Quarterly access reviews: Access lists are reviewed quarterly to verify that only currently authorized personnel retain access.
- Termination protocol: Access is disabled within 24 hours of employee termination or role change that no longer requires access.
DPP 1.3 Least Privilege Principle
All access rights are granted on a strict need-to-know basis using fine-grained controls. Personnel are assigned the minimum permissions necessary to perform their job functions. Database-level Row-Level Security (RLS) policies enforce data isolation between organizations.
- Role-Based Access Control (RBAC): Permissions are assigned by role, not individual, ensuring consistent enforcement.
- Elevated access: Administrative or elevated access requires additional approval and is time-limited where possible.
- Service accounts: Service accounts are restricted to the specific resources and operations they require.
DPP 1.4 Credential Management
Password Requirements
- Minimum length: All passwords must be a minimum of 14 characters.
- Complexity: Passwords must contain at least one character from each of the following four categories: (1) uppercase letters (A-Z), (2) lowercase letters (a-z), (3) numbers (0-9), and (4) special characters (e.g., !, @, #, $, %, ^, &, *).
- Name restriction: Passwords must not contain any part of the user's name, username, or email address.
- Minimum password age: 1 day - passwords cannot be changed more than once per day to prevent rapid cycling.
- Maximum password expiration: 365 days - passwords must be changed at least annually.
- Password history: The system enforces a 10-password history, preventing reuse of recent passwords.
- Password storage: All passwords are cryptographically hashed using bcrypt/scrypt. Plaintext passwords are never stored or transmitted.
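To make the password rules above concrete, the following is an added example (not daysout.ai's code) of a policy check that enforces the 14-character minimum, the four-category complexity rule, the name/username/email restriction, the 1-day minimum age and the 10-password history, while storing only salted scrypt hashes. The tokenization used for "any part of the user's name" (tokens of three or more characters from the name, the username and the email local part), the scrypt parameters and the Unix-timestamp bookkeeping are assumptions.

```python
from __future__ import annotations
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass, field

# Policy constants taken from the password rules in the policy text.
MIN_LENGTH = 14
HISTORY_DEPTH = 10
MIN_AGE_SECONDS = 24 * 60 * 60          # 1 day between changes
MAX_AGE_SECONDS = 365 * 24 * 60 * 60    # annual expiry


def _scrypt(password: str, salt: bytes) -> bytes:
    # Work-factor parameters are an assumption; the policy only names bcrypt/scrypt.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)


@dataclass
class PasswordRecord:
    """(salt, hash) pairs for the current and previous passwords, newest last."""
    history: list = field(default_factory=list)
    last_changed: float = 0.0


def identity_tokens(name: str, username: str, email: str) -> set:
    """Substrings a password must not contain (assumed tokenization: 3+ chars,
    split on whitespace, dots, dashes, underscores; email domain is ignored)."""
    local_part = email.split("@", 1)[0]
    tokens = re.split(r"[\s.\-_+]+", f"{name} {username} {local_part}")
    return {t.lower() for t in tokens if len(t) >= 3}


def complexity_errors(password: str, name: str, username: str, email: str) -> list:
    """Length, four-category and identity-fragment checks; returns all violations."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    categories = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(not c.isalnum() for c in password),
    }
    missing = [k for k, present in categories.items() if not present]
    if missing:
        errors.append("missing category: " + ", ".join(missing))
    lowered = password.lower()
    for token in sorted(identity_tokens(name, username, email)):
        if token in lowered:
            errors.append(f"contains identity fragment '{token}'")
    return errors


def history_conflict(record: PasswordRecord, password: str) -> bool:
    """Recompute the candidate against every stored salt; constant-time compare."""
    for salt, digest in record.history:
        if hmac.compare_digest(_scrypt(password, salt), digest):
            return True
    return False


def validate_change(record: PasswordRecord, new_password: str, name: str,
                    username: str, email: str, now: float | None = None) -> list:
    """Every reason the change would be rejected; an empty list means accepted."""
    now = time.time() if now is None else now
    errors = complexity_errors(new_password, name, username, email)
    if record.history and now - record.last_changed < MIN_AGE_SECONDS:
        errors.append("minimum password age of 1 day not reached")
    if history_conflict(record, new_password):
        errors.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return errors


def apply_change(record: PasswordRecord, new_password: str, now: float | None = None) -> None:
    """Persist only a fresh salt and hash; the plaintext is never stored."""
    now = time.time() if now is None else now
    salt = os.urandom(16)
    record.history.append((salt, _scrypt(new_password, salt)))
    del record.history[:-HISTORY_DEPTH]   # keep exactly the last 10
    record.last_changed = now


def is_expired(record: PasswordRecord, now: float | None = None) -> bool:
    """True once the 365-day maximum age has elapsed."""
    now = time.time() if now is None else now
    return now - record.last_changed > MAX_AGE_SECONDS
```

Because the history holds only salted hashes, the reuse check costs one scrypt computation per stored entry, which is the intended trade-off: the prior passwords are never recoverable from the record, and the check runs only on a change attempt.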
Multi-Factor Authentication
- MFA required: Multi-Factor Authentication is mandatory for all user accounts across all systems covered by this policy.
- MFA methods: We support TOTP-based authenticator apps and hardware security keys.
API Key Management
- Encryption: All API keys, SP-API tokens, and credentials are encrypted at rest using AES-256 and accessible only to employees who require them for their role.
- Rotation: API keys and associated credentials are rotated at minimum once every 12 months.
- No exposure: API credentials are never hardcoded, committed to repositories, or exposed in client-side code.
DPP 1.5 Encryption in Transit
- TLS 1.2+: All data transmissions use TLS 1.2 or higher. Older protocols (SSL, TLS 1.0, TLS 1.1) are disabled.
- All endpoints: Encryption is enforced on all internal and external endpoints, including API communications, web interfaces, and database connections.
- Secure file transfer: Where file transfers are required, SFTP or SSH-2 protocols are used.
- No unencrypted PII: Personally identifiable information is never transmitted over unencrypted channels.
- Message-level encryption: Where channel encryption terminates in untrusted hardware or third-party infrastructure, message-level encryption is applied to protect data end-to-end.
- Certificate management: TLS certificates are managed and renewed before expiration. Certificate pinning is used where applicable.
DPP 1.6 Risk Management and Incident Response
Risk Management
- Annual risk assessments: Formal risk assessments are conducted annually and reviewed by senior management to identify threats, vulnerabilities, and required controls.
- Scope: Assessments cover all systems that process, store, or transmit Amazon Information, including third-party services.
- Remediation tracking: Identified risks are documented with remediation plans, owners, and target dates.
Incident Response Plan
- Documented plan: We maintain a documented incident response plan with defined roles, responsibilities, procedures, and escalation paths.
- Review cadence: The plan is reviewed every 6 months and after any major infrastructure change or security incident.
- Detection: Continuous monitoring and logging are employed to detect potential security incidents in real time.
Incident Handling
- Amazon notification: Any Security Incident involving Amazon Information is reported to Amazon at 3psecurity@amazon.com within 24 hours of detection.
- User notification: Affected users are notified per applicable law (PIPEDA: as soon as feasible; GDPR: within 72 hours; CCPA: without unreasonable delay).
- Investigation: All incidents are investigated and documented, including description of the incident, remediation actions, and corrective controls implemented.
- Chain of custody: Chain of custody is maintained for all evidence collected during incident investigation.
- Incident Management Point of Contact: A designated Incident Management Point of Contact is responsible for coordinating response efforts and Amazon communication.
DPP 1.7 Request for Deletion
- Amazon-initiated deletion: Upon notice from Amazon to delete Information, all applicable data is permanently and securely deleted within 30 days.
- User-initiated deletion: Users may request deletion by emailing hello@daysout.ai with the subject line "Data Deletion Request". Requests are processed within 30 days.
- SP-API revocation: Upon revocation of SP-API access through Amazon Seller Central, all associated SP-API data is deleted within 30 days.
- Scope of deletion: Deletion covers all live instances, backups, archives, and disaster recovery stores. All live instances are deleted within 90 days of notice.
- Deletion standard: Data sanitization follows NIST SP 800-88 guidelines (Clear, Purge, or Destroy methods as appropriate to the storage medium).
- No anonymization substitute: Anonymization is not used as a substitute for deletion. When deletion is requested, data is permanently removed.
- Written certification: Upon request, we will certify deletion in writing, confirming that all applicable data has been permanently removed from our systems.
- Non-PII retention: Non-personally identifiable Amazon data is deleted within 18 months unless legally required to retain.
- Legal retention: Where required by law, minimal data may be retained in encrypted cold storage solely for legal compliance, with documentation of the legal basis.
DPP 1.8 Data Attribution
All Amazon-sourced data is stored with clear attribution to identify its origin:
- Source tagging: Every record sourced from Amazon SP-API is tagged with a data source identifier and the originating selling partner account, enabling precise tracking and deletion.
- Logical separation: Amazon data is logically separated from non-Amazon data through database schemas, Row-Level Security policies, and source tagging, ensuring it can be independently identified, managed, and deleted.
- No commingling: Amazon Information is not commingled with data from other sources in a way that would prevent independent identification and deletion.
DPP 2.1 PII Data Retention
Personally Identifiable Information obtained through Amazon SP-API is subject to strict retention limits:
- Maximum retention: PII is retained for no longer than 30 days after order delivery or after the authorized purpose is fulfilled, whichever comes first.
- Permitted purposes only: PII is used exclusively for: (1) fulfilling merchant-fulfilled shipping obligations, (2) tax calculation and remittance, (3) producing legally required documents (invoices, customs declarations), and (4) meeting legal or regulatory requirements.
- Extended retention: PII may only be retained beyond 30 days where required by law for one of the four permitted purposes above, stored in encrypted cold storage in physically secure facilities.
- No marketing use: PII is never used for marketing, advertising, or promotional purposes.
DPP 2.2 Data Governance
- Privacy and data handling policy: This Data Protection Policy and our Privacy Policy together constitute our documented privacy and data handling classification policy.
- Data processing records: We maintain records of data processing activities covering categories of data subjects, categories of data processed, purposes of processing, categories of recipients, retention periods, international transfers, and disposal of Amazon Information.
- Legal compliance: We identify and comply with applicable privacy and security laws including PIPEDA, GDPR, CCPA/CPRA, and Amazon's DPP and AUP.
- Consent management: Customer consent is obtained through Amazon's OAuth mechanism for SP-API access. Users can revoke access at any time through Amazon Seller Central.
- Data subject access requests: Documented internal procedures govern the intake, verification, processing, and response to data subject access requests (DSARs), including rights to access, correction, deletion, portability, objection, and restriction. Requests are acknowledged within 5 business days and fulfilled within the applicable regulatory timeframe (30 days PIPEDA/GDPR, 45 days CCPA).
- Employee confidentiality: All personnel with access to Amazon Information sign confidentiality and data protection agreements as a condition of access.
DPP 2.3 Asset Management
- Baseline configurations: Production systems maintain documented baseline security configurations. Deviations require formal approval.
- Patch management: Security patches, updates, and fixes are installed regularly. Critical patches within 7 days, high-risk within 30 days.
- Quarterly asset inventory: An inventory of all software and physical assets that access, store, or process PII is maintained and updated quarterly.
- Change management: A formal change management process with segregation of duties governs all changes to production systems.
- No removable media: PII is never stored on removable media, personal devices, or unsecured public cloud applications unless encrypted to AES-256 standard.
- Printed PII disposal: Any printed documents containing PII are securely destroyed via cross-cut shredding when no longer needed.
- Data Loss Prevention: DLP controls are in place to prevent unauthorized exfiltration of Amazon Information from our systems.
DPP 2.4 Encryption at Rest
- Standard: All PII and Amazon Information is encrypted at rest using AES-256 encryption.
- Key Management System: A KMS handles the full cryptographic key lifecycle including generation, exchange, secure storage, revocation, and rotation.
- Restricted key access: Cryptographic materials are restricted to authorized processes and services only. No individual has direct access to raw encryption keys.
- Backups encrypted: All backup data, including automated daily backups with point-in-time recovery, is encrypted to the same AES-256 standard.
DPP 2.5 Secure Coding Practices
- No hardcoded credentials: Sensitive credentials (encryption keys, secret access keys, passwords, API tokens) are never hardcoded in source code. All secrets are managed through environment variables and encrypted secret stores.
- No public exposure: Automated scanning prevents credentials from being committed to version control or exposed in public repositories.
- Separate environments: Development, staging, and production environments are fully separated. Test data does not contain real PII. Production credentials are not used in non-production environments.
- Code review: All code changes undergo peer review before deployment, with security considerations as a review criterion.
- OWASP compliance: Development follows OWASP Top 10 guidelines to prevent common vulnerabilities including injection, XSS, CSRF, and insecure deserialization.
DPP 2.6 Logging and Monitoring
Log Content
Security event logs capture:
- Successful and failed authentication attempts
- Date, time, and source of access attempts
- Data access and modification events
- System errors and exceptions
- Administrative and configuration changes
Log Coverage
- All channels: Logging is implemented across service APIs, storage-layer APIs, administrative dashboards, and infrastructure components.
- PII exclusion: PII is excluded from log entries unless legally required. Logs are designed to capture security-relevant events without exposing sensitive data.
Log Review and Monitoring
- Review frequency: Logs are reviewed in real-time via automated alerting and bi-weekly through manual audit.
- Log integrity: Access to logs is restricted to authorized security personnel. Logs are protected against unauthorized access and tampering.
- Retention: Security logs are retained for a minimum of 12 months.
- Suspicious activity monitoring: Automated monitoring detects unauthorized API calls, unexpected request rates, anomalous data access patterns, canary data retrieval, and potential data exfiltration beyond system boundaries.
- Investigation: All triggered alarms are documented and investigated, with findings and remediation actions recorded.
DPP 2.7 Vulnerability Management
We maintain a documented vulnerability detection and remediation plan covering all systems that process Amazon Information:
- Vulnerability scanning: Automated vulnerability scans are performed at least every 30 days across all systems that process Amazon Information.
- Penetration testing: External penetration tests are conducted at least annually by qualified security professionals.
- Pre-release code scanning: Code is scanned for security vulnerabilities before each production release.
- Critical vulnerabilities: Remediated within 7 days of identification.
- High-risk vulnerabilities: Remediated within 30 days of identification.
- Dependency monitoring: Third-party dependencies are continuously monitored for known vulnerabilities via automated tooling.
Business Continuity
- Availability restoration: Procedures are maintained to restore availability and access to Amazon Information in a timely manner following a disruption.
- Geographically separated backups: Backup data is stored in a geographically separated secondary site to support defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).
- Automated backups: Daily automated backups with point-in-time recovery ensure data can be restored to any point within the retention window.
DPP 2.8 Subcontractors
Before granting any third-party service provider access to Amazon Information, we conduct due diligence on their data protection practices:
- Risk assessments: Third-party risk assessments are conducted before granting initial access and annually thereafter before renewing access to any data containing PII.
- Comparable security standards: Service providers must maintain security controls comparable to those described in this policy.
- Data protection agreements: All service providers are bound by data protection agreements and their own privacy policies.
- Current providers: Supabase (database and authentication, hosted on AWS), Cloudflare (website hosting and security), and Cal.com (appointment scheduling).
- Minimum access: Third parties receive only the minimum data access necessary to provide their contracted services.
DPP 2.9 AI/ML Data Processing Controls
Where AI/ML systems are used to process Amazon Information, the following additional controls apply:
Data Restrictions
- No model training: Amazon SP-API data and Amazon Materials are not used to train, develop, or improve AI/ML models, in compliance with Amazon's Business Solutions Agreement (Section 4.2).
- No cross-seller aggregation: Data from different selling partners is never aggregated, combined, or pooled for AI/ML processing.
- PII exclusion: Personally identifiable information obtained through SP-API is never used as input to AI/ML systems.
- Data minimization: Only the minimum data necessary for the specific AI feature is processed. Input data is scoped to the authorized selling partner's account.
Security Controls
- Encryption in AI pipeline: All data transmitted to and from AI processing systems is encrypted in transit (TLS 1.2+) and at rest (AES-256), consistent with Sections 1.5 and 2.4 of this policy.
- Access controls: Access to AI systems that process Amazon Information is restricted to authorized personnel and governed by the same RBAC and least-privilege controls described in Sections 1.2 and 1.3.
- Logging: AI data processing events are logged per the requirements in Section 2.6, including inputs processed, outputs generated, and access events.
- Data integrity and validation: Data integrity and validation checks are implemented for AI features that have material impact on a selling partner's business, in compliance with Amazon's AUP (Section 2.10).
Third-Party AI Providers
- DPP compliance: Third-party AI service providers that process Amazon Information are subject to the same subcontractor requirements described in Section 2.8, including risk assessments, comparable security standards, and data protection agreements.
- No data retention for training: Third-party AI providers are contractually prohibited from retaining, using, or training on data submitted through our platform.
- Data residency: AI processing occurs within the United States and Canada.
Agent Policy Compliance
- Agent identification: Any automated systems or AI agents that access Amazon Services identify themselves as automated systems at all times, in compliance with Amazon's Agent Policy (BSA Section 19).
- Cessation mechanism: We maintain the ability to immediately cease all AI agent access to Amazon Services upon Amazon's request.
- Continuous compliance: AI agents comply with Amazon's Agent Policy requirements at all times, not only at initial deployment.
AI Incident Response
- AI-specific incidents: Security incidents involving AI systems that process Amazon Information are handled per the incident response procedures in Section 1.6, with the same 24-hour Amazon notification requirement.
- Model output anomalies: Anomalous AI outputs are monitored, flagged, and investigated as potential security or data integrity events.
DPP 3.1 Audit and Assessment
- Compliance records: We maintain books and records sufficient to verify compliance with Amazon's Data Protection Policy for the duration of our agreement plus 12 months.
- Written certification: Upon Amazon's request, we will certify compliance in writing.
- Audit cooperation: We will cooperate with Amazon's audits of our books, records, facilities, operations, and security systems as they relate to the protection of Amazon Information.
- Deficiency remediation: Any identified deficiencies will be remediated at our cost within agreed timeframes, with remediation evidence provided in the requested format.
- Approval before closure: Remediation items are not considered closed until written approval is obtained from Amazon.