Amazon SP-API Privacy and Data Handling Policy

Organization: YPA Microphones INC

Application: MFN OrderSync (private internal operational tool)

Last Updated: 2026-02-26

1. Scope and Purpose

MFN OrderSync is a private, internal-use application. It is not a public SaaS product and is not offered to third parties. Data is used solely to support Amazon merchant-fulfilled order operations, including order synchronization, shipping-label preparation,and order issue handling.

2. Data We Collect

• Order identifiers and order item details (e.g., SKU, quantity, order status).
• Recipient shipping information (name, address, postal code, country, phone) when required for fulfillment.
• Buyer contact data (such as buyer email) when required by approved Amazon roles and operational needs.
• Operational metadata and audit data (request IDs, timestamps, workflow actions, execution results).

3. How We Use Data

• Retrieve and process unshipped orders for MFN operations.
• Generate shipment workflows and shipping labels.
• Support customer service issue resolution related to orders and deliveries.
• Maintain operational reliability, traceability, and security auditing.

4. Data Sharing

We do not sell Amazon data and do not share Amazon data with outside parties for marketing or resale. Data is processed internally by authorized personnel and systems.

5. Storage and Encryption

• Amazon information at rest is stored in managed database systems.
• Encryption at rest: AES-256 (or stronger cloud-managed equivalent).
• Encryption in transit: TLS 1.2+ for API and service communications.
• Key management: cloud/provider key controls with least-privilege access and rotation procedures.

6. Backup and Retention

• Encrypted backups are stored in geographically separated cloud locations in the United States.
• Target RPO: 24 hours. Target RTO: 4 hours for critical order-processing capability.
• PII retention: less than 31 days after shipment unless legally required longer retention applies.
• Data is securely deleted/disposed after retention periods expire.

7. Access Control

• Unique user identities; no shared privileged accounts.
• Role-based access control (RBAC) and least-privilege principles.
• Access granted based on business need-to-know only.
• Privileged access protected with MFA and approval controls.

8. Monitoring and Logging

• Centralized application, database, and security event logging.
• Monitoring for suspicious activity (unauthorized access, abnormal export behavior, privilege changes).
• Alerting to responsible security contacts for investigation and containment.
• Logs are retained per policy and are designed to avoid unnecessary PII content.

9. Incident Response

Our incident response process includes detection, triage, containment, investigation, remediation, recovery, and post-incident review. For incidents involving Amazon information, Amazon is notified at security@amazon.com within required timelines.

10. Testing and Development Controls

• Test environments use synthetic/masked datasets whenever feasible.
• Application changes are validated in non-production environments before release.
• Code and dependency vulnerability scans are performed before release cycles.

11. Credential Protection

• Secrets are stored in protected environment/secrets controls, not hardcoded in source.
• Repository and CI checks are used to prevent credential leaks.
• Credentials are rotated and revoked promptly when risk is detected.

12. Contact

Incident Management Point of Contact (IMPOC):
Email: service@ypamicrophones.com
Organization: YPA Microphones INC
Website: https://www.ypamicrophones.com