Data Protection Policy
Effective Date: February 8, 2026
Last Updated: February 8, 2026
Version: 1.0
Purpose: This Data Protection Policy ("DPP") establishes the security requirements and technical safeguards implemented by XTGH Services for the receipt, storage, processing, usage, transfer, and disposal of customer information, including all data accessed through marketplace APIs (Amazon SP-API, Walmart API, eBay API, TikTok Shop API). This policy ensures the protection of our customers and their end-user data.
1 Policy Scope and Applicability
This Data Protection Policy applies to all XTGH Services systems, applications, and infrastructure that store, process, or otherwise handle customer information retrieved from marketplace APIs or collected through our platform. This policy supplements our Privacy Policy and Terms of Service.
Covered Systems:
- Production and staging environments processing customer data
- Data warehouses and analytics platforms
- API integration services and middleware
- Customer-facing applications and dashboards
- Backup and disaster recovery systems
- Development environments accessing production data
2 General Security Requirements
XTGH Services maintains comprehensive physical, administrative, and technical safeguards consistent with industry-leading security practices to protect customer information from unauthorized access, disclosure, alteration, and destruction.
2.1 Network Protection
Firewall and Access Controls:
- Network firewalls configured to deny unauthorized IP addresses
- Network access control lists (ACLs) restricting traffic by source, destination, and protocol
- Network segmentation isolating production, staging, and development environments
- Defense-in-depth architecture with multiple security layers
Intrusion Detection and Prevention:
- Intrusion Detection Systems (IDS) with signature-based pattern matching
- Intrusion Prevention Systems (IPS) to identify and block malicious behavior
- Real-time threat intelligence integration
- Automated alerting on suspicious network activity
Malware Protection:
- Anti-virus and anti-malware tools on all systems
- Automated updates performed at least monthly
- Technical controls preventing employees from disabling anti-virus software
- Regular scanning schedules for all endpoints and servers
Access Restrictions:
- System access limited to approved internal employees with documented responsibilities
- All approved users complete annual data protection and IT security awareness training
- Secure coding practices enforced through code review processes
2.2 Access Management
User Registration and Authentication:
- Formal user access registration process with documented approval workflows
- Unique IDs assigned to each person with system access
- No generic, shared, or default login credentials permitted
- User accounts cannot be shared between individuals
Account Security and Monitoring:
- Baseline mechanisms ensure only required accounts access customer information
- Personal devices prohibited from storing customer information
- Account lockout after 10 or fewer unsuccessful login attempts
- Anomalous usage pattern detection with automated account disabling
Access Reviews:
- Quarterly reviews of personnel and services with data access
- Access disabled within 24 hours for terminated employees
- Automated offboarding processes ensuring complete access revocation
2.3 Least Privilege Principle
- Fine-grained access control mechanisms implemented across all systems
- Rights granted on a strict "need-to-know" basis
- Role-based access control (RBAC) with approval workflows
- Regular audits to prevent privilege creep
- Separation of duties for critical operations
2.4 Credential Management
Password Requirements:
- Minimum length: 12 characters
- Complexity: Mix of upper-case, lower-case, numbers, and special characters
- Exclusions: Cannot include any part of the user's name
- Minimum age: 1 day before password change allowed
- Maximum age: 365-day expiration for all users
- History: Last 10 passwords prevented from reuse
Multi-Factor Authentication (MFA):
- MFA required for all user accounts without exception
- Support for authenticator apps, hardware tokens, and biometric methods
- MFA enforced before accessing customer information
API Key Management:
- All marketplace API keys encrypted at rest
- Access restricted to only required employees
- API keys and credentials rotated at minimum once every 12 months
- Automated key rotation where supported by marketplace platforms
2.5 Encryption in Transit
- All customer information encrypted in transit using TLS 1.2 or higher
- Secure protocols enforced: TLS 1.2+, SFTP, SSH-2
- Security controls enforced on all internal and external endpoints
- Message-level encryption implemented where channel encryption terminates in untrusted multi-tenant hardware
- Certificate management with automated renewal and validation
2.6 Risk Management and Incident Response Plan
Risk Assessment:
- Annual risk assessment reviewed by senior management
- Assessment of potential threats, vulnerabilities, likelihood, and impact
- Risk register maintained to track known risks and mitigation strategies
- Continuous risk monitoring and updating as threats evolve
Incident Response:
- Comprehensive incident response plan and runbooks maintained
- Defined incident types and response procedures
- Clear incident response roles and responsibilities
- Escalation paths for critical incidents
- Plan reviewed every 6 months and after major infrastructure changes
Security Incident Notification:
- Amazon notified within 24 hours of security incidents involving their data (security@amazon.com)
- Customers notified within 72 hours of incidents affecting their data
- Government/regulatory agencies notified as required by applicable laws
- Designated Incident Management Point of Contact (IMPOC) available 24/7
Incident Documentation:
- Full investigation and documentation of each security incident
- Remediation actions and corrective controls documented
- Chain of custody maintained for all evidence
- Documentation made available to marketplace partners upon request
2.7 Request for Deletion
- Customer information permanently deleted within 30 days of deletion request
- Live (online/network-accessible) instances deleted within 90 days of request
- Non-PII data deleted within 18 months unless legally required for longer retention
- Deletion performed using NIST 800-88 sanitization standards
- Written certification of secure destruction provided upon request
- Exception: Data retained as necessary for legal, tax, or regulatory compliance
2.8 Data Attribution
- Customer information stored in separate databases per customer
- Data tagging mechanisms identify origin of all data in mixed databases
- Clear data attribution enables customer-specific data operations
- Database isolation prevents cross-customer data access
3 Additional Requirements for Personally Identifiable Information (PII)
PII Definition: Information that can be used to identify, contact, or locate an individual, including names, addresses, email addresses, phone numbers, payment details, IP addresses, and other identifying information. When PII is present in any data store, the entire data store must comply with all PII-specific requirements.
3.1 Data Retention
- Maximum Retention: PII retained for no longer than 30 days after order delivery
- Permitted Purposes: Fulfilling orders, calculating taxes, producing legally required documents
- Legal Exception: Extended retention permitted only when required by law
- No Unprotected Storage: PII never transmitted or stored without encryption protection
3.2 Data Governance
Privacy Policy and Data Handling:
- Documented privacy and data handling policy governing information management
- Data classification policy defining appropriate technical controls
- Record of processing activities maintained for all PII
- Documentation of data fields collected, processed, stored, used, shared, and disposed
Legal Compliance:
- Process established to detect and comply with applicable privacy and security laws
- Documented evidence of compliance retained
- Regular legal and regulatory review
Customer Rights:
- Privacy policy addresses customer consent and data rights
- Technical processes for data subject access requests
- Capability to access, rectify, erase, or stop processing customer information
- Employment contracts include PII confidentiality provisions
3.3 Asset Management
Configuration and Patching:
- Baseline standard configuration for all information systems
- Regular installation of patches, updates, and security fixes
- Quarterly updated inventory of software and physical assets with PII access
- Inventory includes device status and maintenance compliance
Change Management:
- Formal change management process for all systems handling PII
- Testing and verification required before implementation
- Segregation of duties between change approvers and testers
- Rollback procedures documented for all changes
Storage Restrictions:
- PII prohibited on removable media unless encrypted (AES-128 or RSA-2048 minimum)
- No PII storage on personal devices
- Unsecured public cloud applications prohibited for PII storage
- Printed documents with PII securely disposed using cross-cut shredding
- Data Loss Prevention (DLP) controls monitor unauthorized data movement
3.4 Encryption at Rest
- Encryption Standards: All PII encrypted using AES-128 or RSA-2048 bit keys (or higher)
- Key Management: Cryptographic materials accessible only to authorized processes and services
- Key Management System (KMS): Complete key lifecycle management implemented
- Key Operations: Generation, exchange, secure storage, revocation, and rotation per industry best practices
- Access Control: Encryption/decryption capabilities restricted to necessary services
3.5 Secure Coding Practices
- No hardcoded sensitive credentials in code (encryption keys, access keys, passwords)
- Sensitive credentials excluded from public code repositories
- Separate test and production environments maintained
- Code review processes enforce secure coding standards
- Static code analysis tools scan for security vulnerabilities
3.6 Logging and Monitoring
Log Collection:
- Security-related events logged including success/failure, date/time, access attempts
- Data changes and system errors captured
- Logging on all channels: service APIs, storage-layer APIs, administrative dashboards
- PII excluded from logs unless legally required
Log Analysis:
- Real-time log review using SIEM tools or bi-weekly manual review
- Access controls prevent unauthorized log access and tampering
- Log retention for at least 12 months for security investigation
Alerting and Response:
- Automated alerts on suspicious activities (multiple unauthorized calls, unexpected request rates)
- Monitoring for data extraction beyond protected boundaries (Dark Web scanning)
- Canary data records to detect unauthorized access
- Investigation procedures documented in Incident Response Plan
3.7 Vulnerability Management
Scanning and Testing:
- Vulnerability scanning at least every 30 days
- Penetration testing at least every 365 days
- Code vulnerability scanning prior to each release
- Hardware containing PII protected from technical vulnerabilities
Remediation Timelines:
- Critical vulnerabilities: Remediated within 7 days
- High-risk vulnerabilities: Remediated within 30 days
- Documented remediation plans and procedures
Business Continuity:
- Procedures to restore PII availability and access after incidents
- Geographically separated secondary/backup sites
- Defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
- Regular testing of backup and recovery procedures
3.8 Subcontractors and Third Parties
- Annual third-party risk assessments conducted before granting data access
- Vendor security questionnaires and compliance verification
- Contractual data protection requirements for all subcontractors
- Regular audits of subcontractor compliance
4 Audit and Assessment
Record Retention:
XTGH Services maintains comprehensive books and records to verify compliance with this Data Protection Policy, applicable marketplace policies, and service agreements during the service period and for 12 months thereafter.
Compliance Certification:
Upon written request, XTGH Services will certify in writing our compliance with this policy and applicable data protection requirements.
Audit Rights:
Marketplace partners (including Amazon and its affiliates) may audit, assess, and inspect our systems, facilities, operations, and security measures. We fully cooperate with such audits and provide:
- Access to relevant systems and documentation
- Cooperation with auditors and assessment teams
- Timely remediation of identified deficiencies
- Evidence of remediation in requested formats (policies, screenshots, documentation)
- Written approval sought before audit closure
Confidentiality:
Auditors will maintain confidentiality of non-public information disclosed during audits that is designated as confidential or should reasonably be considered confidential.
5 Compliance Framework and Standards
XTGH Services aligns with industry-recognized security frameworks and standards:
- Amazon SP-API Requirements: Full compliance with Amazon's Data Protection Policy for Solution Providers
- NIST Guidelines: NIST 800-88 data sanitization, NIST Cybersecurity Framework alignment
- GDPR Compliance: General Data Protection Regulation requirements for EU customer data
- CCPA Compliance: California Consumer Privacy Act requirements for California residents
6 Definitions
Personally Identifiable Information (PII):
Information that can be used on its own or with other information to identify, contact, or locate an individual. Includes: name, address, email, phone number, payment details, purchase history, IP address, geo-location, device identifiers, and similar identifying information.
Security Incident:
Any actual or suspected unauthorized access, collection, acquisition, use, transmission, disclosure, corruption, or loss of customer information, or breach of any environment containing customer information.
Customer Information:
Any information exposed through marketplace APIs, customer portals, or collected through our platform. This includes both public and non-public information, including PII.
Approved Users:
Internal employees who have authorized system access, documented responsibilities, and have completed required data protection and IT security awareness training.
7 Policy Review and Updates
This Data Protection Policy is reviewed and updated on the following schedule:
- Annual Review: Comprehensive policy review conducted annually
- Incident-Triggered Review: After any major security incident
- Change-Triggered Review: Following significant infrastructure or system changes
- Regulatory Updates: When marketplace policies or regulations change
Policy updates are communicated to all relevant stakeholders and require approval from senior management before implementation.
Contact Information
For questions about this Data Protection Policy, security practices, or to report a security incident:
Security Team:
Privacy Team:
Incident Management (IMPOC):
General Support:
Related Documents
Privacy Policy - How we handle your personal information
Terms of Service - Agreement governing use of our services
Amazon Data Protection Policy - Amazon's DPP requirements for Solution Providers