Amazon SP-API Privacy and Security Policy
Organization: Shanghai Ziyan Industrial Co., Ltd.
Website: www.vswave.com
Application: VSWAVE OrderSync
Last updated: 14-April-2026
This policy describes how Shanghai Ziyan Industrial Co., Ltd. ("VSWAVE", "we", "our", or "us") collects, accesses, processes, stores, uses, retains, secures, and disposes of information obtained through the Amazon Selling Partner API ("Amazon SP-API"), including restricted data where Amazon has authorized access for permitted business purposes.
1. Scope and Purpose
Our SP-API application is a private internal operational tool used solely to support our own business operations, including merchant-fulfilled order processing, shipment preparation, order synchronization, customer service handling, and internal operational traceability.
The application is not offered as a public SaaS service and is not licensed or resold to third parties.
2. Categories of Amazon Information We May Process
- Order identifiers and order status information
- Order item details such as SKU and quantity
- Shipment-related information required for fulfillment
- Recipient shipping information where necessary for delivery
- Buyer contact information where permitted by Amazon role approvals and required for customer service or fulfillment
- Operational metadata such as request identifiers, timestamps, workflow status, and audit records
3. Purpose Limitation and Data Minimization
Amazon information is used only for approved and necessary internal business purposes, including:
- retrieving and processing eligible orders;
- supporting shipment workflows and shipping-label operations;
- addressing order exceptions, delivery issues, and customer service matters;
- maintaining operational reliability, auditability, and system security.
We apply data minimization principles and do not intentionally collect, use, or retain Amazon information beyond what is reasonably necessary for the approved operational purpose.
4. No Sale or Unauthorized Sharing
We do not sell Amazon information. We do not share Amazon information with external parties for advertising, resale, profiling, or unrelated commercial purposes.
Access is limited to authorized internal personnel, systems, and service providers that support the approved workflow and are subject to confidentiality and security controls.
5. Storage and Encryption
- Amazon information is stored in managed systems and controlled infrastructure designed for secure processing.
- Data in transit is protected using encryption such as TLS 1.2 or higher.
- Data at rest is protected using strong encryption, such as AES-256 or equivalent cloud-provider-managed safeguards.
- Access to encryption keys and secrets is restricted according to least-privilege principles.
6. Access Control
- Unique user identities are required for personnel with authorized access.
- Access is granted on a need-to-know and least-privilege basis.
- Role-based access controls are used where applicable.
- Privileged access is protected through stronger authentication controls, including MFA where applicable.
- Access is reviewed and removed when no longer required.
7. Credential and Secret Protection
- API credentials, tokens, and secrets are stored using protected environment or secrets-management controls.
- Secrets are not intentionally hardcoded in application source code.
- Credential access is restricted to authorized systems and personnel.
- Rotation, revocation, and remediation procedures are applied when risk or exposure is detected.
8. Logging, Monitoring, and Auditability
- We maintain application, system, and security logs appropriate for operational support and incident investigation.
- We monitor for unauthorized access attempts, abnormal activity, privilege changes, and other security-relevant events.
- Logs are designed to avoid unnecessary inclusion of sensitive personal information where feasible.
9. Retention and Secure Disposal
We retain Amazon-related personal information only for the minimum period necessary to fulfill the approved operational purpose and applicable legal obligations.
Unless a longer retention period is required by law or by a documented operational necessity permitted by applicable rules, restricted personal information obtained through Amazon SP-API is targeted for deletion or secure disposal within 30 days after shipment or completion of the related operational need.
Expired or unnecessary data is securely deleted, anonymized, or otherwise disposed of through controlled processes.
10. Development, Testing, and Change Control
- Where feasible, testing is performed using synthetic, masked, or non-production data.
- Application changes are reviewed and validated before production deployment.
- We use reasonable controls to reduce the risk of credential leakage, insecure dependencies, and unintended exposure.
11. Incident Response
We maintain an incident response process covering detection, triage, containment, investigation, remediation, recovery, and post-incident review.
If we identify a security incident involving Amazon information, we will take appropriate containment and remediation measures and will notify Amazon as required by applicable Amazon policies and timelines.
12. Contact
Security / Incident Contact:
Shanghai Ziyan Industrial Co., Ltd.
Email: service@vswave.com
Website: www.vswave.com