Data Protection Policy (DPP)
This Data Protection Policy («DPP») governs how İnovabil Teknoloji A.Ş. (Netkasam App) receives, stores, uses, transfers, and disposes of Information, including the data vended and retrieved through the Amazon Services API (including the Marketplace Web Service API and the Selling Partner API). This policy applies to all systems that store, process, or otherwise handle data vended and retrieved from the Amazon Services API, and ensures that İnovabil Teknoloji A.Ş. (Netkasam App) complies with the following Amazon policies:
Data Protection Policy (DPP)
Acceptable Use Policy (AUP)
Amazon Services API Developer Agreement
1. GENERAL SECURITY REQUIREMENTS
Consistent with industry-leading security, İnovabil Teknoloji A.Ş. (Netkasam App) will maintain physical, administrative, and technical safeguards, and other security measures to maintain the security and confidentiality of Information accessed, collected, used, stored, or transmitted by İnovabil Teknoloji A.Ş. (Netkasam App), and to protect that information from known or reasonably anticipated threats or hazards to its security and integrity, accidental loss, alteration, disclosure, and all other unlawful forms of processing. Without limitation, İnovabil Teknoloji A.Ş. (Netkasam App) will comply with the following requirements:
1.1 Network Protection
All İnovabil Teknoloji A.Ş. (Netkasam App) servers implement network protection controls, including network firewalls and network access control lists, to deny access from unauthorized IP addresses. Access from the public internet is restricted to authorized and approved users.
1.2 Access Management
Access to Amazon information is strictly limited to users who require access in order to perform specific required tasks, and access is limited where possible to only required data. All users are unique with no shared logins. Access is logged and monitored. Employees must request access and provide a reason when accessing Amazon data. Access can be revoked at any time if required and is reviewed regularly. Upon leaving the company, access permissions are revoked immediately. No Amazon data is allowed to be stored on removable devices, other than anonymized data such as overall sales figures. No PII is ever downloaded onto devices. The Company will maintain and enforce account lockout by detecting anomalous usage patterns and login attempts, and disabling accounts with access to Information as needed.
1.3 Least Privilege Principle
Access is provided to developers and other employees on a need-to-know basis using fine-grained access controls to assign specific roles to minimize access based on the need to perform duties.
1.4 Passwords and Credentials Management
The company sets minimum requirements on passwords and credentials for access to systems. These requirements are:
12 or more characters of password length
1 day of minimum password age
180 days of password expiry time
3 failed attempts allowed with an invalid password before a temporary lock-out
Passwords must include at least one uppercase, one lowercase, one number, and one special character
1.5 Encryption in Transit
All data in transit on İnovabil Teknoloji A.Ş. (Netkasam App) systems is encrypted using HTTPS (TLS) and SSH as it traverses the network. No data in transit is left unencrypted, including on paths that are currently unused.
1.6 Risk Management and Incident Response Plan
In case of unauthorized access to servers, database compromise, or data leakage, Amazon would be contacted first, within 24 hours of the incident, by email to 3p-security@amazon.com and security@amazon.com. We would then follow the incident response runbook, which involves both non-security teams and the legal department. The main steps follow «NIST SP 800-61: Computer Security Incident Handling Guide»; where affected media must be sanitized as part of remediation, «NIST SP 800-88: Guidelines for Media Sanitization» is followed. If required by local law, we would also notify the relevant supervisory authority of the incident within 72 hours of detection, as well as any persons directly affected. To prevent the incident from recurring, the description of the incident, the process followed to correct it, the controls implemented in the system, and the new processes introduced to resolve the problem would be documented. Should Amazon request access to the documentation or the collected logs, it will be made available immediately. Under no circumstances will developers speak on behalf of Amazon to any authority or customer unless specifically requested in writing by Amazon.
1.7 Request for Deletion or Return
Within 72 hours of Amazon’s request, İnovabil Teknoloji A.Ş. (Netkasam App) will permanently and securely delete (in accordance with «NIST SP 800-88: Guidelines for Media Sanitization») or return Amazon Information in accordance with Amazon’s notice requiring deletion or return. İnovabil Teknoloji A.Ş. (Netkasam App) will also permanently and securely delete all live instances of Amazon Information within 90 days after Amazon’s notice. If requested by Amazon, İnovabil Teknoloji A.Ş. (Netkasam App) will certify in writing that all Amazon Information has been securely destroyed.
2. ADDITIONAL SECURITY REQUIREMENTS SPECIFIC TO PERSONALLY IDENTIFIABLE INFORMATION
2.1 Data Retention
Amazon PII is stored by İnovabil Teknoloji A.Ş. (Netkasam App) on privately hosted database servers for the sole purpose of managing client orders and shipments and issuing tax invoices. Amazon PII is removed from İnovabil Teknoloji A.Ş. (Netkasam App)’s databases no more than 30 days after the fulfillment of an order. No Amazon PII is stored in logs or other files. Amazon PII may be retained for longer than 30 days only where required by law, and only for the purpose of complying with that law.
2.2 Data Governance
İnovabil Teknoloji A.Ş. (Netkasam App) has an asset management policy defining how software and physical assets are kept in an inventory and how the inventory is updated as assets are reassigned, added, or returned. It also specifies procedures for data sanitization as assets are reassigned or removed from the inventory. The policy is reviewed every 6 months, at which point a full asset inventory is performed. İnovabil Teknoloji A.Ş. (Netkasam App) also has a publicly available privacy policy stating our compliance with all applicable data privacy regulations.
2.3 Asset Management
The Company will keep an inventory of software and physical assets with access to PII, and update quarterly (every 3 months). Physical assets that store, process, or otherwise handle PII will abide by all of the requirements set forth in this policy. The Company will not store PII in removable media, personal devices, or unsecured public cloud applications. The Company will securely dispose of any printed documents containing PII.
2.4 Encryption at Rest
All Amazon PII is encrypted at rest using industry-standard AES-128 encryption. No Amazon PII is allowed to be stored on external media or in unsecured cloud applications. All cryptographic material and cryptographic capabilities used to encrypt PII at rest are accessible only to the İnovabil Teknoloji A.Ş. (Netkasam App) system and to the developers’ processes and services running on our privately hosted cloud servers.
2.5 Secure Coding Practices
Developers will never save or store keys, credentials, or passwords in application code or in public repositories, and will always keep development and production environments separated.
2.6 Logging and Monitoring
An internal process log file is generated each day and retained for at least 90 days so that it remains available as a reference during a security incident; an administrator clears a log manually only after any anomaly it records has been resolved and the 90-day retention period has elapsed. No PII is ever logged anywhere on İnovabil Teknoloji A.Ş. (Netkasam App) systems. Code changes are attributed to specific users. API logs are stored in databases on our privately hosted cloud servers. Unauthorized access and unexpected request rates are flagged, and suspicious activity is monitored by system administrators, who initiate an investigation as detailed in the Incident Response Plan.
2.7 Vulnerability Management
Our organization has a runbook designed to detect, remediate, and correct vulnerabilities in the system. Through an internal task manager (Monday), developers record any vulnerability found in the system and classify it by severity and priority so that members of the development team are aware of it. Remediation is prioritized according to the severity of the vulnerability, and immediate action is taken in the most critical cases. Each report records the user who reported it, the date and time, and other relevant parameters. Any software or hardware change is tested, verified, and approved by developers within our team. Once a finding is corrected, the organization’s developers follow up thoroughly for several weeks to confirm that the problem has been fully fixed. An exhaustive vulnerability analysis is carried out at least every 180 days, and system penetration tests are carried out at least every 365 days. If issues are detected, the team works on their correction immediately.
3. AUDIT AND ASSESSMENT
İnovabil Teknoloji A.Ş. (Netkasam App) will, upon request, provide Amazon with all records needed to demonstrate compliance with the AUP, the DPP, and the Amazon Services API Developer Agreement during the period of our agreement with Amazon and for 12 months thereafter. İnovabil Teknoloji A.Ş. (Netkasam App) will also cooperate fully with any auditor assigned by Amazon and allow them to inspect the books, records, facilities, operations, and security of all systems involved in İnovabil Teknoloji A.Ş. (Netkasam App)’s application for the retrieval, storage, or processing of Amazon Information. Any breaches, failures, or deficiencies flagged as part of an audit will be rectified by İnovabil Teknoloji A.Ş. (Netkasam App) at our own expense within the agreed timeframe.