This Data Protection Policy ("DPP") is established by TechSera Inc. to govern the secure handling of Information retrieved from and vended through the Amazon Services API. This policy applies to all systems and processes at TechSera Inc. that store, process, or otherwise handle such data. By adhering to this policy, TechSera Inc. ensures compliance with the requirements set forth by Amazon.
TechSera Inc. maintains physical, administrative, and technical safeguards and other security measures consistent with industry standards to protect Information. These measures are designed to ensure the security and confidentiality of Information and to protect it from all forms of unauthorized access, loss, or alteration.
TechSera Inc. implements network protection controls, including network firewalls and network access control lists, to deny access to unauthorized IP addresses. We also implement network segmentation, intrusion detection and prevention mechanisms (including defense in depth methods), and anti-virus and anti-malware tools on a periodic basis, with a minimum frequency of at least monthly. Access to systems containing Information is restricted only to approved internal employees with coding and development responsibilities who have completed data protection and IT security awareness trainings ("Approved Users"). TechSera Inc. maintains secure coding practices and conducts data protection and IT security awareness training for Approved Users on at least an annual basis.
TechSera Inc. establishes and maintains a formal user access registration process to assign unique access rights to each individual with computer access to Information. We do not create or use generic, shared, or default login credentials or user accounts and we actively prevent user accounts from being shared. We implement baselining mechanisms to ensure that, at all times, only the required user accounts have access to Information. Employees and contractors are prohibited from storing Information on personal devices. We enforce "account lockout" by detecting anomalous usage patterns and login attempts, and disabling accounts with access to Information upon detection. The list of individuals and services with access to Information is reviewed at least quarterly. Access is disabled and/or removed within 24 hours for all terminated employees.
TechSera Inc. implements fine-grained access control mechanisms to grant rights to any party using our Application and its authorized operators, following the principle of least privilege. Access to Information is granted on a "need-to-know" basis.
TechSera Inc. establishes minimum password requirements for all personnel and systems with access to Information. Passwords must be a minimum of twelve (12) characters, not include any part of the user’s name, and include a mix of upper-case letters, lower-case letters, numbers, and special characters. TechSera Inc. also establishes a minimum password age of 1-day and a maximum 365-day password expiration for all users. Multi-Factor Authentication (MFA) is a mandatory requirement for all user accounts. All API keys provided by Amazon are encrypted, and access is restricted to only required employees.
TechSera Inc. encrypts all Information in transit using secure protocols such as TLS 1.2+, SFTP, and SSH-2. This security control is enforced on all applicable internal and external endpoints. Data message-level encryption is used in any scenario where channel encryption terminates in untrusted multi-tenant hardware.
TechSera Inc. maintains a risk assessment and management process, reviewed annually by senior management, to assess potential threats and vulnerabilities and track known risks. We create and maintain an Incident Response Plan (IRP) to detect and handle Security Incidents. The plan identifies roles and responsibilities, defines incident types that may affect Amazon, outlines procedures for defined incident types, and establishes an escalation path to Amazon via email to security@amazon.com. The IRP is reviewed and verified every six (6) months and after any major infrastructure or system change. TechSera Inc. notifies Amazon within 24 hours of detecting a Security Incident. We are solely responsible for informing relevant government or regulatory agencies as required by local laws. Each Security Incident is investigated and documented, including the incident description, remediation actions, and implemented corrective controls. The chain of custody for all evidence and records is maintained and made available to Amazon upon request.
TechSera Inc. permanently and securely deletes Information upon and in accordance with Amazon's notice. Secure deletion occurs within 30 days of Amazon’s request unless the data is necessary for legal, tax, or regulatory requirements. All live (online or network accessible) instances of Information are permanently and securely deleted 90 days after Amazon's notice. If requested by Amazon, TechSera Inc. certifies in writing that all Information has been securely destroyed.
TechSera Inc. stores Information in a separate database or implements a mechanism to tag and identify the origin of all data in any database that contains Information.
The following requirements apply to all Personally Identifiable Information ("PII") and any data stores that combine PII with non-PII.
TechSera Inc. retains PII for no longer than 30 days after order delivery, and only for the purpose of, and as long as is necessary to (i) fulfill orders, (ii) calculate and remit taxes, (iii) produce tax invoices and other legally required documents, and (iv) meet legal requirements. PII is not transmitted or stored unprotected at any time.
TechSera Inc. creates, documents, and abides by a privacy and data handling policy that includes the classification of information assets. We maintain a record of data processing activities for all PII to establish accountability and compliance. TechSera Inc. has a process in place to detect and comply with applicable privacy and security laws, and maintains documented evidence of this compliance. We abide by our privacy policy for customer consent and data rights, and have technical and organizational systems in place to assist Authorized Users with data subject access requests. TechSera Inc. includes contractual provisions in employment contracts with employees that process PII to maintain confidentiality.
TechSera Inc. maintains a baseline standard configuration for information systems and installs patches, updates, defect fixes, and upgrades on a regular basis. We maintain, and update quarterly, an accurate inventory of all software and physical assets (e.g., computers, mobile devices) with access to PII. A change management process is maintained for all information systems with access to PII, ensuring that software and hardware are tested, verified, and approved with a segregation of duties. We do not store PII on removable media, personal devices, or unsecured public cloud applications unless it is encrypted. TechSera Inc. securely disposes of any printed documents containing PII and implements data loss prevention (DLP) controls to monitor and detect unauthorized data movement.
TechSera Inc. encrypts all PII at rest using at least AES-128 or RSA with 2048-bit key size or higher. The cryptographic materials and capabilities used for encryption are accessible only to TechSera Inc.'s processes and services.
TechSera Inc. does not hardcode sensitive credentials in our code, including encryption keys, secret access keys, or passwords. Sensitive credentials are not exposed in public code repositories. We maintain separate test and production environments for our systems.
TechSera Inc. gathers logs to detect security-related events to our Applications and systems. This logging mechanism is implemented on all channels providing access to Information. Logs are reviewed in real-time or on a bi-weekly basis. All logs have access controls to prevent unauthorized access and tampering and do not contain PII unless required by law. Unless otherwise required, logs are retained for at least 90 days. TechSera Inc. builds mechanisms to monitor logs and system activities to trigger investigative alarms on suspicious actions. Monitoring alarms and processes are implemented to detect if Information is extracted from or found beyond its protected boundaries.
TechSera Inc. creates and maintains a plan to detect and remediate vulnerabilities. We perform vulnerability scans at least every 180 days, conduct penetration tests at least every 365 days, and scan code for vulnerabilities prior to each release. We have appropriate procedures and plans to restore availability and access to PII in a timely manner in the event of a physical or technical incident.
TechSera Inc. maintains all appropriate books and records to verify compliance with this policy and Amazon's terms for the duration of our agreement and for 12 months thereafter. Upon Amazon's written request, we certify in writing that we are in compliance. We cooperate with Amazon or Amazon’s auditor in any requested audit or assessment of our systems. If an audit reveals deficiencies, TechSera Inc. takes all necessary actions to remediate those deficiencies at our sole cost and expense within an agreed-upon timeframe.
TechSera Inc. adopts all definitions as provided in the Amazon Data Protection Policy for terms such as "Information," "Personally Identifiable Information," "Security Incident," and "Developer."