Data Protection Policy (DPP)
The Data Protection Policy (DPP) governs the collection, storage, use, transmission, and disposal of data processed by the GaoLong Cross-Border API.
1. General Security Requirements
- 1.1 In line with industry-leading security standards, we maintain comprehensive physical, administrative, and technical safeguards to ensure the confidentiality, integrity, and security of data that is accessed, collected, used, stored, or transmitted through GaoLong Cross-Border APIs. These protections guard against known or reasonably foreseeable threats, unauthorized alterations, disclosures, accidental loss, and any other unlawful processing.
- 1.2 Network Security: We enforce network protection controls including firewalls and access control lists to block unauthorized IP addresses. End-user devices employ network segmentation, antivirus, and anti-malware solutions. Public access is restricted to approved users only. All personnel with system access undergo regular data protection and IT security training.
- 1.3 Access Management: We maintain a formal process to register and assign unique user IDs and access permissions on a need-to-know basis. Use of shared, default, or generic credentials is prohibited. Baseline controls ensure that only authorized accounts have data access. Employees and contractors are prohibited from storing data on personal devices. Abnormal usage patterns and login attempts are monitored, and accounts may be disabled to enforce security. Access lists are reviewed and updated quarterly, and access is revoked within 24 hours of employee termination.
- 1.4 Principle of Least Privilege: Access rights are granted on a granular basis strictly according to user roles and necessity, limiting exposure to sensitive information.
- 1.5 Credential Management: Password policies require a minimum of 12 characters, excluding any part of the username, and must include uppercase, lowercase, numeric, and special characters. Password expiration ranges from 1 to 365 days. Multi-factor authentication (MFA) is mandatory for all user accounts. API keys are encrypted and accessible only to authorized personnel.
- 1.6 Encryption in Transit: All data transmissions are encrypted using secure protocols such as TLS 1.3, SFTP, and SSH-2. Channel-level encryption terminates securely even in untrusted multi-tenant environments.
- 1.7 Risk Management and Incident Response: We conduct annual risk assessments led by senior management, evaluating threats, vulnerabilities, likelihood, and impact. Incident detection and response plans are documented and maintained. Security incidents are reported to GaoLong within 24 hours, with investigations and corrective actions documented to prevent recurrence.
- 1.8 Data Deletion Requests: Per Amazon security requirements, Personally Identifiable Information (PII) is securely and permanently deleted within 30 days after order completion, and non-PII data is deleted within 18 months. Written certification of data destruction is available upon request.
- 1.9 Data Ownership: Data is stored in segregated databases or tagged appropriately to identify its origin across databases.
2. Additional Security Controls
- 2.1 Data Retention: Data is retained up to 30 days post-delivery, solely for order fulfillment, tax calculations and payments, invoicing, and other lawful purposes, including legal compliance. Retention beyond 30 days occurs only when legally mandated. Data must never be transmitted or stored unprotected.
- 2.2 Data Governance: We maintain and adhere to documented privacy and data processing policies governing appropriate behavior and technical controls over information assets. Data processing activities are logged comprehensively to ensure accountability and regulatory compliance. Privacy and security laws and regulations are actively monitored and complied with, with evidence of compliance preserved. Employee contracts include confidentiality clauses to safeguard data.
- 2.3 Asset Management: Information system configurations are standardized and reviewed quarterly. Inventories of data-accessible software and physical assets are maintained and updated. PII data is never stored on removable media or insecure cloud applications. Printed materials containing sensitive data are securely disposed of. Data Loss Prevention (DLP) controls monitor unauthorized data transfers.
- 2.4 Data Encryption at Rest: All static PII data is encrypted using AES-256-GCM, with cryptographic materials and functionality restricted to authorized developers and services.
- 2.5 Secure Coding Practices: Sensitive credentials are never hard-coded or publicly exposed. Test and production environments are strictly separated.
- 2.6 Logging and Monitoring: Security events, including successful and failed attempts, access, data changes, and system errors, are comprehensively logged. Logs cover all access channels and undergo real-time or scheduled review. Logs are access-controlled and retained for a minimum of 365 days as per legal requirements. Suspicious activities trigger alerts and are incorporated into incident response processes.
- 2.7 Vulnerability Management: We maintain programs for identifying, tracking, and remediating vulnerabilities, including monthly scans and annual penetration testing. Code is scanned prior to each release. Hardware changes to storage systems are controlled, and emergency response plans ensure timely restoration of PII availability and access.
3. Auditing and Assessment
- 3.1 We retain sufficient logs and records to verify compliance with the Acceptable Use Policy (AUP), Data Protection Policy (DPP), and GaoLong Cross-Border API Developer Agreement for the term of the agreement and 12 months thereafter. Written compliance attestations are provided upon request.
- 3.2 Comprehensive audits of all systems involved in data retrieval and storage are conducted, covering records, operations, security measures, and facilities.
- 3.3 All non-public information disclosed during audits, assessments, or inspections is treated as confidential and protected accordingly.
- 3.4 Identified deficiencies or policy violations during audits are promptly addressed within agreed remediation timelines.
- 3.5 Remediation evidence, including policies, documentation, screenshots, or shared sessions of infrastructure changes, is provided and requires GaoLong’s written approval before audit closure.
4. Privacy Policy Disclosure
- 4.1 We commit to transparency by clearly informing all users about the collection, use, sharing, storage, protection, and deletion of their personal and Amazon-related data.
- 4.2 Data Collection: Data collected via the authorized Amazon SP-API service under explicit user consent is limited to tax compliance-related information such as orders and VAT reports. Data transfers occur exclusively over encrypted channels, with no use of external or unauthorized sources.
- 4.3 Purpose of Data Use: Amazon data is strictly used for compliance activities like tax calculations, invoicing, and filing. No data is repurposed for advertising, profiling, or internal business analytics without user authorization.
- 4.4 Data Storage: All Amazon data is isolated in physically segregated database environments separate from other business data. Access controls, MFA, audit logging, and AES-256-GCM encryption protect data confidentiality. Physical security controls restrict access to authorized personnel only.
- 4.5 Data Protection: Multiple layers of controls secure data during transmission (TLS 1.3, HTTPS) and at rest (AES-256-GCM encryption). Least privilege access principles apply. Centralized logging and SIEM monitoring provide security event detection, with biweekly log reviews and incident response within 24 hours of detection.
- 4.6 Data Sharing and Third Parties: We do not share Amazon data with third parties, including affiliates, nor use data beyond authorized purposes. Users access their own data only; no cross-account sharing or aggregated analysis is supported.
- 4.7 Data Deletion and Rights: PII is securely destroyed within 30 days post-order completion, and non-PII within 18 months, with auditable deletion records maintained. Backups are periodically purged per retention policies.
- 4.8 Our privacy policy aligns with GaoLong Cross-Border’s data processing practices and is reviewed regularly to ensure compliance with applicable laws and Amazon policies.
- 4.9 Significant changes in data handling or purpose will be communicated promptly through official channels and reflected in policy updates.