Overview
This document describes how NCK INTERNATIONAL CORP. (MOVA Globes) collects, stores, processes, protects, and retains Amazon-related data for integrations and SP-API usage. It is intended for platform review and auditors.
Storage & Location
- Data storage region: AWS EU (eu-west-1).
- Backups: encrypted backups stored within EU region.
Encryption & Transport
- Encryption at rest: AES-256.
- Encryption in transit: TLS 1.2 or higher.
Purposes & Data Minimization
- Purposes: order verification, warranty/replacement processing, returns handling, basic fraud detection, and customer support.
- PII collected: order ID, buyer name, buyer email, phone, shipping address, and minimal transaction metadata. Payment card PANs are never stored.
- Data minimization: only the minimum necessary fields are collected for each purpose.
Retention
- Support & warranty records: retained 18 months.
- Order/tax/audit records: retained 7 years.
- Security logs: retained 12 months; operational logs: 90 days.
Access Control & Credential Management
- Authentication: SSO (SAML/OIDC) with MFA for all staff.
- Access control: Role-Based Access Control (RBAC) and quarterly privileged access reviews.
- Secrets & keys: stored in AWS Secrets Manager / HashiCorp Vault and rotated every 90 days.
Logging, Monitoring & Incident Response
- Centralized logging to SIEM (Elastic/Datadog or equivalent).
- Detection: IDS/IPS integration, anomaly detection rules, and threat intelligence feeds.
- Alerting: critical alerts routed to on-call via PagerDuty (24/7).
- Incident response: documented IR playbook, RCA, and post-incident reporting.
Vulnerability & Patch Management
- Weekly automated vulnerability scans and annual third-party penetration testing (summary available).
- Findings tracked in ticketing system (e.g., JIRA); SLAs: Critical = 7 days; High = 30 days.
Third-Party Processors & Data Transfers
- Third-party processors engaged under Data Processing Agreements (DPA).
- Cross-border transfers limited; when required, adequate safeguards are applied.
Auditability & Evidence
We can provide on-request summaries or evidence: privacy policy URL, DPA summary, SIEM dashboard screenshot, pentest summary, ISO/SOC2 certificates (if available).